A Fake Job Offer Reportedly Led to Axie Infinity’s $600M Hack

Last August, play-to-earn game Axie Infinity was on top of the world. The Pokemon-inspired game was generating over $15 million in revenue each day for developer Sky Mavis, and some players in Southeast Asia were earning enough cryptocurrency to live on. Fast forward 11 months, and the prices of Axie NFTs and the game’s Smooth Love Potion cryptocurrency have collapsed. There are many reasons why, but one of the most important is a hack that took place in March.

A hacker managed to exploit the Ronin blockchain that Axie Infinity uses to steal $620 million worth of crypto. Sky Mavis previously said it was achieved through a phishing scheme, and the US government said Lazarus, a North Korea-backed outfit, was behind the heist. A report from The Block on Wednesday revealed how the hack was socially engineered: a fake job offer.

A senior Sky Mavis engineer was targeted by “recruiters” on LinkedIn who hoped to sign him to their company, reports The Block, citing sources familiar with the matter. The recruiting process involved several interviews and ended with a job offer, sent via PDF. The company, however, didn’t exist, and the PDF was laced with spyware.

Ronin is a Proof-of-Authority blockchain, which means control over the network is given to hand-picked validators. At the time of the hack, Axie Infinity had nine validators. For a bad actor to take control of Ronin, they needed to take control of five of those nine validators. For a bad actor to take complete control of the bitcoin blockchain, which uses Proof-of-Work, they would need 51% of the electricity being utilized by every bitcoin miner in the world. While bitcoin is designed to be secure at all costs, Ronin’s sole purpose was to provide cheap, quick transactions for Axie Infinity players.


Axie Infinity sees players battle and breed Axie monsters, which are owned as NFTs. At its peak, bottom-tier Axies were selling for over $300 each. They now fetch far less — with Axies often selling for under $10.


The spyware embedded in that PDF, reports The Block, allowed the hacker to control four of Ronin’s nine validators. Hackers then got access to the community-run Axie DAO, which had access to one more validator. Once they controlled the network, hackers drained Axie Infinity’s treasury of $25 million in the USDC stablecoin and 173,600 ether. After ether’s dramatic price drop, the total haul is now worth $229 million.
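As an added illustration (not code from the article, Sky Mavis or Ronin), this example audits how many independent operators must be compromised to reach the five-of-nine threshold when several validator keys sit behind one organization. The operator names other than Sky Mavis and Axie DAO, and the delegation edge from Sky Mavis to Axie DAO, are assumptions of the model.

```python
from itertools import combinations

# Constructed model: nine validators, five needed for control (figures from the
# article). Operator names other than sky_mavis and axie_dao are hypothetical.
THRESHOLD = 5
VALIDATOR_OPERATOR = {
    "v1": "sky_mavis", "v2": "sky_mavis", "v3": "sky_mavis", "v4": "sky_mavis",
    "v5": "axie_dao",
    "v6": "operator_a", "v7": "operator_b", "v8": "operator_c", "v9": "operator_d",
}
# Assumption of this model: a foothold in sky_mavis also reaches axie_dao's key.
DELEGATED_ACCESS = {"sky_mavis": {"axie_dao"}}


def reachable(operator, delegated):
    """Operators whose signing keys are usable once `operator` is compromised."""
    seen, stack = set(), [operator]
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(delegated.get(current, ()))
    return seen


def controlled_validators(compromised, validator_operator, delegated):
    """Validators that sign for whoever holds the compromised operators."""
    domains = set()
    for operator in compromised:
        domains |= reachable(operator, delegated)
    return {v for v, op in validator_operator.items() if op in domains}


def min_compromises(validator_operator, delegated, threshold):
    """Smallest set of operators whose compromise meets the signing threshold."""
    operators = sorted(set(validator_operator.values()))
    for size in range(1, len(operators) + 1):
        for combo in combinations(operators, size):
            held = controlled_validators(combo, validator_operator, delegated)
            if len(held) >= threshold:
                return set(combo)
    return None


if __name__ == "__main__":
    print("with delegation:", min_compromises(VALIDATOR_OPERATOR, DELEGATED_ACCESS, THRESHOLD))
    print("without delegation:", min_compromises(VALIDATOR_OPERATOR, {}, THRESHOLD))
    # Fully independent operators: the nominal five-of-nine assumption holds.
    independent = {f"v{i}": f"op{i}" for i in range(1, 10)}
    print("independent:", len(min_compromises(independent, {}, THRESHOLD)))
```

The gap between the nominal threshold (five) and the number of operators that must fall (one in this model) is the figure to track when reviewing validator key custody.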

Sky Mavis was contacted for comment but didn’t immediately respond. In an April post-mortem, the Axie team wrote: “Sky Mavis employees are under constant advanced spear-phishing attacks on various social channels and one employee was compromised. This employee no longer works at Sky Mavis. The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes.”

Since the hack, Sky Mavis has attempted to make amends with Axie players. Following a $150 million funding round in April, Sky Mavis is reimbursing players who lost crypto in the hack. To boost security, Ronin now has 11 validators rather than nine.
