
How a Fake Offer Stole $540 Million from Axie Infinity?
Trojan horse hidden in the offer.

Original author: Ryan Weeks
Translation: Katie Gu
Earlier this year, hackers tricked a senior engineer at Axie Infinity into applying for a job at a fictional company, ultimately leading to a loss of $540 million in cryptocurrency. Here are the details of the Axie Infinity hack, as reported by The Block.
Few job searches have ended more dramatically than that of the Axie Infinity senior engineer. His interest in joining a fake company ultimately facilitated one of the largest hacks in crypto history.
In November last year, Axie Infinity saw 2.7 million daily active users within its in-game NFT ecosystem and weekly trading volumes reaching $214 million—both figures have since declined significantly.
Then, in March this year, Ronin, the Ethereum sidechain powering the P2E blockchain gaming leader Axie Infinity, lost $540 million worth of cryptocurrency. While the U.S. government later linked the incident to the North Korean hacker group Lazarus, full details of how the attack unfolded had not been publicly disclosed. In reality, the breach began with nothing more than a fraudulent job posting. Two individuals familiar with the matter said an Axie Infinity senior engineer was deceived into applying for a position at a company that didn't actually exist. Due to the sensitivity of the issue, both sources requested anonymity.
According to insiders, earlier this year, individuals posing as recruiters from the fake company contacted an employee of Sky Mavis, Axie Infinity’s developer, via LinkedIn and WhatsApp, luring him with the prospect of a new job opportunity. After multiple rounds of interviews, a Sky Mavis engineer reportedly received an extremely lucrative job offer.
The fake job offer was delivered as a PDF file. When the engineer downloaded it, malware infiltrated the Ronin network's system. From there, the hackers were able to compromise four of the nine validator nodes on the Ronin network—just one short of gaining full control.
In a blog post published on April 27, Sky Mavis analyzed the hack, stating: “Employees are continuously targeted by sophisticated phishing attacks across various social channels, and one employee was compromised. That employee is no longer with Sky Mavis. The attackers successfully exploited this access to penetrate Sky Mavis’ IT infrastructure and gain access to validator nodes.”
Validators perform various functions in a blockchain, including creating blocks of transactions and updating data oracles. Ronin uses a so-called “proof-of-authority” system to sign transactions, concentrating power among nine trusted validators.
Blockchain analytics firm Elliptic explained in a blog post from April: “If five out of the nine validators approve, funds can be transferred. The attackers managed to obtain the private cryptographic keys of five validators, which was sufficient to steal the crypto assets.”
However, after infiltrating Ronin’s systems through the fake job offer, the hackers initially only controlled four of the nine validators—meaning they needed one more to achieve full control over the Ronin network.
In its post-incident analysis, Sky Mavis revealed that the hackers successfully leveraged Axie DAO—an organization supporting the game’s ecosystem—to complete the theft. Sky Mavis had previously requested Axie DAO’s help in November 2021 to manage transaction load issues.
“Axie DAO allowed Sky Mavis to sign various transactions on its behalf. This permission was paused in December 2021, but the access list was never revoked,” Sky Mavis stated in the blog post. “Once the attackers gained access to Sky Mavis’ systems, they were able to obtain signatures from the Axie DAO validator.”
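The effect of that unrevoked access list on the five-of-nine threshold can be checked mechanically. The following is an added example, not code from the article or from Sky Mavis: it counts how many organizations must be compromised before a signing quorum is reachable, with and without the stale delegation. The validator IDs, the `org-*` operators and the assignment of four validators to Sky Mavis are constructed assumptions.

```python
from itertools import combinations

THRESHOLD = 5  # per the article: five of nine validator approvals move funds

# Constructed model: validator -> operating organization. Four Sky Mavis
# validators and one Axie DAO validator follow the article; v6..v9 and the
# org-* operator names are placeholders.
OPERATOR = {
    "v1": "sky-mavis", "v2": "sky-mavis", "v3": "sky-mavis", "v4": "sky-mavis",
    "v5": "axie-dao",
    "v6": "org-a", "v7": "org-b", "v8": "org-c", "v9": "org-d",
}

# validator -> organizations still allowed to request its signature.
STALE_ALLOWLIST = {"v5": {"sky-mavis"}}  # paused in practice, never revoked
REVOKED_ALLOWLIST = {}                   # state after a real revocation


def reachable(compromised, operator, allowlist):
    """Validators whose signature is obtainable from the compromised orgs."""
    return {
        v for v, org in operator.items()
        if org in compromised or allowlist.get(v, set()) & compromised
    }


def min_orgs_to_threshold(operator, allowlist, threshold=THRESHOLD):
    """Smallest set of organizations whose compromise yields a quorum."""
    orgs = sorted(set(operator.values()))
    for k in range(1, len(orgs) + 1):
        for combo in combinations(orgs, k):
            if len(reachable(set(combo), operator, allowlist)) >= threshold:
                return k, combo
    return None


def audit(operator, allowlist, threshold=THRESHOLD):
    """Return a finding string; flag any quorum reachable from one org."""
    result = min_orgs_to_threshold(operator, allowlist, threshold)
    if result is None:
        return f"ok: quorum of {threshold} is not reachable"
    k, combo = result
    status = "FAIL" if k == 1 else "ok"
    return f"{status}: quorum of {threshold} reachable via {k} org(s): {', '.join(combo)}"


if __name__ == "__main__":
    print(audit(OPERATOR, STALE_ALLOWLIST))
    print(audit(OPERATOR, REVOKED_ALLOWLIST))
```

With the stale entry in place, one organization is a single point of failure for the whole bridge; once it is revoked, at least two independent operators must fall.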
One month after the hack, Sky Mavis increased the number of its validator nodes to 11 and stated in its blog that its long-term goal is to exceed 100.
When contacted, Sky Mavis declined to comment on how the hack occurred. LinkedIn also repeatedly declined to comment.
Earlier today, cybersecurity firm ESET released an investigation revealing that the North Korean Lazarus hacker group has used LinkedIn and WhatsApp to impersonate recruiters targeting aerospace and defense contractors. However, the report did not link this technique directly to the Sky Mavis hack.
In early April, Sky Mavis raised $150 million in a funding round led by Binance. The proceeds, along with the company’s reserve funds, will be used to compensate users affected by the breach. Axie Infinity recently announced it would begin returning funds to users starting June 28. The Ronin Ethereum bridge, which was abruptly halted during the hack, also resumed operations last week.














