Skip to content

Fake LinkedIn job offer caused the Axie Infinity hack

  • by
  • 3 min read

Photo via The Lunacian

After months of investigation, Sky Mavis has discovered that its Axie Infinity hack, hailed as one of the largest crypto heists ever, started with an elaborate social engineering scheme targeting Sky Mavis employees via LinkedIn.

Their employees were approached via LinkedIn with a fake job offer. After one developer showed interest, they were taken through multiple interview rounds until eventually offered a position with a quite generous compensation package.

After the attackers, identified by the US government as the North Korean group Lazarus, had built up trust with the developer, they sent over a PDF document containing malware that infected the individual’s device, hence kicking off the hack. 

This malware helped the attackers take control of four out of the nine validator nodes for the Ronin Network. Since the Ronin Network required five validators up until that point, the attackers were now one endpoint short. 

Photo by morrowind/shutterstock. Com
The hack was one of the biggest crypto heists in history. | Photo by Morrowind/Shutterstock.com

Access to the fifth node came from the theoretically decentralised Axie Decentralised Autonomous Organisation (DAO). Back in November 2021, Sky maxis asked Axie DAO for help dealing with a heavy transaction load at the time. 

Axie DAO ended up allow listing Sky Mavis to sign transactions on its behalf starting in November. While this was discontinued next month, Axie never blocklisted Sky Mavis’ access. Once the attackers had access to Sky Mavis systems, they could extract the final signature from Axie DAO validators.

The hack ended up costing Sky Mavis a loss of 173,600 Ethereum and 25.5M USDC in two separate transactions totalling about $625 million, closer to $225 million at the time of writing, following recent fluctuations in crypto prices. 

The hack was discovered a week later, on March 23, after a user couldn’t withdraw 5000 Ethereum from the platform and reported it to the team. Earlier investigations by the company cited an advanced spear-phishing attack that targeted and compromised an employee who no longer worked at Sky Mavis; however, that explanation didn’t entirely sit well with the attack mechanics. 

Since the attack, Sky Mavis has increased the number of validators to 11, with plans to go as high as 100. As for the rest, the company has spent the past couple of months recovering from the attack, raising $150 million in funding to reimburse players and transactions on the company’s Ronin bridge were finally reopened last week. 

In the News: China is trying to steal Western tech; warn FBI and MI5

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.

Related Reads

This is an image of dark web hacker security

Cybercriminals are using the Pope’s death to preach malware

This is an image of phishing featured storyblocks

North Korean IT workers are using deepfakes to get jobs

This is an image of cisco 3289sd

Cisco confirms several products affected by RCE flaw

This is an image of telecom tower

South Korea’s biggest telco discloses data breach

This is an image of chatgpt featured 21324132

Washington Post partners with OpenAI to ensure ChatGPT gets news right

This is an image of https 3344700 1280

SSL.com patches abused certificate issue vulnerability

>