Phishing Scam Allegedly Behind $540 Million Axie Infinity Hack
NFT Pokémon clone Axie Infinity went from being famous for players profiting from “play-to-earn” gaming scams to being infamous for being hacked out of $540 million in cryptocurrency. Now, following a new report by The Block, we know what made the security breach possible: a sophisticated phishing attempt, socially engineered on LinkedIn, that sounds like a deleted episode of Mr. Robot.
For those unfamiliar with the Axie grift, developer Sky Mavis built an Ethereum-linked sidechain called the Ronin Network and grafted it onto a game about fighting and breeding cute monsters called Axie Infinity. Borrowing mechanics from the likes of Pokémon, Neopets and Hearthstone, players were invited to earn Ethereum-based cryptocurrencies in the game by grinding, and for a while it turned a huge profit as fresh players poured their time and money into the platform. Then, earlier this year, the company hit all kinds of obstacles, from stagnant growth to currency inflation, and not least the biggest crypto hack of all time.
Developer Sky Mavis revealed back in April that the security breach was made possible by an employee who was “compromised” by an “advanced spear phishing attack.” “The attacker was able to exploit this access to penetrate Sky Mavis’ IT infrastructure and gain access to the validator nodes,” the company wrote at the time.
The Block now reports, based on two sources with direct knowledge of the incident, that the employee in question was a senior engineer at Axie Infinity and that the way onto their computer was a job offer that was too good to be true.
According to The Block, fraudsters representing a fake company approached the engineer through LinkedIn, encouraged them to apply for a job, held several rounds of interviews, and eventually made a job offer that included an “extremely generous compensation package.” But the offer was contained in a PDF file.
After the engineer downloaded it, the spyware was reportedly able to infiltrate Ronin Network’s systems and give the hackers access to four of the five validator nodes (out of nine in total) they needed to withdraw money. Access to the fifth was gained through something called the Axie DAO, a separate organization that Sky Mavis had enlisted to help with the influx of transactions during the height of Axie Infinity’s popularity. Sky Mavis had failed to remove the DAO’s access from its systems after the help was no longer needed.
One of the much-touted appeals of blockchain technology is its ability to make databases public and accessible to all while keeping them secure. But any locked door, no matter how strong, is only as secure as the person who holds the key to it. In Axie Infinity’s case, the vulnerability of Sky Mavis’ staff was compounded by the careless shortcuts it took to stay on top of the game’s meteoric growth last fall. (Sky Mavis has since increased its total validator nodes to 11, with long-term plans to have over 100.)
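The article describes a five-of-nine signature threshold that was met by four compromised Sky Mavis nodes plus one stale access grant. The following is an added illustration, not Sky Mavis’ or Ronin’s code: it models validator keys by the organization that holds them, treats the DAO arrangement as a standing delegation (an assumption for illustration; operator names are constructed), and shows why an access audit should count keys per trust domain rather than total validators.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Set

# Constructed model of the bridge as the article describes it: nine validator
# keys, five signatures needed to authorise a withdrawal. Operator names and the
# delegation field are assumptions for illustration, not Ronin's real config.
THRESHOLD = 5


@dataclass(frozen=True)
class ValidatorKey:
    name: str
    operator: str                       # organisation whose systems hold the key
    delegated_to: Optional[str] = None  # another operator allowed to sign with it


def constructed_validator_set() -> List[ValidatorKey]:
    keys = [ValidatorKey(f"skymavis-{i}", "SkyMavis") for i in range(1, 5)]
    # Standing access granted during the traffic surge and never revoked.
    keys.append(ValidatorKey("axie-dao-1", "AxieDAO", delegated_to="SkyMavis"))
    keys += [ValidatorKey(f"third-party-{i}", f"Partner{i}") for i in range(1, 5)]
    return keys


def keys_reachable_from(keys: List[ValidatorKey], operator: str) -> Set[str]:
    """Keys an attacker who controls `operator`'s systems can sign with:
    the keys that operator runs plus any key delegated to it."""
    return {k.name for k in keys
            if k.operator == operator or k.delegated_to == operator}


def withdrawal_possible(keys: List[ValidatorKey], operator: str,
                        threshold: int = THRESHOLD) -> bool:
    """True if compromising a single operator yields enough signatures."""
    return len(keys_reachable_from(keys, operator)) >= threshold


def stale_delegations(keys: List[ValidatorKey]) -> List[str]:
    """Audit helper: every delegation is a standing grant worth reviewing."""
    return [k.name for k in keys if k.delegated_to is not None]


def revoke_delegations(keys: List[ValidatorKey]) -> List[ValidatorKey]:
    return [replace(k, delegated_to=None) for k in keys]


if __name__ == "__main__":
    ks = constructed_validator_set()
    print("standing grants:", stale_delegations(ks))
    print("one compromised operator reaches threshold:", withdrawal_possible(ks, "SkyMavis"))
    print("after revoking the stale grant:", withdrawal_possible(revoke_delegations(ks), "SkyMavis"))
```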
Of course, in the meantime, the company still has to pay back everyone who lost money in the hack. In April, it raised another $150 million, partly in an attempt to make the existing player base whole again. The same month, the FBI identified the North Korean hacking group “Lazarus Group” as the culprit behind the Axie Infinity hit. The federal law enforcement agency has also recently warned companies against accidentally hiring North Korean hackers as external IT specialists.