Earlier in March this year, Ronin Network (RON), the blockchain network underpinning the popular crypto game Axie Infinity and the Axie DAO, suffered the largest crypto hack against a decentralized finance network reported to date.
In May 2022, the United States issued an advisory according to which highly skilled hackers from North Korea were trying to get hired by posing as IT freelancers. Now it has been revealed that the Axie Infinity hack began with social engineering: the North Korean government-backed hacker group Lazarus used a fake job offer to infiltrate Sky Mavis’ network by sending one of the company’s employees a PDF file containing spyware.
Lazarus’ involvement in such a high-profile hack should not come as a surprise. In January 2022, researchers from several crypto security firms concluded that North Korean hackers had so far stolen $1.3 billion from cryptocurrency exchanges across the globe, with the infamous Lazarus gang as the prime suspect in these hacks.
Axie Infinity Hack
The employee, a former senior engineer at the company, took the bait, believing it to be a high-paying job offer from another company, and opened the PDF. In reality, that company did not exist. During the fake recruiting process, the ex-employee handed over critical personal information, which the attackers then used to steal from the company.
Sky Mavis explained that its employees are constantly threatened by “advanced spear-phishing attacks on various social channels.” In this instance, one employee, who no longer works at Sky Mavis, was fooled.
It is worth noting that the play-to-earn game Axie Infinity is a Pokemon-inspired game developed by Sky Mavis and rakes in approximately $15 million in revenue daily.
How was Ronin Hacked?
According to The Block, at the time of the hack Ronin, Axie Infinity’s Ethereum-based proof-of-authority sidechain, had nine validators.
“The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes,” Sky Mavis stated.
The attacker had to capture five of the nine validators to infiltrate the company’s networks. The spyware-laced PDF helped the attacker take control of four validators and gain access to the community-run Axie DAO (Decentralized Autonomous Organization), through which they obtained control of the fifth.
After compromising the network, the attackers stole $25 million worth of USDC stablecoin and 173,600 ether (roughly $597 million) from Axie Infinity’s treasury, a total of around $625 million in crypto.
Since the attack, the Ronin sidechain has increased its number of validators to 11 to enhance security, and Sky Mavis is reimbursing Axie players who lost crypto in the attack. The company closed a $150 million funding round back in April 2022.
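As an added illustration (not code from the article, Sky Mavis or Ronin), the following Python model shows why a bare signature-count threshold was not enough: four nodes reachable through one operator plus one allowlisted DAO node satisfy 5-of-9, while a policy that also caps signatures per operator and requires several independent operators rejects the same set. Validator identifiers, operator labels and the split of the remaining four nodes are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Validator:
    node_id: str   # constructed identifier
    operator: str  # organisation holding the signing key (assumed labels)


# Constructed model of the 9-validator set described in the article:
# 4 nodes reachable through Sky Mavis infrastructure, 1 via the Axie DAO,
# and 4 further independent operators (the split beyond 4 + 1 is an assumption).
VALIDATORS = (
    [Validator(f"sm-{i}", "sky-mavis") for i in range(4)]
    + [Validator("dao-0", "axie-dao")]
    + [Validator(f"ext-{i}", f"operator-{i}") for i in range(4)]
)
THRESHOLD = 5  # 5-of-9 validator signatures approve a bridge withdrawal
_BY_ID = {v.node_id: v for v in VALIDATORS}


def approved_by_count(signers: set) -> bool:
    """Plain threshold rule: any five distinct known validator signatures approve."""
    valid = {s for s in signers if s in _BY_ID}
    return len(valid) >= THRESHOLD


def approved_with_diversity(signers: set, max_per_operator: int, min_operators: int) -> bool:
    """Threshold plus operator-diversity rule.

    Signatures from a single operator count at most max_per_operator times, and at
    least min_operators distinct operators must sign, so compromising one
    organisation's infrastructure plus one allowlisted node cannot reach the threshold.
    """
    per_operator = Counter(_BY_ID[s].operator for s in signers if s in _BY_ID)
    counted = sum(min(n, max_per_operator) for n in per_operator.values())
    return counted >= THRESHOLD and len(per_operator) >= min_operators


# Signers the attacker could produce according to the article: the four nodes
# reached through Sky Mavis plus the fifth obtained via the Axie DAO.
ATTACKER_SIGNERS = {"sm-0", "sm-1", "sm-2", "sm-3", "dao-0"}
# A legitimate withdrawal signed by nodes from four different operators (constructed).
LEGITIMATE_SIGNERS = {"sm-0", "sm-1", "dao-0", "ext-0", "ext-1"}

if __name__ == "__main__":
    print("count-only, attacker:", approved_by_count(ATTACKER_SIGNERS))             # True
    print("diversity, attacker:", approved_with_diversity(ATTACKER_SIGNERS, 2, 3))   # False
    print("diversity, legitimate:", approved_with_diversity(LEGITIMATE_SIGNERS, 2, 3))  # True
```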
The US government has attributed the attack to the notorious North Korean hacker group Lazarus, which specializes in such operations.
This is not the first time Lazarus has targeted the blockchain industry. However, it is uncommon for Lazarus to use social engineering to break into a company’s network. In June 2020, the Slovak internet security company ESET warned LinkedIn users of Lazarus’ involvement in a sophisticated LinkedIn recruiter scam targeting military and aerospace firms.
More Lazarus Gang Hacks
- US-Cert warns of North Korean BLINDINGCAN malware
- Lazarus Group’s AppleJeus MacOS malware targeting crypto exchanges
- NK Hackers infect authentic 2FA apps to infect Mac devices with malware
- LAZARUS APT Using TraderTraitor Malware to Target Blockchain Orgs, Users
- Lazarus hackers use Magecart attack to steal card data from EU, and US sites