Pokémon NFT clone Axie Infinity went from famous for gamers profiting from its “play-to-earn” gambling scam to infamous for being hacked out of $540 million worth of cryptocurrency. Now, according to a new report from The Block, we know what made the security breach possible: a sophisticated, socially engineered phishing attempt on LinkedIn that looks like a deleted episode of Mr. Robot.
For those unfamiliar with Axie Infinity, developer Sky Mavis built an Ethereum-linked sidechain called the Ronin Network and grafted it onto a game about battling and breeding cute monsters. Borrowing mechanics from Pokémon, Neopets, and Hearthstone, the game invited players to earn Ethereum-based cryptocurrencies by grinding, and for a time it generated a huge profit as new players poured their time and money into the platform. Earlier this year, the company hit all kinds of snags, from sluggish growth to monetary inflation and, above all, one of the largest crypto hacks of all time.
Developer Sky Mavis revealed in April that the security breach was made possible by an employee who was “compromised” by an “advanced spear phisher attack.” “The attacker managed to leverage this access to break into Sky Mavis’ IT infrastructure and gain access to validator nodes,” the company wrote at the time.
The Block now reports, based on two sources with direct knowledge of the incident, that the employee in question was a senior engineer on Axie Infinity and that the means of infiltrating their computer was a job offer that was too good to be true.
According to The Block, fraudsters representing a bogus company approached the engineer via LinkedIn, encouraged him to apply for a job, held several rounds of interviews, and ultimately made a job offer that included “extremely generous compensation.” But the offer was contained in a PDF file.
After the mark downloaded it, spyware was reportedly able to infiltrate the Ronin Network’s systems and grant the hackers access to four of the five validator nodes (out of nine total) they needed to cash out. Access to the fifth was obtained through the Axie DAO, a separate organization that Sky Mavis had enlisted to help with the influx of transactions during the height of Axie Infinity’s popularity. Sky Mavis had failed to remove the DAO’s access from its systems after its help was no longer needed.
One of the much-heralded appeals of blockchain technology is its ability to make databases public and accessible to all while still keeping them secure. But any locked door, no matter how strong, is only as secure as the person holding the key to it. Here with Axie Infinity, the vulnerability of Sky Mavis’ employees was compounded by careless shortcuts it took to stay on top of the game’s meteoric growth last fall. (Sky Mavis has since increased its total validator nodes to 11, with long-term plans to have over 100.)
Of course, in the meantime the company still needs to pay back everyone who lost money in the hack. In April, it raised an additional $150 million, partly in an effort to replenish its existing player base. That same month, the FBI identified the North Korean hackers “Lazarus Group” as the culprits behind the Axie Infinity hack. The federal law enforcement agency warned companies against accidentally hiring North Korean hackers as remote computer scientists.
Article source https://kotaku.com/axie-infinity-hack-nft-pokemon-clone-phishing-scam-1849149357