Details of the sensational hack of one of the most popular crypto projects

How a job offer led to the theft of $625 million from the Axie Infinity game

08.07.2022

The Block has released details about the game's hack. You can read the original article here.

At the peak of the development of the blockchain game Axie Infinity, players could fully support themselves by receiving rewards in AXS tokens. At this point, the rewards have diminished, but the user base is still large. Play-to-Earn (P2E) is a popular trend in the crypto industry and has gathered many players and an active community around it. Last November, the game boasted nearly three million daily users. According to Bloomberg, that number is now down to 650 000 per day. The weekly trading volume of in-game NFTs in November 2021 was $214 million; as of early July, it was barely over $559 000.

The Ronin Network is the sidechain underlying Axie Infinity. It is a technology that allows tokens from one blockchain to be used in another, and then be returned to the original blockchain if necessary. On March 23, Ronin lost $625 million due to a hacking attack. The US government later linked the incident to the North Korean hacking group Lazarus, but no details of exactly how the attack was carried out were made public. According to The Block's sources with direct knowledge of the situation, the hack began when one of the developers carelessly opened a file containing camouflaged malware.

Earlier this year, employees at Sky Mavis (developer of Axie Infinity) began receiving fake job offers on LinkedIn. One of them was taken in. After several rounds of interviews, he was offered a job with generous compensation. The cyber criminals sent him a fake offer in the form of a PDF document containing malicious code. The script allowed the malware to infiltrate Ronin Network's internal systems. As a result, the hackers took over four of the nine validators on the network, leaving them only one short of complete control of the network.

Validators take an active part in building the blockchain: they validate transactions and mine new blocks of tokens on the network. The Ronin Network security system used nine validators to confirm transactions, but it only needed approval from five of them to deposit or withdraw funds. Elliptic, an analytics company, also later confirmed that funds could be withdrawn if five of the nine validators approved it.

The hackers gained access to the fifth validator through Axie DAO, a decentralized, autonomous organization created to support the gaming ecosystem. Sky Mavis had previously turned to Axie DAO to deal with a heavy network load. “The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked. Once the attacker got access to Sky Mavis systems they were able to get the signature from the Axie DAO validator,” according to the blog. A month after the hack, Sky Mavis increased the number of validators to eleven and said in a blog post that it was setting a long-term goal to have more than a hundred.
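The quorum arithmetic described above can be checked as a key-custody audit. The following is an added example, not code from Sky Mavis or The Block: the 5-of-9 threshold, Sky Mavis's four validators and the unrevoked Axie DAO allowlist come from the article, while the validator ids and the operators of the remaining four validators are constructed placeholders.

```python
from dataclasses import dataclass

THRESHOLD = 5  # approvals needed to move funds (5 of 9, per the article)

@dataclass(frozen=True)
class Delegation:
    validator: str  # validator whose signature can be requested
    delegate: str   # organisation allowlisted to request it
    in_use: bool    # False: arrangement discontinued, access may still exist

# Constructed inventory. Only the Sky Mavis and Axie DAO rows reflect the
# article; "Operator A".."Operator D" and all validator ids are placeholders.
OPERATORS = {
    "sm-1": "Sky Mavis", "sm-2": "Sky Mavis",
    "sm-3": "Sky Mavis", "sm-4": "Sky Mavis",
    "dao-1": "Axie DAO",
    "ext-1": "Operator A", "ext-2": "Operator B",
    "ext-3": "Operator C", "ext-4": "Operator D",
}
DELEGATIONS = [Delegation("dao-1", "Sky Mavis", in_use=False)]

def reachable(operators, delegations):
    """Validators whose signature is obtainable from inside each organisation."""
    reach = {}
    for validator, org in operators.items():
        reach.setdefault(org, set()).add(validator)
    for d in delegations:  # allowlist access counts until it is revoked
        reach.setdefault(d.delegate, set()).add(d.validator)
    return reach

def audit(operators, delegations, threshold=THRESHOLD):
    """Flag every organisation whose compromise alone meets the quorum."""
    findings = []
    for org, validators in sorted(reachable(operators, delegations).items()):
        if len(validators) >= threshold:
            stale = sorted(d.validator for d in delegations
                           if d.delegate == org and not d.in_use)
            findings.append({"org": org, "signatures": len(validators),
                             "stale_delegations": stale})
    return findings

def revoke_stale(delegations):
    """Drop allowlist entries for arrangements that are no longer in use."""
    return [d for d in delegations if d.in_use]

if __name__ == "__main__":
    print("as found:     ", audit(OPERATORS, DELEGATIONS))
    print("after cleanup:", audit(OPERATORS, revoke_stale(DELEGATIONS)))
```

Even after the stale allowlist entry is revoked, the largest single organisation in this inventory still holds four of the five signatures needed, so the quorum rests on one further key.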

In early April, Sky Mavis raised $150 million in an investment round led by the Binance exchange. The proceeds, along with its own funds, will be used, among other things, to compensate users affected by the exploit. The company returned the funds on June 28. The Ethereum bridge Ronin Network also resumed operations that day after suddenly shutting down during the hack.

Crypto projects lost a total of $2 billion worth of tokens in hacks in 2022, according to The Block Research. For the whole of 2021, the amount stolen, according to the same data, was $760 million. Projects such as Badger DAO (worth $120 million) and Beanstalk (worth $182 million) were similarly hacked using tricks with disguised malware. NFT projects have not been spared by hackers either. On May 4, attackers hacked into the Discord accounts of Bored Ape Yacht Club (BAYC) administrators and posted phishing links on their behalf in the channel. As a result, NFT holders had 200 ETH (~$360 000 at the time of the attack) worth of assets stolen from them.