Axie Infinity engineer falls for phishing job offer, triggering $540 million Ronin hack
Axie Infinity Senior Engineer Becomes Catalyst for Hack
A senior Axie Infinity engineer's job search triggered one of the largest hacks in the crypto industry. The engineer unknowingly applied for a position at a fictitious company, which opened serious security holes in Ronin, Axie Infinity's dedicated Ethereum sidechain.
In March of this year, Ronin was hacked, resulting in a loss of up to $540 million in cryptocurrency. Although the U.S. government later linked the incident to the North Korean hacker group Lazarus, the specific details of the attack have not yet been fully disclosed.
It is reported that this incident originated from a fake job advertisement. According to sources, earlier this year, a person claiming to represent a certain company contacted employees of Axie Infinity developer Sky Mavis through a professional social networking platform, encouraging them to apply for jobs. After multiple rounds of interviews, a Sky Mavis engineer secured a high-paying position.
Subsequently, the engineer received a fraudulent job offer in PDF format. After the engineer downloaded this document, the attacker's software infiltrated Ronin's systems. The attacker then took over four of the nine validators on the Ronin network, just one short of being able to fully control the entire network.
Sky Mavis stated in the post-mortem report released on April 27: "Our employees continue to face sophisticated phishing attacks across various social channels, and one employee unfortunately fell victim to an intrusion. This employee is no longer with us. The attacker used the acquired access to infiltrate Sky Mavis's IT infrastructure and gained control of the validation nodes."
In blockchain, validators are responsible for creating transaction blocks and updating data oracles among other functions. Ronin uses a "Proof of Authority" system for transaction signing, concentrating power in the hands of nine trusted validators.
Blockchain analysis company Elliptic explained: "As long as five out of nine validators approve, funds can be transferred. The attacker successfully obtained the private keys of five validators, which is enough to steal the crypto assets."
Although the hackers successfully infiltrated the Ronin system through fake job advertisements, they only controlled four out of nine validators and needed one more validator to gain complete control.
Sky Mavis disclosed in the report that the attacker ultimately used Axie DAO (an organization that supports the gaming ecosystem) to carry out the attack. Sky Mavis had requested the DAO's assistance in handling the heavy transaction load in November 2021.
"Axie DAO allows Sky Mavis to sign various transactions on its behalf. This practice was stopped in December 2021, but the access to the whitelist was not revoked," Sky Mavis explained. "Once the attacker gains access to the Sky Mavis system, they can obtain signatures from the Axie DAO validators."
One month after the hack, Sky Mavis increased the number of its validation nodes to 11 and stated that the long-term goal is to have more than 100 nodes.
Sky Mavis closed a $150 million funding round led by a trading platform in early April. This funding will be used along with the company's own funds to compensate users affected by the attack. The company recently announced that it will start refunding users on June 28. The Ronin Ethereum bridge, which was suspended after the hack, also restarted last week.
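The 5-of-9 threshold and the unrevoked Axie DAO allowlist entry described above can be checked for mechanically. The following is an added example, not code from the article or from Sky Mavis: it computes how many validator signatures each operator can reach, counting delegations that were never revoked, and flags any operator whose reach meets the threshold. Validator IDs, operator labels and exact dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Delegation:
    validator: str       # validator whose signature can be requested
    delegate: str        # operator allowed to request it
    needed_until: date   # last day the arrangement was in use
    revoked: bool        # was the allowlist entry actually removed?

def signing_reach(operators, delegations):
    """Validators each operator can get signatures from, directly or via live delegation."""
    reach = {op: set(vals) for op, vals in operators.items()}
    for d in delegations:
        if not d.revoked:
            reach.setdefault(d.delegate, set()).add(d.validator)
    return reach

def audit(operators, delegations, threshold, today):
    """Return findings: stale delegations and operators whose reach meets the threshold."""
    findings = []
    for d in delegations:
        if not d.revoked and d.needed_until < today:
            findings.append(("stale_delegation", d.delegate, d.validator))
    for op, vals in sorted(signing_reach(operators, delegations).items()):
        if len(vals) >= threshold:
            findings.append(("operator_meets_threshold", op, len(vals)))
    return findings

# Constructed sample data (hypothetical IDs): one operator's infrastructure
# reaches four validators, the DAO runs one, four partners run one each.
OPERATORS = {
    "sky_mavis": ["v1", "v2", "v3", "v4"],
    "axie_dao": ["v5"],
    **{f"partner_{i}": [f"v{i}"] for i in range(6, 10)},
}
# Delegation no longer used after December 2021 but never revoked (day is constructed).
DELEGATIONS = [Delegation("v5", "sky_mavis", date(2021, 12, 31), revoked=False)]
THRESHOLD = 5  # five of nine validators must approve

if __name__ == "__main__":
    for finding in audit(OPERATORS, DELEGATIONS, THRESHOLD, today=date(2022, 3, 1)):
        print(finding)
```

Marking the delegation as revoked drops the operator's reach back to four, below the threshold, and the audit returns no findings.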
A recent survey released by the security agency ESET Research shows that North Korea's Lazarus group is abusing professional social platforms and instant messaging software to target aerospace and defense contractors. However, the report does not directly link this technique to the attack on Sky Mavis.
Another security agency issued a security warning in April this year, pointing out that the North Korean APT group Lazarus is targeting the cryptocurrency industry with a series of malicious applications. Their main methods include:
In response to this type of threat, security experts have proposed the following preventive measures: