Fake LinkedIn job offers used to steal $540 million from Axie Infinity

The largest cryptocurrency heist started with a job offer in March

In March this year, $620 million got stolen from Axies Infinity

$540 million hacks of Axie Infinity in late March of this year is the incident involving the former employee getting tricked by the fake job offer. The fraudulent job offer on LinkedIn helped high skilled hackers to trick a senior engineer into applying to a non-existent company.^[1] Previous reports show that the employee was tricked into downloading a fake offer document disguised as a PDF document.^[2] The offer came after a round of interviews, according to The Block report.^[3]

Axie Infinity is a strategy-based online video game that allows users to grow and trade digital pets that are called Axies. This is the game that uses Ethereum- based cryptocurrencies for the in-game economy. The engineer received an offer with a generous compensation package. The particular document with this fraudulent offer acted as the possibility to deploy malware that can help breach the Ronin network. This was the goal of the attack, and it ended as one of the biggest hacks in the cryptocurrency sector to date.

This happened even though employees are constantly advised on advanced spear-phishing attacks and social engineering attack methods. As the company notes that one employee was compromised resides the educational programs:

This employee no longer works at Sky Mavis. The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes.

Lazarus group – state-backed hackers to blame

Reports state that this hack is the job of the North Korean hacker group Lazarus.^[4] The gang specializes in such types of cyber attacks. It was reported before^[5] that the Lazarus group used fake job offers to infiltrate networks to spread spyware as documents on the targeted company machines. Such bogus job offers have been used by the advanced persistent threat as social engineering lures. These methods were first employed in 2020 when the Israeli cybersecurity firm ClearSky named it Operation Dream Job.

This is not a surprise because the hacker group has been involved in various attacks targeting cryptocurrency exchanges across the globe. Particular North Korean hackers have already stolen $1.4 billion from such companies, and the main hacker group to blame is the infamous Lazarus. This group is suspected to be responsible for the $100 million altcoin theft from harmony Horizon Bridge.

Axie Infinity hack

The employee that took the bait, believing that the offer was a high-paying job offer, opened the PDF file. Besides that, during those interviews and the whole recruiting process for the fake company, the person gave away other personal details to the attackers too. This also helped hackers to steal from the company directly.

Sky Mavis relaunched Ronin's Ethereum bridge in June – a few months after the hack. The attacker had to capture five of nine validators to infiltrate the network of the company. The PDF laced with malware helped the criminals to control 4 of them and access the community-run Axie DAO. This way, attackers got control of the 5th one too.^[6]

At the time of the attack, there were nine validators, Ronin sidechain increased the number to 11 to improve security. As for the Axie Infinity Players who have lost their funds, Sky Mavis is reimbursing all of the users. This company had $150 million in funding back in April 2022.