A Fake Job Offer Reportedly Led to Axie Infinity's $600M Hack

Lazarus, a hacker group associated with North Korea, is thought to be behind the hack.

Daniel Van Boom Senior Writer
Daniel Van Boom is an award-winning Senior Writer based in Sydney, Australia. Daniel Van Boom covers cryptocurrency, NFTs, culture and global issues. When not writing, Daniel Van Boom practices Brazilian Jiu-Jitsu, reads as much as he can, and speaks about himself in the third person.
Expertise Cryptocurrency, Culture, International News
Daniel Van Boom
2 min read
A screenshot from Axie Infinity.
Sky Mavis

Last August, play-to-earn game Axie Infinity was on top of the world. The Pokemon-inspired game was generating developer Sky Mavis over $15 million in revenue each day, and some players in Southeast Asia were earning enough cryptocurrency to live off.

Fast forward 11 months: The price of Axie NFTs and the game's Smooth Love Potion cryptocurrency have collapsed. There are many reasons why, but one of the most important is a hack that took place in March.

A hacker managed to exploit the Ronin blockchain that Axie Infinity uses to steal $620 million worth of crypto. Sky Mavis previously said it was achieved through a phishing scheme, and the US government said Lazarus, a North Korea-backed outfit, was behind the heist. 

A report from The Block on Wednesday revealed that the hack was socially engineered via a fake job offer.

A senior Sky Mavis engineer was targeted by "recruiters" on LinkedIn who hoped to sign him to their company, reports The Block, citing sources familiar with the matter. The recruiting process involved several interviews and ended with a job offer, sent via PDF. The company, however, didn't exist, and the PDF was laced with spyware. 

Ronin is a Proof-of-Authority blockchain, which means control over the network is given to hand-picked validators. At the time of the hack, Axie Infinity had nine validators. For a bad actor to take control of Ronin, they needed to take control of five of those nine validators. For a bad actor to take complete control of the bitcoin blockchain, which uses Proof-of-Work, they would need 51% of the electricity being utilized by every bitcoin miner in the world. While bitcoin is designed to be secure at all costs, Ronin's sole purpose was to provide cheap, quick transactions for Axie Infinity players. 

A screenshot of Axie Infinity's marketplace.

Axie Infinity sees players battle and breed Axie monsters, which are owned as NFTs. At its peak, bottom-tier Axies were selling for over $300 each. They now fetch far less -- with Axies often selling for under $10. 

Sky Mavis

The spyware encased in that PDF, reports The Block, allowed the hacker to control four of Ronin's nine validators. Hackers then got access to community-run Axie DAO, which had access to one more validator. Once they controlled the network, hackers drained Axie Infinity's treasury of $25 million in the USDC stablecoin and 173,600 ether. After ether's dramatic price drop, the total steal is now worth $229 million.

Sky Mavis was contacted for comment but didn't immediately respond. In an April post-mortem, the Axie team wrote: "Sky Mavis employees are under constant advanced spear-phishing attacks on various social channels and one employee was compromised. This employee no longer works at Sky Mavis. The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes."

Since the hack, Sky Mavis has attempted to make amends with Axie Players. Following a $150 million funding round in April, Sky Mavis is reimbursing players who lost crypto in the hack. To boost up security, Ronin now has 11 validators rather than nine.