NFT Pokémon clone Axie Infinity went from being famous for players profiting off its “play-to-earn” gaming scam to infamous for getting hacked out of $540 million in cryptocurrency. Now according to a new report by The Block we know what made the security breach possible: a sophisticated phishing attempt socially engineered on LinkedIn that sounds like a deleted episode of Mr. Robot.
For those unfamiliar with the Axie grift, developer Sky Mavis built an Ethereum-linked sidechain called the Ronin Network and grafted on a game about battling and breeding cute monsters called Axie Infinity. Borrowing mechanics from the likes of Pokémon, Neopets, and Hearthstone, players were invited to earn Ethereum-based cryptocurrencies in-game by grinding, and for a while it was turning a huge profit as fresh players poured their time and money into the platform. Then earlier this year the enterprise hit all sorts of snags, from stagnating growth to currency inflation and, not least of all, one of the biggest crypto hacks of all time.
Developer Sky Mavis revealed back in April that the security breach was made possible by an employee who was “compromised” by an “advanced spear-phishing attack.” “The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes,” the company wrote at the time.
The Block now reports, based on two sources with direct knowledge of the incident, that the employee in question was a senior engineer on Axie Infinity and the means of infiltrating their computer was a job offer that was too good to be true.
According to The Block, fraudsters representing a fake company approached the engineer through LinkedIn, encouraged them to apply for a job, held multiple rounds of interviews, and eventually made a job offer that included an “extremely generous compensation package.” But the offer was contained in a PDF file.
After the mark downloaded it, spyware was reportedly able to infiltrate the Ronin Network’s systems and grant the hackers control of four of the five validator nodes (out of nine total) whose approval they needed to cash out. Access to the fifth was obtained through something called the Axie DAO—a separate organization which Sky Mavis had enlisted to help with the influx of transactions during the height of Axie Infinity’s popularity. Sky Mavis had failed to remove the DAO’s access from its systems after its help was no longer needed.
One of the much-heralded appeals of blockchain technology is its ability to make databases public and accessible to all while still keeping them secure. But any locked door, no matter how strong, is only as secure as the person holding the key to it. In the Axie Infinity case, the vulnerability of Sky Mavis’ employees was compounded by careless shortcuts it took to stay on top of the game’s meteoric growth last fall. (Sky Mavis has since increased its total validator nodes to 11, with long-term plans to have over 100.)
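To make the stale-access point concrete, here is an added illustration (not Sky Mavis code, and not a model of Ronin’s actual contracts) of a 5-of-9 threshold approval where four compromised validators plus a helper’s never-revoked key reach quorum, and where a time-boxed or revoked grant for that helper stops the same set of signatures short. Signer names, the 8-plus-1 split of the nine nodes, and all dates are made up for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed model of a threshold bridge: a withdrawal is released once at least
# THRESHOLD distinct allow-listed signers approve it (5 of 9, as reported for Ronin).
THRESHOLD = 5

@dataclass(frozen=True)
class Grant:
    expires: Optional[date] = None   # None = open-ended grant (the weak setting)
    revoked: bool = False

def valid_signers(grants: dict, today: date) -> set:
    """Signers whose grant is neither revoked nor past its expiry on `today`."""
    return {name for name, g in grants.items()
            if not g.revoked and (g.expires is None or today <= g.expires)}

def approve_withdrawal(grants: dict, signatures: set, today: date):
    """Return (released, ignored): whether quorum is met and which signatures did not count."""
    counted = signatures & valid_signers(grants, today)
    ignored = sorted(signatures - counted)
    return len(counted) >= THRESHOLD, ignored

def build_grants(helper_grant: Grant) -> dict:
    # Hypothetical split: eight regular validators plus one temporary helper signer.
    grants = {f"validator-{i}": Grant() for i in range(1, 9)}
    grants["axie-dao"] = helper_grant
    return grants

# Signatures an attacker could produce after compromising four validators while the
# helper's allow-list entry is still in place (constructed scenario).
STOLEN = {"validator-1", "validator-2", "validator-3", "validator-4", "axie-dao"}

def weak_case(today: date = date(2022, 3, 1)):
    # Open-ended grant: the helper's key still counts long after its job ended.
    return approve_withdrawal(build_grants(Grant()), STOLEN, today)

def hardened_case(today: date = date(2022, 3, 1)):
    # Grant tied to the traffic surge lapses on its own even if nobody remembers to revoke it.
    surge_end = date(2021, 12, 31)
    return approve_withdrawal(build_grants(Grant(expires=surge_end)), STOLEN, today)

if __name__ == "__main__":
    print("weak:", weak_case())          # (True, [])
    print("hardened:", hardened_case())  # (False, ['axie-dao'])
```

The `ignored` list is the signal a defender wants logged and alerted on: a quorum attempt leaning on a signer whose grant has lapsed is worth an investigation even when the withdrawal is refused.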
Of course, in the meantime the company still needs to pay back everyone who lost money in the hack. In April, it raised another $150 million, partly in a bid to make its existing player base whole again. That same month, the FBI identified the North Korean hacking outfit “Lazarus Group” as the culprits behind the Axie Infinity hit. The federal law enforcement agency also recently warned companies against accidentally hiring North Korean hackers as remote IT specialists.