Posted on July 11, 2022 at 8:06 PM
In March this year, Axie Infinity was the victim of the largest crypto heist to date against a decentralized finance network. A recent report has revealed that threat actors used a fake LinkedIn job offer to steal $625 million from the platform.
A month later, the US issued an advisory warning that sophisticated hackers from North Korea are posing as IT freelancers in an attempt to get hired.
It has now been revealed that the threat actors, led by the North Korean government-backed Lazarus group, used social engineering tactics to gain access. They infiltrated Sky Mavis’s network by sending a PDF file laced with spyware to one of the firm’s employees.
The involvement of Lazarus in such a high-profile attack won’t be a surprise to many considering the group’s history and its sophistication.
Earlier, in January this year, researchers from various crypto security firms reported that North Korean hackers had stolen $1.3 billion across different crypto exchanges around the world. The security researchers pointed to the Lazarus gang as the prime suspect in those attacks.
An Axie Infinity Employee Took The Bait
The report on the Axie hack shows that a former engineer at the company was the bait the threat actors used. The employee believed the job offer was a high-paying one from another major company. He did not have to do much to aid the hackers; merely opening the malware-infected PDF file was enough. But he went further, providing additional personal information that aided the threat actors. Moreover, the company posing as the prospective employer did not even exist.
During the fake recruiting process, the ex-employee disclosed vital personal details which the threat actors then used to steal funds from the company.
According to Sky Mavis, its workers constantly report being targeted on various social media channels by “advanced spear-phishing attacks.” Unfortunately, one employee, who no longer works for the company, took the bait.
The Attackers Captured Five Validators
The Lazarus hackers are notorious for going after high-value targets with millions in reported monthly revenue. It is not surprising that the group went all-out against Axie Infinity. The play-to-earn, Pokemon-inspired game earns nearly $15 million in revenue daily. The game, developed by Sky Mavis, records over a million players daily.
At the time of the attack, Axie Infinity’s Ethereum-based proof-of-authority sidechain, Ronin, had nine validators. The threat actors leveraged the access gained through the phished employee to infiltrate Sky Mavis’s IT infrastructure and reach the validator nodes.
The attackers captured five of the nine validators after planting malware in the firm’s networks. They were able to control four of the validators through the spyware-laced PDF, which in turn gave them access to the community-run Axie DAO (Decentralized Autonomous Organization). From there, they got hold of the fifth validator.
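The validator capture described above is, at bottom, a threshold-signature problem: with nine validators and (as was the case for the Ronin bridge) five signatures required, a single foothold that reaches five keys is enough. The following is an added illustration, not code from the article or from Sky Mavis; the operator names, the way keys are grouped, and the assumption that the DAO validator’s signing was reachable from Sky Mavis infrastructure are constructed for the example. It contrasts a plain signature-count quorum with one that also demands signer diversity across operators.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Validator:
    name: str
    operator: str  # entity whose infrastructure holds the signing key


# Constructed model of the nine-validator set: four run by Sky Mavis, one by the
# Axie DAO, four by independent partners (partner names are assumptions).
VALIDATORS = (
    tuple(Validator(f"sky-mavis-{i}", "sky-mavis") for i in range(1, 5))
    + (Validator("axie-dao", "axie-dao"),)
    + tuple(Validator(f"partner-{i}", f"partner-{i}") for i in range(1, 5))
)
BY_NAME = {v.name: v for v in VALIDATORS}
THRESHOLD = 5  # signatures needed to approve a bridge withdrawal


def quorum_by_count(signers, threshold=THRESHOLD):
    """Original rule: any `threshold` distinct validator signatures suffice."""
    distinct = {BY_NAME[s].name for s in signers}  # KeyError on an unknown signer
    return len(distinct) >= threshold


def quorum_with_operator_diversity(signers, threshold=THRESHOLD, min_operators=3):
    """Hardened rule: the quorum must also span at least `min_operators` distinct
    operators, so one compromised infrastructure cannot reach quorum on its own."""
    validators = {BY_NAME[s] for s in signers}
    operators = Counter(v.operator for v in validators)
    return len(validators) >= threshold and len(operators) >= min_operators


def keys_reachable_from(foothold, delegations):
    """Keys an attacker holds after compromising `foothold`'s infrastructure:
    that operator's own validators plus any validator whose signing was delegated to it."""
    own = [v.name for v in VALIDATORS if v.operator == foothold]
    delegated = [name for name, to in delegations.items() if to == foothold]
    return own + delegated


# Constructed scenario: one spear-phishing foothold inside Sky Mavis, and the DAO
# validator's signing delegated to Sky Mavis (an assumption for this example).
DELEGATIONS = {"axie-dao": "sky-mavis"}
ATTACKER_KEYS = keys_reachable_from("sky-mavis", DELEGATIONS)

if __name__ == "__main__":
    print(ATTACKER_KEYS)
    print(quorum_by_count(ATTACKER_KEYS))                 # True: 5 of 9 signatures
    print(quorum_with_operator_diversity(ATTACKER_KEYS))  # False: only 2 operators
```

Raising the validator count alone does not change the outcome if the signature threshold and the concentration of keys under one operator stay the same; the diversity rule is what breaks the single-foothold path.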
The Hackers Stole ETH And USDC From The Platform
After the hackers had infiltrated the platform, they stole 173,600 Ether (about $597 million at the time) and $25 million worth of the USDC stablecoin, for a combined haul of about $625 million in crypto.
To improve security, the Ronin sidechain increased its number of validators to 11. Separately, Sky Mavis raised $150 million in a funding round to reimburse the players who lost funds in the hack.
The US government has attributed the attack to the infamous Lazarus hacking syndicate. This follows a series of investigations and several links to the group’s attack techniques seen in the past. Other researchers have also noted that the phishing attack pattern is characteristic of threat actors with a lot of resources and tools.
US Government Linked The Attack To Lazarus Group
This is not the first time the Lazarus group has targeted the blockchain and crypto industry. But social engineering over social media is not the pattern the group has been known for; it is rare to see the group carry out an attack using this particular phishing method.
The only other time such a technique was linked to the group was in June 2020. At that time, security researchers from the internet security company ESET warned that the Lazarus group was using sophisticated recruiter scams to target LinkedIn users looking for jobs. The warning noted that the hackers were specifically targeting people working, or seeking work, at military firms.