The blockchain of high-profile crypto game Axie Infinity was reportedly hacked with an elaborate phishing scheme involving fake LinkedIn job offers. The Block reported the news today, citing two sources with knowledge of the incident. It revealed a new dimension to one of the biggest decentralized finance, or DeFi, hacks to date.
According to The Block, hackers — identified by the US government as North Korean group Lazarus — targeted employees of Axie Infinity developer Sky Mavis. They reportedly reached out over LinkedIn on behalf of a fake company, and when employees took the bait, they proceeded with multiple rounds of fake job interviews and then an “extremely generous” fake compensation package. The con culminated in one senior engineer clicking a PDF supposedly containing the official offer — at which point hackers first compromised the engineer’s computer, then four of the nine nodes used to validate financial transactions on Sky Mavis’ Ronin blockchain.
A malicious PDF let hackers compromise the entire financial system
Sky Mavis disclosed previously that the hackers took control of a fifth node from the theoretically decentralized Axie DAO, thanks to a decision to let Sky Mavis sign transactions during a particularly busy period in November. After that, they drained the Ethereum and USDC cryptocurrency that backed Sky Mavis’ treasury, the equivalent of about $625 million at the time. (Following a recent crypto crash, it’s closer to $225 million now.) The company noticed the hack a week after it occurred in March. In its earlier post-mortem, it blamed “advanced spear-phishing attacks” that compromised an employee who no longer worked at Sky Mavis — but it didn’t explain the exact mechanism of the hack.
Axie Infinity was once seen as an example of the success of “play to earn” games, with some players making a full-time living off its real-money economy. But the value of its tokens plummeted amid the larger crypto crash, and Sky Mavis has spent the past months recovering from the breach. It raised $150 million in funding to help reimburse players and reopened transactions on its Ronin bridge last week. (Disclosure: I purchased three axie non-fungible tokens or NFTs to play and report on the game earlier this year.) It also implemented additional security measures to prevent future hacks. Meanwhile, it’s launched a second game called Axie Infinity Origins and attempted to pivot toward being known as a game that’s played for fun rather than a money-making endeavor.