The blockchain behind the high-profile crypto game Axie Infinity was reportedly hacked using an elaborate phishing scheme involving fake LinkedIn job postings. The Block reported the news today, citing two sources with knowledge of the incident. The report reveals a new dimension to one of the largest decentralized finance, or DeFi, hacks to date.
According to The Block, hackers (identified by the US government as the North Korean group Lazarus) targeted employees of Axie Infinity developer Sky Mavis. They reportedly made contact through LinkedIn on behalf of a bogus company, and when employees took the bait, they proceeded with multiple rounds of fake interviews and then an “extremely generous” bogus compensation package. It culminated in a senior engineer clicking on a PDF that supposedly contained the official offer, at which point the hackers compromised first the engineer’s computer and then four of the nine nodes used to validate financial transactions on Sky Mavis’ Ronin blockchain.
Sky Mavis previously announced that the hackers took control of a fifth node from the theoretically decentralized Axie DAO, thanks to a decision to allow Sky Mavis to sign transactions during a particularly busy period in November. Then they drained the Ethereum and USDC cryptocurrency that backed Sky Mavis’ treasury, the equivalent of about $625 million at the time. (After a recent crypto crash, it’s now closer to $225 million.) The company noticed the hack a week after it happened in March. In its earlier post-mortem, it blamed “advanced spear-phishing attacks” that compromised an employee who no longer worked at Sky Mavis, but did not explain the exact mechanism of the hack.
Axie Infinity was once seen as an example of the success of play-to-earn games, with some players making a full-time living from its real-money economy. But the value of its tokens plummeted amid the larger crypto crash, and Sky Mavis has spent the past few months recovering from the breach. It raised $150 million in funding to help pay back players and reopened trades on its Ronin bridge last week. (Disclosure: Earlier this year, I purchased three non-fungible tokens, or NFTs, to play and report on the game.) It also implemented additional security measures to prevent future hacks. Meanwhile, it has launched a second game called Axie Infinity Origins and tried to move away from being known as a way to make money rather than a game played for fun.