How cyber criminals stole 600 million USD using LinkedIn, fake job offer and malicious PDF

A senior engineer at Axie Infinity was the entry point for the hack of $625 million worth of assets from the Ronin chain, after he was lured by a job offer from a bogus company.

Until now the incident had been attributed by the United States government to the North Korean hacking group Lazarus, but few details had been given about how the hack was carried out; the media can now report them thanks to two people with direct knowledge of the matter.

A bogus job offer triggered the attack

Earlier in the year, staff at Axie Infinity developer Sky Mavis were approached through LinkedIn by a group of people “representing” the bogus company, who encouraged them to apply for jobs.

After several rounds of interviews, the engineer in question was offered a job with “extremely generous” compensation. The bogus offer was delivered to him as a PDF document containing spyware; the engineer downloaded it, allowing the malware to infiltrate Ronin’s systems.

After this, the hackers were able to attack and take control of four of the nine Ronin network validators that approve transactions, but they were still one short of being able to move funds. Sky Mavis itself detailed this on its blog, noting that at the time the validator threshold was five of the nine available for transactions.

This requirement meant that, in addition to controlling these four validators, they still needed one more, which they eventually obtained from Axie DAO, a group created to support the gaming ecosystem, which Sky Mavis had asked to help deal with the heavy transaction load in November 2021.

As a result, Axie DAO was on the list of validators allowed to sign transactions on behalf of Sky Mavis, and although that authorization was suspended in December 2021, access via the list was not revoked; so once the attackers gained access to the company’s systems, they also had access to the additional validator.
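The failure mode described above (a 5-of-9 threshold, four keys held by one operator, plus a delegation that was suspended on paper but never removed from the allowlist) can be checked with a small model. The following is an added example, not Sky Mavis or Ronin code; validator ids, operator names and the `Delegation`/`Bridge` classes are constructed for illustration, and the point is a defender's question: can one compromised operator reach quorum, and does revocation close the gap?

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Delegation:
    delegate: str   # operator allowed to sign with this validator's key
    active: bool    # administrative status only; signing checks allowlist membership

@dataclass
class Bridge:
    threshold: int                        # signatures needed to approve a withdrawal
    validators: dict[str, str]            # validator id -> operator that holds its key
    delegations: dict[str, Delegation] = field(default_factory=dict)

    def usable_by(self, compromised: set[str]) -> set[str]:
        """Validator keys reachable from the given set of compromised operators."""
        usable = set()
        for vid, operator in self.validators.items():
            if operator in compromised:
                usable.add(vid)
            d = self.delegations.get(vid)
            # A suspended but unrevoked delegation still counts: the node checks
            # allowlist membership, not the 'active' flag (the stale-access risk).
            if d is not None and d.delegate in compromised:
                usable.add(vid)
        return usable

    def quorum_reachable(self, compromised: set[str]) -> bool:
        return len(self.usable_by(compromised)) >= self.threshold

    def revoke(self, vid: str) -> None:
        """Proper offboarding: remove the allowlist entry rather than flag it."""
        self.delegations.pop(vid, None)

def ronin_like_bridge() -> Bridge:
    # Constructed setup mirroring the article: 5-of-9, four validators run by
    # one operator, one run by a DAO that delegated signing to that operator.
    ops = {f"v{i}": "sky_mavis" for i in range(1, 5)}
    ops["v5"] = "axie_dao"
    ops.update({f"v{i}": f"third_party_{i}" for i in range(6, 10)})
    b = Bridge(threshold=5, validators=ops)
    b.delegations["v5"] = Delegation(delegate="sky_mavis", active=False)  # suspended, not revoked
    return b

if __name__ == "__main__":
    b = ronin_like_bridge()
    print("quorum with stale delegation:", b.quorum_reachable({"sky_mavis"}))  # True
    b.revoke("v5")
    print("quorum after revocation:", b.quorum_reachable({"sky_mavis"}))       # False
```

Raising the validator count without also removing stale delegations does not change the answer; the revocation step is what drops the reachable set below the threshold.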

Increased security to reduce risk

At the time Sky Mavis noted that employees were under constant “advanced phishing attacks” on various social channels, and that one of them had been compromised.

They also detailed that the worker no longer worked at the company, and that the attackers had used his access to penetrate the Sky Mavis IT infrastructure, gaining access to the validation nodes.

According to The Block, just a month after the attack, the company had increased the number of its validation nodes to 11 and its long-term goal was to have more than 100.

Separately, experts released research stating that Lazarus had been using LinkedIn and WhatsApp, posing as recruiters, to target aerospace and defense contractors, although the report does not mention that this method was used against Sky Mavis.