Axie Infinity engineers fall victim to false recruitment leading to a large-scale Hacker attack

A senior engineer from Axie Infinity applied for a seemingly attractive job opportunity, only to unexpectedly become the catalyst for one of the largest hacker attacks in the crypto industry. This incident resulted in a loss of $540 million in cryptocurrency on Axie Infinity's dedicated Ethereum sidechain, Ronin.

According to reports, earlier this year, a person claiming to represent a certain company contacted employees of Axie Infinity developer Sky Mavis through a professional social networking platform, encouraging them to apply for a job. After several rounds of interviews, a Sky Mavis engineer received a generous job offer. However, this offer, presented in PDF format, was actually a carefully designed trap. After the engineer downloaded the document, hacker software successfully infiltrated the Ronin system.

The hacker subsequently attacked and took control of four out of the nine validators on the Ronin network. Sky Mavis stated in a follow-up statement that company employees continued to suffer from advanced phishing attacks across various social channels, and one employee unfortunately fell victim. The attacker leveraged the acquired access to infiltrate Sky Mavis's IT infrastructure, thereby gaining control over the validation nodes.

Ronin adopts a "Proof of Authority" system for transaction signing, centralizing power in the hands of nine trusted validators. Blockchain analysis firm Elliptic explains that as long as five out of the nine validators approve, funds can be transferred. The attacker successfully obtained the private keys of five validators, allowing them to steal the crypto assets.

After successfully infiltrating the Ronin system through fake recruitment ads, the Hacker has taken control of four validators and needs one more validator to complete the attack. Sky Mavis disclosed that the Hacker leveraged the Axie DAO (an organization supporting the gaming ecosystem) to carry out the attack. Sky Mavis had requested assistance from the DAO in November 2021 to handle the heavy transaction load, but did not revoke the whitelist access after it stopped in December 2021. Once the attacker gains access to the Sky Mavis system, they can obtain signatures from the Axie DAO validators.

A month after the hacker attack, Sky Mavis increased the number of its validation nodes to 11 and stated that the long-term goal is to have over 100 nodes. The company also raised $150 million in financing led by a trading platform to compensate users affected by the attack. Sky Mavis recently announced that it will start refunding users on June 28. The Ethereum bridge for Ronin suddenly stopped after the hacker attack and was restarted last week.

Security agencies issued warnings as early as April this year, indicating that a national-level Hacker organization is conducting targeted attacks on the digital currency industry through social media. They impersonate different roles on social platforms to connect with blockchain industry developers, and even create fake trading websites to recruit outsourced employees, thereby deceiving developers into trusting them and subsequently sending malware for phishing attacks.

To prevent similar attacks, security experts recommend:

1. Industry professionals should closely monitor the security intelligence of domestic and international threat platforms and conduct self-assessments.
2. Developers should conduct necessary security checks before running the executable program.
3. Establish a zero-trust mechanism to effectively reduce the risks posed by such threats.
4. Mac/Windows users should keep the real-time protection of their security software enabled and update the virus database in a timely manner.