Axie Infinity was attacked by hackers, resulting in a loss of $540 million due to fraudulent recruitment.

Fake Job Advertisements Trigger Major Hacking Incident in the Crypto Industry

A senior engineer at Axie Infinity had a very unusual job application experience, which led to one of the most severe hacker attacks in the crypto industry to date.

In March of this year, Ronin, Axie Infinity's dedicated Ethereum sidechain, was hacked, resulting in a loss of up to $540 million in crypto assets. Although the U.S. government later linked this incident to a certain country's hacker organization, specific details of the attack have not yet been fully disclosed.

According to reports, this incident is closely related to a false job advertisement.

According to sources, earlier this year, a person claiming to represent a certain company contacted employees of Axie Infinity developer Sky Mavis through a professional social networking platform and encouraged them to apply for jobs. After multiple rounds of interviews, a Sky Mavis engineer received a high-paying job offer.

Subsequently, the engineer received a forged offer letter in PDF format. After the engineer downloaded the document, the hackers' software infiltrated Ronin's systems. The hackers then attacked and took control of four of the nine validators on the Ronin network, leaving them one validator short of controlling the entire network.

Sky Mavis stated in a subsequent announcement: "Our employees continue to suffer from advanced phishing attacks across various social channels, and one employee was unfortunately compromised. The attackers used this access to penetrate the company's IT infrastructure and gained access to the validation nodes. The employee is no longer with the company."

Validators play a crucial role in the blockchain by creating transaction blocks and updating data oracles. Ronin uses a "Proof of Authority" system to sign transactions, concentrating power in the hands of nine trusted validators.

A blockchain analysis firm explained: "As long as five out of the nine validators approve, the funds can be transferred. The attacker successfully obtained the private keys of five validators, which is enough to steal the crypto assets."

However, after the hacker successfully infiltrated the Ronin system through a fake job advertisement, they only controlled four out of nine validators and needed one more validator to fully control the network.

Sky Mavis revealed in its report that the hackers ultimately exploited Axie DAO (an organization supporting the gaming ecosystem) to carry out the attack. Sky Mavis had requested the DAO's assistance in handling a heavy transaction load in November 2021.

"Axie DAO had authorized Sky Mavis to sign various transactions on its behalf. Although this authorization was terminated in December 2021, access to the whitelist was not revoked," Sky Mavis explained. "Once the attacker gained access to the Sky Mavis system, they could obtain signatures from the Axie DAO validators."
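The threshold arithmetic described above can be run as an access audit. This is an added example, not Sky Mavis or Ronin code; the validator names, the operator split (four validators run by Sky Mavis, four by hypothetical partners), and the exact dates are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Grant:
    """Allowlist entry: `grantee` may request signatures from `validator`."""
    validator: str
    grantee: str
    authorized_until: Optional[date]  # None = authorization still in force

# Constructed model of the article's setup: 9 validators, 5 approvals needed.
THRESHOLD = 5
OPERATORS = {f"skymavis-{i}": "Sky Mavis" for i in range(1, 5)}   # assumed split
OPERATORS["axie-dao"] = "Axie DAO"
OPERATORS.update({f"partner-{i}": f"Partner {i}" for i in range(1, 5)})  # hypothetical
# The page gives only "December 2021"; the day is a placeholder.
GRANTS = [Grant("axie-dao", "Sky Mavis", date(2021, 12, 1))]

def stale_grants(grants, today):
    """Entries whose authorization ended but which are still on the allowlist."""
    return [g for g in grants
            if g.authorized_until is not None and g.authorized_until < today]

def reach(operators, grants):
    """Validators each entity can obtain signatures from: the ones it operates
    plus any reachable through an allowlist entry that still exists. An expired
    authorization counts, because the entry keeps working until it is removed."""
    out = {}
    for validator, operator in operators.items():
        out.setdefault(operator, set()).add(validator)
    for g in grants:
        out.setdefault(g.grantee, set()).add(g.validator)
    return out

def single_points_of_failure(operators, grants, threshold):
    """Entities whose compromise alone yields at least `threshold` signatures."""
    return sorted(entity for entity, validators in reach(operators, grants).items()
                  if len(validators) >= threshold)

if __name__ == "__main__":
    audit_day = date(2022, 3, 1)  # constructed audit date
    for g in stale_grants(GRANTS, audit_day):
        print(f"stale allowlist entry: {g.grantee} -> {g.validator}")
    print("single points of failure:",
          single_points_of_failure(OPERATORS, GRANTS, THRESHOLD))
    print("after revoking the entry:",
          single_points_of_failure(OPERATORS, [], THRESHOLD))
```

Counting reach per entity rather than per key is the point: the signer set looks like nine independent validators, but one organization's systems can reach five of them until the leftover entry is removed.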

One month after the hacking incident, Sky Mavis increased the number of validator nodes to 11 and stated that the long-term goal is to have over 100 nodes.

Sky Mavis secured $150 million in funding in early April to compensate users affected by the attack. The company recently announced that it will begin refunding users on June 28. The Ronin Ethereum bridge, which was suspended after the hacker attack, was also restarted last week.

Security experts point out that similar social engineering methods have also been used against other industries. To guard against such threats, they recommend the following:

  1. Stay closely informed about security intelligence, conduct self-inspections, and remain vigilant.
  2. Perform necessary security checks before running the executable.
  3. Implement a zero-trust mechanism to effectively reduce risks.
  4. Keep the real-time protection of security software enabled and update the virus database in a timely manner.
Comment
UncommonNPCvip
· 54m ago
This engineer is too naive, directly manipulated by social engineering.
ApeWithNoChainvip
· 08-15 15:58
Sigh, it must be the fault of the node isolation not being in place.
MysteryBoxOpenervip
· 08-15 15:56
Opening a mystery box and I'm already this broke.
ResearchChadButBrokevip
· 08-15 15:33
Why does it feel like there's a recruitment scam everywhere?