A fake job offer via LinkedIn allowed to steal $540M from Axie Infinity

Threat actors used a fake job offer on LinkedIn to target an employee at Axie Infinity that resulted in the theft of $540 Million.

In March, threat actors stole almost $625 million in Ethereum and USDC (a U.S. dollar pegged stablecoin) tokens from Axie Infinity’s Ronin network bridge. The attack took place on March 23rd, but the cyber heist was discovered after a user was unable to withdraw 5,000 ether.

The Ronin Network is an Ethereum-linked sidechain used for the blockchain game Axie Infinity.

The attackers have stolen roughly 173,600 ether and 25.5 million USDC. The Ronin bridge and Katana Dex have been halted following the attack.

Axie Infinity disclosed the security breach through the official Discord and Twitter accounts, and by Ronin Network.

Now a report from The Block citing two people familiar with the matter revealed that threat actors targeted a senior engineer at the company with a fake job offer via LinkedIn.

“According to two people with direct knowledge of the matter, who were granted anonymity due to the sensitive nature of the incident, a senior engineer at Axie Infinity was duped into applying for a job at a company that, in reality, did not exist.” reads the report published by The Block. “Earlier this year, staff at Axie Infinity developer Sky Mavis were approached by people purporting to represent the fake company and encouraged to apply for jobs, according to the people familiar with the matter. One source added that the approaches were made through the professional networking site LinkedIn.”

The attackers offered a job with an extremely generous compensation package to a Sky Mavis engineer.

A PDF containing the offer was sent to the employee, once opened the file a spyware compromised his system and infiltrate the Ronin’s network. Once inside the company infrastructure, the threat actors were able to take over four out of nine validators on the Ronin network.

“Employees are under constant advanced spear-phishing attacks on various social channels and one employee was compromised. This employee no longer works at Sky Mavis. The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes.” reads a post-mortem analysis published by Sky Mavis.

In April, the U.S. government blamed North Korea-linked APT Lazarus for the Ronin Validator cyber heist.

The U.S. Treasury announced in a notice the sanctions against the Ethereum address used by the North Korea-linked APT to receive the stolen funds. US organizations are forbidden to conduct any transactions with the above address.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Zyxel)

[adrotate banner=”5″]

[adrotate banner=”13″]