Hacks in-depth — Axie Infinity

Tookey.io
10 min readDec 20, 2022


Brief

  • The Ronin network of Axie Infinity, an Ethereum sidechain, was hacked in March, with $622 million in assets taken at the time of revelation.
  • Sky Mavis CEO Trung Nguyen moved $3 million in tokens immediately before the breach was revealed, but charges of insider trading are “baseless and incorrect,” he argues today.

For those unfamiliar with the Axie Infinity saga: developer Sky Mavis created an Ethereum-linked sidechain called the Ronin Network and grafted onto it Axie Infinity, a game about battling and breeding cute monsters.

Borrowing elements from Pokémon, Neopets, and Hearthstone, users were urged to earn Ethereum-based coins in-game through grinding, and the platform was profitable for a while as new players poured their time and money into it. Then, earlier this year, the company ran into a slew of problems, from stagnant growth to currency inflation, not to mention one of the largest crypto attacks in history.

Hackers stole $620 million from Axie Infinity by conducting phony employment interviews.

The breach that cost Axie Infinity $620 million in cryptocurrency began with a phony job offer from North Korean hackers to one of the game’s devs.

The attack occurred in March 2022, and it destroyed Sky Mavis’s then-extremely popular and rapidly developing game.

The FBI was able to trace the assault to the Lazarus and APT38 hackers by April 2022, two organizations that are frequently involved in cryptocurrency heists for the North Korean government.

According to a recent investigation from digital assets news outlet The Block, people with knowledge of the incident stated that threat actors approached Sky Mavis workers via LinkedIn, masquerading as a startup.

Because the pay on offer was so substantial, one senior engineer at Axie Infinity expressed interest in the fake job offer and went through numerous rounds of interviews.

At one point, the engineer received a PDF file with task specifics. The document, however, was the hackers’ entry point into the Ronin systems — the Ethereum-linked sidechain that runs the non-fungible token-based online video game Axie Infinity.

The employee downloaded and opened the file on a company computer, kicking off an infection chain that allowed the hackers to breach Ronin’s infrastructure and compromise four Ronin validators and one Axie DAO validator.

According to the firm’s post-mortem, the employee who was the target of the spear-phishing attack has subsequently been fired. However, the game is still seeking to restore momentum by introducing investment programs and technical restarts.

The financial loss was so severe that Sky Mavis is still working to reimburse the gamers who were harmed by the breach.

Fake employment offers

North Korean government hackers have been connected to a number of cryptocurrency heists over the years.

According to a report published last year by Google’s Threat Analysis Group, a North Korean hacker group targeted security researchers with custom malware after approaching them over multiple channels, including LinkedIn.

Members of the Lazarus Group used fraudulent job offers to target employees of cryptocurrency firms in at least 14 countries in the summer of 2020.

Earlier this year, the US administration warned that the Democratic People’s Republic of Korea (DPRK) is shipping IT personnel to work as freelancers, which might be utilized in state-backed assaults.

A year ago, Cyphere research revealed how simple it was for anybody to make job offers on behalf of a firm on LinkedIn.

The FBI recently issued a warning on the dangers of fraudulent job advertising, noting several frequent symptoms of fraud that internet users should be aware of when they get unsolicited employment offers.

Sky Mavis, a developer, stated in April that the security vulnerability was enabled by an employee who was “compromised” by a “sophisticated spear-phishing assault.” “The attacker used that access to enter Sky Mavis’ IT infrastructure and get access to the validator nodes,” the business noted at the time.

Based on two people with intimate knowledge of the event, The Block now says that the employee in question was a senior engineer on Axie Infinity, and the means of accessing their computer was a job offer that seemed too good to be true.

According to The Block, fraudsters posing as representatives of a bogus organization reached the engineer over LinkedIn, urged them to apply for a position, conducted many rounds of interviews, and finally presented a job offer that contained a “very substantial remuneration plan.” The offer, however, was included in a PDF file.

After the target downloaded it, the malware apparently infiltrated the Ronin Network’s computers, granting the hackers four of the five validator signatures (out of a total of nine) required to approve a withdrawal. The fifth was obtained through the Axie DAO, a separate entity that Sky Mavis had enlisted to assist with the surge of transactions during the peak of Axie Infinity’s popularity. Sky Mavis had neglected to revoke the DAO’s access from its systems after its assistance was no longer required.

One of the many touted benefits of blockchain technology is its capacity to make databases public and available to all while remaining secure. However, no matter how robust a locked door is, it is only as secure as the person who holds the key to it. The vulnerability of Sky Mavis’ staff here was exacerbated by irresponsible shortcuts taken to keep up with the game’s spectacular expansion last autumn. (Sky Mavis has subsequently expanded the number of validator nodes to 11, with long-term intentions to have more than 100.)

Of course, in the interim, the corporation must compensate everyone who lost money as a result of the hack. It collected another $150 million in April, largely to replenish its existing player base. That same month, the FBI named North Korean hackers “Lazarus Group” as the perpetrators of the Axie Infinity attack. In addition, the federal law enforcement agency recently advised businesses against inadvertently hiring North Korean hackers as remote IT consultants.

A rare nation-state danger

North Korea is a tiny, isolated country with a population of about 25 million people. Despite its small size, the country’s massive military and cybersecurity spending have elevated it to one of the US’ “big four” nation-state enemies, with Russia, Iran, and China.

Last year, CrowdStrike senior vice president of intelligence Adam Meyers told SearchSecurity that the primary purpose of nation-state action is to acquire information. However, while Iranian state hackers have carried out ransomware attacks and cryptocurrency mining, and Russia is known to use private ransomware gangs in some capacity, North Korea is the only significant opponent that includes financial cybercrime as a key aim in its offensive efforts.

APT38, as previously noted, is a financially motivated actor that has been monitored by academics since at least 2014. The organization was responsible for the 2018 SWIFT financial transaction system hacks, which resulted in the theft of $100 million, as well as several additional attacks.

Meanwhile, the Lazarus Group was responsible for the WannaCry assaults in mid-2017. Both are part of the DPRK’s Reconnaissance General Bureau, which is in charge of the country’s clandestine military and intelligence activities.

North Korea is an “exceptional instance,” according to Ari Redbord, head of legal and government affairs at blockchain fraud intelligence provider TRM Labs.

“This is a little, tiny nation with no economy and is not a player on the global arena at all in terms of economics,” he remarked. “But they were the first to discover that by forming a cybercriminal organization, they could compete on a digital battlefield with some of the world’s superpowers. That, I believe, has the potential to be highly unstable for the geopolitical sphere, as well as extremely hazardous.”

According to the experts SearchSecurity talked with, North Korea has a sophisticated offensive cyberoperation.

According to Aaron Arnold, a senior associate fellow at the Royal United Services Institute, the country uses zero-day exploits to breach large-scale targets such as big banks and Sony Pictures, and also runs sophisticated intelligence-gathering operations aimed at South Korea.

“North Korea is frequently characterized as an uneducated backwater, and I believe it portrays the false impression,” he added. “I believe the ultimate truth is that North Korea is a highly skilled cyber operator with very good tools and skills.”

Attacks against cryptocurrency platforms

Platforms at the heart of recent significant cryptocurrency heists come in a variety of shapes and sizes; in addition to games like Axie Infinity, investment services and cryptocurrency exchanges are popular targets for thieves. Major cryptocurrency platform hacks have been a recurring pattern in the last two years, independent of North Korea.

In December, BitMart reported a cryptocurrency loss totaling about $150 million in assets, carried out mostly through the use of a stolen private key. In February, threat actors stole 120,000 wrapped Ethereum (valued at roughly $300 million at the time) from the blockchain bridge Wormhole.

North Korea’s Lazarus Group was blamed for a $275 million attack on the cryptocurrency exchange KuCoin in 2020; Chainalysis estimated that this one operation accounted for more than half of all cryptocurrency stolen that year. Liquid, a Japanese exchange, was also attacked by North Korean-linked hackers, resulting in a loss of around $97 million in cryptocurrency.

Hot market, shoddy security

Sky Mavis wrote a Substack article shortly after the Axie Infinity assault happened in late March, outlining everything known about the hack up to that moment. According to the creators, the Sky Mavis Ronin sidechain required nine validator nodes at the time to recognize a withdrawal.

Because of compromised private keys and a backdoor used to obtain the signature of a fifth node owned by Axie Infinity’s decentralized autonomous organization (DAO), the attacker was able to seize control of five nodes. According to the firm, this was not meant to be feasible.

“This dates back to November 2021, when Sky Mavis sought assistance from the Axie DAO to issue free transactions owing to a heavy user load,” according to the Substack report. “Sky Mavis was authorized by the Axie DAO to sign numerous transactions on its behalf. This was phased off in December 2021, although allowlist access was not removed.”

On April 27, Sky Mavis issued a post-mortem that revealed how the attack transpired, how the vulnerabilities were handled, and previously unmentioned observations. Sky Mavis, for example, “didn’t have a suitable tracking system for monitoring significant outflows from the bridge, which is why the breach wasn’t noticed quickly.”
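The two failures described above, a delegated signing permission that was phased out but never removed from the allowlist, and the absence of monitoring for large bridge outflows, can be shown in a small threshold-signature model. This is an added, constructed example, not Ronin’s or Sky Mavis’s code; the validator names, the 5-of-9 threshold, the expiry date and the withdrawal limits are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import date

THRESHOLD = 5  # constructed after the page's 5-of-9 figure


@dataclass
class Delegation:
    """Permission for one key to sign on behalf of a validator, with an end date."""
    on_behalf_of: str
    expires: date


@dataclass
class Bridge:
    validators: set
    # delegate key -> Delegation; the flaw on the page is an entry kept after expiry
    allowlist: dict = field(default_factory=dict)

    def approving_validators(self, signers, today, enforce_expiry):
        approved = set()
        for key in signers:
            if key in self.validators:
                approved.add(key)
            elif key in self.allowlist:
                grant = self.allowlist[key]
                if enforce_expiry and today > grant.expires:
                    continue  # stale allowlist entry no longer counts
                approved.add(grant.on_behalf_of)  # counts as the delegating validator
        return approved

    def withdrawal_approved(self, signers, today, enforce_expiry=True):
        return len(self.approving_validators(signers, today, enforce_expiry)) >= THRESHOLD


def large_outflow_alert(amount, daily_total, single_limit, daily_limit):
    """The monitoring check the post-mortem says was missing: flag outsized withdrawals."""
    return amount > single_limit or daily_total + amount > daily_limit


def scenario():
    # Constructed names: four operator-run validators, one DAO validator, four others.
    bridge = Bridge(validators={f"op_v{i}" for i in range(1, 5)} | {"dao_v"}
                    | {f"ext_v{i}" for i in range(1, 5)})
    # Delegation granted in November 2021 and phased out in December 2021 (assumed end date).
    bridge.allowlist["op_gasfree_signer"] = Delegation("dao_v", date(2021, 12, 31))
    signers = {f"op_v{i}" for i in range(1, 5)} | {"op_gasfree_signer"}
    today = date(2022, 3, 1)  # some day in March 2022, per the page's timeline
    return {
        "stale_allowlist_honored": bridge.withdrawal_approved(signers, today, enforce_expiry=False),
        "expiry_enforced": bridge.withdrawal_approved(signers, today, enforce_expiry=True),
        "alert": large_outflow_alert(1_000_000, 0, 10_000, 50_000),  # constructed amounts
    }
```

With the stale entry honored, four compromised validator keys plus the leftover delegation reach the threshold; enforcing expiry leaves only four signatures, and the outflow check flags the withdrawal regardless.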

Additional validator nodes were added to close the weakness that permitted the attack, and Sky Mavis added a security plan to the post that includes audits, even more validator nodes, a zero-trust security model, and more.

Some platform attacks arise from factors such as stolen private keys and exploited vulnerabilities. Many cryptocurrency owners have also lost hundreds of thousands of dollars or more in assets as a result of simple social engineering attacks such as phishing.

In the last five years, a number of cryptocurrency-focused firms, such as Axie Infinity, have rapidly developed to the point where they handle millions, if not billions, of dollars in transactions.

According to Chainalysis’ Plante, this rapid expansion might have a detrimental influence on security outcomes, and Plante specifically mentioned DeFi systems.

“There is a lack of security surrounding developing DeFi technologies,” she explained. “In the first three months of this year, hackers stole $1.3 billion from exchanges, platforms, and private companies — with DeFi bearing a disproportionate share of the blame.”

One recent example was the attack on Beanstalk Farms, which completely depleted the DeFi platform’s liquidity. The attacker used the platform’s own governance system to introduce malicious code into the protocol, allowing them to withdraw all accessible funds. The Beanstalk incident demonstrated how some DeFi firms entered the market with dubious security postures while a slew of threat actors were seeking to commit heists.

“Nearly 97% of the bitcoin stolen in the first three months of 2022 came via DeFi protocols, up from 72% in 2021 and 30% in 2020,” Plante stated. “However, for DeFi protocols in particular, the greatest thefts are frequently the result of poor programming. Outside of the Ronin assault, code exploits and flash loan attacks (a form of code vulnerability involving the manipulation of cryptocurrency values) have accounted for the majority of the value taken.”

Plante suggested that DeFi systems consider code audits, decentralized oracle providers, and a strict platform security strategy. On a more basic level, teaching consumers to be on the lookout for social engineering techniques such as phishing campaigns may help a lot.
