NewsBite

Phishing attack delivered via fake job contract loses crypto company $800M

Sky Mavis, the developer of Axie Infinity, lost $550M USD in crypto assets thanks to one of their employees clicking on a PDF they believed was a new job contract – but which was filled with spyware.

Axie Infinity, one of the poster children for NFT play-to-earn gaming, lost millions of dollars in cryptocurrency earlier this year thanks to a hack. Now, the reasons behind it have come to light – an employee, believing they were applying for and accepting a new, lucrative contract at a new employer, accidentally downloaded spyware hidden in a PDF.

As reported by The Block, the attack took place in March, getting away with around $540M USD (~$800M AUD) worth of crypto – Ethereum, which Axie Infinity’s economy runs on. The value of that Ethereum has since cratered thanks to the latest crypto-crash, but it’s still a ludicrously massive amount of money to be taken in a single hack.

The attack was carried out by hackers, identified by the US government as part of a North Korean cell called Lazarus, who took control of a majority of the nodes that control the flow of cryptocurrency for the business. If five of the nine nodes say a transaction is okay, it can go ahead. Lazarus, to simplify a bit, told them to send all the money their way.

They got access through a single employee, whose machine had the codes necessary to infiltrate four of the five nodes they needed on Ronin, the ‘sidechain’ that Axie Infinity is built on. To do so, they approached the unnamed employee via LinkedIn, offering an extremely lucrative-looking job at a company that, naturally, didn’t actually exist.

After a round of fake interviews and other social manipulation, they eventually sent this employee a PDF, which the person believed contained their new contract. In fact, it was full of malicious code that installed spyware on their machine and gave control to the attackers. According to blog posts released by Axie Infinity developer Sky Mavis, the employee no longer works for the company. Lazarus used similar methods to target aerospace and defence contractors.

With those four nodes compromised, the attackers got access to a fifth through a Decentralised Autonomous Organisation that was set up to deal with massively increased demand in November 2021 and whose access was never revoked. Five nodes compromised and goodbye all that money.
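The concentration of signing access described above can be checked with a custody audit. The following is an added example, not code from Sky Mavis or the original article: the inventory, the principal and validator names, and the link between the workstation and the never-revoked DAO grant are constructed assumptions; only the five-of-nine threshold comes from the article.

```python
from itertools import combinations

THRESHOLD = 5  # approvals required out of nine validators, as in the article

# Constructed inventory: (principal, validator it can sign for, temporary grant?)
GRANTS = [
    ("workstation-a", "val-1", False),
    ("workstation-a", "val-2", False),
    ("workstation-a", "val-3", False),
    ("workstation-a", "val-4", False),
    ("workstation-a", "val-5-dao", True),  # temporary delegation never revoked (assumed)
    ("operator-b", "val-5-dao", False),
    ("operator-c", "val-6", False),
    ("operator-d", "val-7", False),
    ("operator-e", "val-8", False),
    ("operator-f", "val-9", False),
]

def reach(grants, include_temporary=True):
    """Map each principal to the set of validators it can sign for."""
    access = {}
    for principal, validator, temporary in grants:
        if temporary and not include_temporary:
            continue
        access.setdefault(principal, set()).add(validator)
    return access

def smallest_quorum_set(grants, threshold, include_temporary=True):
    """Smallest group of principals whose combined access meets the threshold."""
    access = reach(grants, include_temporary)
    principals = sorted(access)
    for size in range(1, len(principals) + 1):
        for group in combinations(principals, size):
            covered = set().union(*(access[p] for p in group))
            if len(covered) >= threshold:
                return list(group)
    return None  # no combination of principals reaches the threshold

def audit(grants, threshold):
    """Compare exposure with temporary grants left in place and with them revoked."""
    now = smallest_quorum_set(grants, threshold, True)
    cleaned = smallest_quorum_set(grants, threshold, False)
    return {"quorum_set_now": now, "quorum_set_after_revocation": cleaned}

if __name__ == "__main__":
    print(audit(GRANTS, THRESHOLD))
```

A result with a single principal in `quorum_set_now` means one compromised machine is enough to approve transactions, which is the condition to alert on.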

Axie Infinity was once seen as one of crypto’s success stories, though poor press from the now-famous Line Goes Up YouTube essay and the general crash of the value of crypto and related assets like NFTs hit it pretty hard. Sky Mavis has since used a funding round to restabilise, though they seem a far cry from their peak.

Elsewhere in crypto, Bitcoin and Ethereum have both recovered from the massive crashes seen in June, though they are still at a third of their peak values in late 2021. While no longer in free fall, both have proven to be even more volatile than initially believed.

Written by GLHF.

Original URL: https://www.news.com.au/technology/gaming/phishing-attack-delivered-via-fake-job-contract-loses-crypto-company-800m/news-story/1e0c39205351e4965621e0588ba4651b