The world's largest crypto heist started with a fake job offer

In March this year, $620 million worth of cryptocurrency was stolen from the online game Axie Infinity. While investigative agencies have not fully revealed how this was done, it appears that it all began with a fake job offer.

Developed by Vietnamese studio Sky Mavis, Axie Infinity is a strategy-based online video game that allows users to grow and trade digital pets called Axies. The game uses Ethereum-based cryptocurrencies in its in-game economy. At its peak, it boasted 2.7 million daily active users and $214 million in weekly trading volume, The Block reported. 

In March, hackers gained access to the Ronin blockchain that Axie Infinity used for its cryptocurrency transactions and made away with 173,600 units of ether and 25.5 million of USDC, a stablecoin. Based on the then-market valuation of the cryptocurrency, the heist amount was estimated to be $620 million, the largest ever in the world. 

It all started with a fake job offer

According to The Block's report, staff at Sky Mavis were approached over Linkedin and encouraged to apply for jobs. Applicants went through multiple interviews, except the people doing this represented companies that did not exist. 

Finally, a senior Mavis engineer was offered a job with an extremely generous compensation package and a PDF copy of the offer letter was sent to the employee, who downloaded it. Unknown to the employee at the time, the PDF document also contained spyware that allowed the hackers to infiltrate Ronin's systems and gain control of four validators on the Ronin network, something the company referred to in a post-mortem report of the incident. 

Ronin uses a 'proof-of-authority' system to validate the transactions on the network. Before the attack, nine validators could sign off transactions to be added to the blockchain. The spyware attack allowed the hackers to gain control of four such validators, but it needed one more to execute the heist. 

That came from the oversight of the Axie Infinity management itself, which had sought help from Axie DAO (decentralized autonomous organization) - to tide over the heavy transaction load in November 2021. This DAO served as an additional validator on the network for a month, but its access was not revoked. As the hackers gained access to Sky Mavis' systems, they gained access to the DAO validator and used its authority to carry out the heist. 

Who did it? 

Investigations by the U.S. government agencies have linked the heist to the North Korea-backed Lazarus Group. The Block also reported that an investigation by an internet security company had found that the Lazarus group was also using Whatsapp and Linkedin to pose as recruiters and target aerospace and defense contractors. 

Earlier this year, a report submitted to the United Nations revealed that North Korea was using stolen crypto to fund its weapon development program. To do so, it would need to involve other crypto market players who would allow the stolen crypto to be transferred obscurely over the internet. 

In May, the U.S. Treasury sanctioned Blender.io, a virtual currency mixer platform that was allegedly involved in obscuring over $20.5 million of cryptocurrency that was stolen from Axie Infinity, Business Insider said in its report.