Perpetrators behind the March hack of Axie Infinity’s Ronin Bridge pulled off the heist by offering a job to one of the project’s developers, according to new details revealed on Wednesday.
The hackers contacted the individual — a senior developer — on LinkedIn to ask that he apply for a fake job, two sources told The Block. “After what one source described as multiple rounds of interviews, [the] Sky Mavis engineer was offered a job with an extremely generous compensation package.”
Sky Mavis is Axie Infinity’s parent company.
The engineer downloaded a PDF containing the “offer,” which allowed the hackers to compromise the company’s systems. “From there, hackers were able to attack and take over four out of nine validators on the Ronin network — leaving them just one validator short of total control.”
Sky Mavis said in an April disclosure that the perpetrators used the Axie DAO (Decentralized Autonomous Organization) to compromise the remaining validator. “The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked. Once the attacker got access to Sky Mavis systems they were able to get the signature from the Axie DAO validator.”
The breach allowed the hackers to abscond with nearly $600 million from the project’s Ronin Bridge. The U.S. Treasury Department said in April that it attributed the hack to the state-backed Lazarus Group, and sanctioned an Ethereum address tied to it.
Fake job offers — and applications — have become an increasingly common tactic among North Korean hackers. Aztec developer Jon Wu described encountering a similar situation in April, but said his interaction was with a fake job applicant.
“I think I just interviewed a North Korean hacker,” Wu wrote at the time, saying the individual ended a cover letter by writing, “The world will see the great result from my hands.”
He added:
Immediately I’m like, this motherf–ker sounds like a Bond villain. I’m picturing a dude whose arm is actually a laser cannon and his eyeball is made of plutonium or some s–t. “The world will see the great result from my hands” ??? Who f–king talks like that?
…
I somehow push all this aside. Crypto’s a weird, fun space full of weird, fun people! Look, maybe Bobby’s just a quirky guy. (Narrator: he was not) I sign into the interview. Hi, this is Jon from Aztec, is this Bobby? “Yes. This is…Bobby Sierra.” From the gun, here’s what I observe:
- His camera’s off
- 5+ people are talking loudly in the background
- Thiccc Korean accent
…
So, Bobby, tell me about yourself. “I uhh, experience blockchain development, production, develop tokens, many successful project, very success, lot experience in blockchain, excellent result. Okay?” …
I decide to dig further. Where are you based, Bobby? “Based?” Where-are-you-located? “Ohh, Hong Kong.” Hong Kong? And where did you work last? “Ohh, Ateke.” And what’s that? “German company. Or French. I don’t know.” It says here you worked for F2pool. Can you tell me about F2pool? “Uhmm, yeahh, can you wait?”
He then proceeds to mute me for a solid 5 minutes. When Bobby comes back, it’s with renewed purpose. “Hi, are you there?” Yes Bobby, I’m here. “I am experience blockchain developer, I want job, new job, I’m very experience, bring value to your company. I want engineer job now. Okay?”
For better or worse, this is where I hang up, a little shaken.
Wu’s account of the exchange was edited for brevity. You can read the full version on Twitter.