Hackers Stole $620 million from Axie Infinity via Fake Job Interviews

The hack that caused Axie Infinity losses of $620 million in crypto started with a fake job offer from North Korean hackers to one of the game’s developers.

The attack happened in March 2022 and pushed into the ground the then massively popular and quickly-growing game from Sky Mavis.

By April 2022, the FBI was able to link the attack to the Lazarus and APT38 hackers, two groups who are often involved in cryptocurrency heists for the North Korean government.

In a recent report from news publication on digital assets The Block, sources with knowledge about the attack said that the threat actors contacted staff at Sky Mavis over LinkedIn, posing as a company looking to hire them.

Also Read: Ways to protect HR data and avoid penalties for data breaches

One senior engineer at Axie Infinity showed interest in the fake job offer, due to the very generous salary, and went through multiple rounds of interviews.

At one point, the engineer received a PDF file with details about the job. However, the document was the hackers’ way into the Ronin systems – the Ethereum-linked sidechain that supports the Axie Infinity non-fungible token-based online video game.

The employee downloaded and opened the file on the company’s computer, initiating an infection chain that enabled the hackers to penetrate Ronin’s systems and corrupt four token validators and one Axie DAO validator.

According to the firm’s post-mortem, the employee who fell victim to the spear-phishing attack has since been removed from its workforce. However, the game is still launching investment initiatives and technical restarts trying to regain its momentum.

The financial damage was so fundamental that Sky Mavis is still in the process of reimbursing the players who were affected by the hack.

Fake job offers

North Korean hackers working for the government have been linked to multiple cryptocurrency hacks over the years.

Last year, a report from Google’s Theat Analysis Group noted that a North Korean hacker group targeted security researchers with custom malware after approaching them over various platforms, including LinkedIn.

In the summer of 2020, members of the Lazarus group targeted employees of cryptocurrency organizations in at least 14 countries using fake job offers.

Earlier this year, the U.S. government warned that the Democratic People’s Republic of Korea (DPRK) is dispatching IT workers to get freelance jobs that could sometimes be used in state-backed attacks.

Research from Cyphere released a year ago showed how easy it was for anyone to post job offers on behalf of a company’s on LinkedIn.

The FBI has recently warned about the perils of fake job postings, highlighting some common signs of fraud that internet users should keep in mind when receiving unsolicited job offers.