$540 million Blockchain attack started with a fake recruitment trap


Fake recruitment leads to one of the largest hacking incidents in the crypto industry

A senior engineer at Axie Infinity applied for a seemingly attractive job, unaware that it would trigger one of the largest hacker attacks in the crypto industry.

Axie Infinity's dedicated Ethereum sidechain Ronin was hacked in March of this year, resulting in a loss of up to $540 million in crypto assets. Although the U.S. government later linked the incident to a North Korean hacker group, the specific operational details have not yet been fully disclosed.

It is reported that this incident originated from a false job advertisement.

According to informed sources, earlier this year, a person claiming to represent a certain company contacted employees of Axie Infinity developer Sky Mavis through a professional social networking platform, encouraging them to apply for jobs. After several rounds of interviews, a Sky Mavis engineer received a high-paying job offer.

Subsequently, the engineer received a job offer letter in PDF format. When the engineer downloaded the document, the hacker's software successfully infiltrated the Ronin system. The hacker then attacked and took control of four out of nine validators on the Ronin network, just one step away from completely dominating the network.

Sky Mavis stated in a blog post released afterward: "Our employees continue to suffer from sophisticated phishing attacks across various channels, and one employee unfortunately fell victim. That employee has since left the company. The attackers leveraged the access they obtained to penetrate the company's IT infrastructure and subsequently took control of the validation nodes."

Validators perform multiple functions in the blockchain, such as creating transaction blocks and updating data. Ronin uses a "Proof of Authority" system for transaction signing, concentrating power in the hands of nine trusted validators.

The blockchain analysis agency explained: "As long as five out of nine validators approve, the funds can be transferred. The attacker successfully obtained the private keys of five validators, which is enough to steal the encryption assets."

After infiltrating the Ronin system through the fake recruitment, the hacker had taken control of four of the nine validators and needed to control one more to gain complete control.

Sky Mavis revealed in the report that the hacker ultimately exploited the Axie DAO (an organization supporting the gaming ecosystem) to carry out the attack. Sky Mavis had requested the DAO's assistance in managing the heavy transaction load last November.

"Axie DAO authorized Sky Mavis to sign various transactions on its behalf. This authorization was stopped last December, but the access to the whitelist was not revoked," Sky Mavis explained, "Once the attacker gains access to the Sky Mavis system, they can obtain signatures from Axie DAO validators."
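
The quorum exposure described above can be checked mechanically. The following sketch is an added example, not Sky Mavis code: it counts how many validator signatures each organisation can obtain, including through allowlist grants that were never revoked, and flags any organisation whose compromise alone meets the signing threshold. The `Grant` structure, the `partner-N` operators and the dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Grant:
    """Allowlist entry letting `holder` request signatures from `validator`."""
    validator: str
    holder: str
    purpose_ended: Optional[date]  # when the business need ended, None if ongoing
    revoked: bool                  # True only once the entry was actually removed

def audit(operators, grants, threshold, today):
    """Return (stale_grants, at_risk) for a threshold-signed validator set.

    operators: validator name -> organisation holding its key.
    at_risk:   organisation -> validators it can make sign, listed only when
               compromising that one organisation reaches the threshold.
    """
    stale = [g for g in grants
             if not g.revoked and g.purpose_ended and g.purpose_ended <= today]
    reach = {}
    for validator, org in operators.items():
        reach.setdefault(org, set()).add(validator)
    for g in grants:
        if not g.revoked:  # access persists until the entry is removed
            reach.setdefault(g.holder, set()).add(g.validator)
    at_risk = {org: sorted(v) for org, v in reach.items() if len(v) >= threshold}
    return stale, at_risk

# Constructed inventory mirroring the article's layout: nine validators,
# four run by Sky Mavis, one by Axie DAO; "partner-N" names are hypothetical.
OPERATORS = {f"v{i}": "sky-mavis" for i in range(1, 5)}
OPERATORS["v5"] = "axie-dao"
OPERATORS.update({f"v{i}": f"partner-{i}" for i in range(6, 10)})
# Constructed dates: the article gives months only.
GRANTS = [Grant("v5", "sky-mavis", date(2021, 12, 1), revoked=False)]

if __name__ == "__main__":
    stale, at_risk = audit(OPERATORS, GRANTS, threshold=5, today=date(2022, 3, 1))
    for g in stale:
        print(f"STALE: {g.holder} can still sign via {g.validator} "
              f"(need ended {g.purpose_ended})")
    for org, vals in at_risk.items():
        print(f"QUORUM RISK: {org} alone reaches {len(vals)}/5 via {vals}")
```

With the stale entry revoked, the same inventory reports no single organisation reaching the threshold.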

One month after the attack, Sky Mavis increased the number of validation nodes to 11 and stated that the long-term goal is to have more than 100 nodes.

Sky Mavis refused to comment on the specific methods of the hacker.

Sky Mavis secured $150 million in funding at the beginning of April to compensate affected users. The company recently announced that it will start refunding users on June 28. The Ronin Ethereum bridge, which was previously suspended due to the hacker attack, was also restarted last week.

Security agencies recently released a report revealing that a certain hacker organization is abusing professional social platforms and instant messaging software to target aerospace and defense contractors. However, the report did not link this method to the Sky Mavis hacking incident.

Security agencies had warned as early as April that a certain hacker organization was using a series of malicious applications to carry out targeted attacks on the digital currency industry. Their main methods include:

  1. Disguise identity on major social media platforms.
  2. Connect with blockchain industry developers.
  3. Establish fake trading websites and post outsourcing recruitment information.
  4. Send malware containing trojans after gaining the trust of the developers.

In response to such threats, security experts recommend:

  1. Keep a close eye on security intelligence and strengthen self-defense awareness.
  2. Perform necessary security checks before running any executable program.
  3. Establish a zero-trust mechanism to effectively reduce risks.
  4. Keep the security software's real-time protection enabled and update the virus database in a timely manner.
ILCollectorvip
· 07-09 08:28
Just entered and got destroyed directly.
DegenWhisperervip
· 07-09 00:56
Got an offer and sent it out, laughing to death.
ImpermanentPhobiavip
· 07-07 15:52
Lost so much money, tomorrow the coin price will big dump.
SchrodingerPrivateKeyvip
· 07-07 15:37
It's better to work directly than to rely on airdrops.
RektButStillHerevip
· 07-07 15:34
540 million Hehe Precision Workers
GamefiEscapeArtistvip
· 07-07 15:33
This scam is so old.