How a Fake Job Offer Took Down the World's Most Popular Crypto Game (theblock.co)

An anonymous reader quotes a report from The Block: Ronin, the Ethereum-linked sidechain that underpins play-to-earn game Axie Infinity, lost $540 million in crypto to an exploit in March. While the US government later tied the incident to North Korean hacking group Lazarus, full details of how the exploit was carried out have not been disclosed. The Block can now reveal that a fake job ad was Ronin's undoing. According to two people with direct knowledge of the matter, who were granted anonymity due to the sensitive nature of the incident, a senior engineer at Axie Infinity was duped into applying for a job at a company that, in reality, did not exist.

Earlier this year, staff at Axie Infinity developer Sky Mavis were approached by people purporting to represent the fake company and encouraged to apply for jobs, according to the people familiar with the matter. One source added that the approaches were made through the professional networking site LinkedIn. After what one source described as multiple rounds of interviews, a Sky Mavis engineer was offered a job with an extremely generous compensation package. The fake "offer" was delivered in the form of a PDF document, which the engineer downloaded -- allowing spyware to infiltrate Ronin's systems. From there, hackers were able to attack and take over four out of nine validators on the Ronin network -- leaving them just one validator short of total control. [...]

In its post-mortem, Sky Mavis revealed that the hackers managed to use the Axie DAO (Decentralized Autonomous Organization) -- a group set up to support the gaming ecosystem -- to complete the heist. Sky Mavis had asked the DAO for help dealing with a heavy transaction load in November 2021. [...] A month after the hack, Sky Mavis had increased the number of its validator nodes to 11, and said in the blog post that its long-term goal was to have more than 100. Sky Mavis declined to comment on how the hack was carried out when reached. Earlier today, ESET Research published an investigation showing that North Korea's Lazarus had abused LinkedIn and WhatsApp by posing as recruiters to target aerospace and defense contractors. But the report did not tie that technique to the Sky Mavis hack.
The Block notes that Axie Infinity "boasted 2.7 million daily active users and $214 million in weekly trading volume for its in-game NFTs in November last year -- although both numbers have since plummeted."

Users affected by the exploit will be reimbursed via the company's funds, along with the $150 million it raised in a round led by Binance in early April. "The company said recently that it would begin returning funds to users on June 28," adds the report.
  • That's hardly decentralized. Isn't the whole point of "crypto-currency" to be decentralized? Sounds like THAT was their downfall.

    • by 2TecTom ( 311314 )

      ... Sounds like THAT was their downfall.

      No, it was greed that did the dirty deed

    • What blows me away is that apparently someone at the company uses their work computer for non-work purposes. That was their downfall!

      I robustly separate my work and personal stuff. Work gets done 99% on the work laptop, maybe 1% on the phone. Personal stuff gets done 100% on the personal computer and phone. No way am I going to be interviewing, applying for jobs, etc. on my work laptop. How many people have we heard about over the years getting let go for that sort of shit?

      I can't even imagine giving my emp

      • I'd be curious about the number of people reading your comment whose reaction is "Yeah, totally!" while reading Slashdot from an employer-provided device.

    • That's hardly decentralized. Isn't the whole point of "crypto-currency" to be decentralized? Sounds like THAT was their downfall.

      Bitcoin is decentralized. This is a game. A game that uses similar technology, a blockchain. It was created and continues to be maintained by the Sky Mavis team and nobody ever claimed this game was decentralized. Though, they do have plans for the game to evolve to a decentralized, community owned setup.

      Here is their roadmap:
      https://whitepaper.axieinfinit... [axieinfinity.com]

  • PDF/Adobe (Score:4, Interesting)

    by AmiMoJo ( 196126 ) on Thursday July 07, 2022 @09:26AM (#62680948) Homepage Journal

    I usually send my CV in PDF format, not least because I don't want recruiters to edit it. I've had instances where they edited it to be inaccurate before giving it to potential employers before. Always make sure you email a copy over before the interview yourself, just in case.

    Problem is some places won't accept PDFs at all now, citing security. Good job Adobe. Actually I'm sceptical that it really is security related, because they usually want a .docx instead. The best format seems to be .odf, but it is editable. I suppose technically PDF is too, but most recruiters don't know how to defeat the "read only" flag and are too lazy to copy/paste,

    • PDFs are the closest thing to non editable we got. ODF and docx are both designed for editing. PDF is not.

      • Re: (Score:3, Interesting)

        by Anonymous Coward

        Agreed. I spent 15 years as the corporate PDF expert for my employer as well as an Adobe ACP - representing the corporate Acrobat market, rather than the creative market.

        Long story short - that these clowns didn't have a proper file attachment scanner on their email system is the root of the vector being exploited. PDF is just one way that this could have been exploited. .ZIP/Tar, etc., .DOC, .ODF, .OTF (font), source code (.C, .JS, etc.) and on and on.

        The second major f-up, as mentioned, was having more

        • by piojo ( 995934 )

          That is fascinating. I never guessed sterilizing a PDF would need so much care and planning.

          • Adobe are the ones that screwed the pooch here, turning a read-only format into something else. Using any Adobe software to read PDFs is a mistake I think.

        • by nasch ( 598556 )

          Wait, signatures? The signature has to print, right? Is there some interactive element other than an image that gets left behind in the print process?

    • I had a recruiter change "FDA" to "Federal Drug Administration" instead of the correct "Food and Drug Administration" in a resume. The interviewer at the site caught it and asked about it and I asked to see the resume they were sent and it was all misformatted because it had been copied and pasted into the recruiter's letterhead with their logos all over it. I just said "This was not the resume I sent". I still got the job fortunately.
      • I always bring my own copy of my resume to interviews. One time a potential employer whipped out my resume from the recruiter and it was all jacked up with the recruiter's company all over it. I calmly handed over my clean resume and they used that from then on.
    • You can read PDFs without resorting to Adobe products. That's no excuse.

      If you ask me to not send a non-editable CV to you, it raises more red flags than a 1st of May parade in Soviet Russia.

      • If you ask me to not send a non-editable CV to you, it raises more red flags than a 1st of May parade in Soviet Russia.

        Legitimately asking - why is that a red flag? Why does the recipient of a CV have to be able to edit the sender's CV?

    • Large companies use software that rips the content of your PDF into their recruiting system. The interviewers never see the original document or formatting.
    • They do not edit your PDF anyway.
      They copy/paste it - some cheap labor is doing that - into a *.docx - and then edit that one.
      After all they want their own logo and slogan on your CV.

  • All the company needs to do is store your user account and remember the account balance for each user, and keep a write-only transaction log history like an accounting system. There's no need for crypto in this other than typical two-factor user authentication like my bank uses. What's the problem that they're trying to solve with crypto here?
    • They solve the marketing problem of your solution lacking the word "crypto".

      • Any company I have financial dealings with better be using crypto. They should plaster it across all of their marketing materials. I'd be furious if I were to learn that they're transmitting or storing my data in the clear.
    • by gweihir ( 88907 ) on Thursday July 07, 2022 @10:43AM (#62681124)

      That is not how a bank does it. All banks have accounting systems that are heavily regulated and put every transaction into audit-proof storage. In a large bank that may be a pair of cubes, say, by IBM, that cost quite a bit. In a smaller bank that may be a service they use. In a very small bank, this may be done manually by accountants that will personally go to prison if they falsify anything. But _everything_ goes in there and even the slightest suspicion of tampering will bring hell down on the bank. Now, this works because the bank on the other side does exactly the same and because everybody in banking IT knows that this is the one part of the IT that must never fail or the bank is dead. These system store proof of everything moved and make sure a bank cannot invent money.

      Now, the "blockchain" is simply an attempt to replace these trusted systems with a decentralized infrastructure. The blockchain can do that if its distribution ensures nobody ever can manipulate the audit-trail stored in there. Obviously any kind of random distribution or participant-defined distribution does _not_ ensure this. And, as one student of mine showed nicely for a supply-chain tracking design, even when requirements are much lower than in banking, the classical solution can easily be cheaper than the blockchain because there is a lot of management, configuration, etc. that is not needed. Simply get audit-proof storage and dump everything in there. By now you can even get that as a cloud-service from most large cloud providers.
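An added example, not from any commenter, of the append-only, tamper-evident transaction log that the "write-only transaction log history" suggestion and the "audit-proof storage" reply above both describe: a hash-chained ledger in Python whose balances are derived from the log rather than stored. It assumes a single-party store, so it detects edits to history but not wholesale replacement of the chain by whoever controls the storage; that residual gap is what the WORM hardware, regulation and the counterparty's own records in the comment above are there to close.

```python
import hashlib
import json

GENESIS = "0" * 64
def _link(prev_hash: str, entry: dict) -> str:
    """Hash an entry together with its predecessor's hash (canonical JSON)."""
    payload = prev_hash + json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()
class AppendOnlyLedger:
    """Transaction log that is only ever appended to; balances are derived
    from it, never stored, so an edited balance has no entry to hide behind."""
    def __init__(self):
        self.entries = []  # each: {"seq", "src", "dst", "amount", "hash"}
    def append(self, src: str, dst: str, amount: int) -> str:
        if amount <= 0:
            raise ValueError("amount must be positive")
        if src != "MINT" and self.balances().get(src, 0) < amount:
            raise ValueError("insufficient funds")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "src": src, "dst": dst, "amount": amount}
        entry["hash"] = _link(prev, entry)
        self.entries.append(entry)
        return entry["hash"]
    def balances(self) -> dict:
        bal = {}
        for e in self.entries:
            if e["src"] != "MINT":
                bal[e["src"]] = bal.get(e["src"], 0) - e["amount"]
            bal[e["dst"]] = bal.get(e["dst"], 0) + e["amount"]
        return bal
    def verify(self) -> bool:
        """Recompute every link; an edited, dropped or reordered entry breaks it."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or _link(prev, body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def tamper_demo() -> tuple:
    """Constructed scenario: an honest log verifies; rewriting history is caught."""
    led = AppendOnlyLedger()
    led.append("MINT", "alice", 100)
    led.append("alice", "bob", 40)
    ok_before = led.verify()
    led.entries[1]["amount"] = 4000  # try to 'invent money' by editing the past
    return ok_before, led.verify(), led.balances()
```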

    • What's the problem that they're trying to solve with crypto here?

      The problem of not getting FILTHY STINKING RICH!!!

  • by The Evil Atheist ( 2484676 ) on Thursday July 07, 2022 @09:54AM (#62681022)
    When good old fashioned social engineering is much easier to pull off.

    Turns out technology isn't a magical solution, compared to the $5 wrench attack.
  • Sounds off (Score:5, Insightful)

    by dromgodis ( 4533247 ) on Thursday July 07, 2022 @10:27AM (#62681088)

    Do senior developers often open job offer documents on computer that have access to "infiltrate [current employer's] systems"?

    • Apparently yes. And they also open job offers on computers that have access to systems that in turn have direct access to customer funds, because none of these Yahoos know how to secure a financial network.
      • because none of these Yahoos know how to secure a financial Network.

        Except it's not a financial network, is it? It's crypto. /s
    • It is even better to infiltrate the personal computers as you get the VPN keys as well.
  • I did not know a PDF file could contain malware. That a PDF file is capable of this is new to me.
    • This is the real headline.

      I did know that PDF used to be able to contain malware, but I had assumed that this was a solved problem by now (email servers scanning PDF attachments for dangerous content, PDF readers not enabling the dangerous features by default, something like that). Apparently I was wrong.

      • by shubus ( 1382007 )
        One thing I've done to help is NOT use Adobe Acrobat Reader for most PDFs, as undoubtedly PDF malware targets that particular app above others. Some PDF forms have interactive elements where you can fill in certain fields and save the PDF. I would suspect that if malware is hidden in a PDF, this is where it would be. An example of this type of PDF is the US gov't "Report of Foreign Bank and Financial Accounts" FinCEN Form 114, which only Adobe Acrobat seems to be able to handle.
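Added example, not from any commenter: a first-pass attachment check of the kind the "proper file attachment scanner" comment further up calls for, scanning raw PDF bytes for the name objects that carry active content (JavaScript, open and event actions, launch actions, embedded files, interactive forms as the comment above mentions). The weights, thresholds and both sample PDFs are constructed for illustration, and a real gateway would decompress object streams before deciding.

```python
import re

# PDF name objects that make a document act when opened or clicked. All are
# legitimate features, so the result is a triage score, not a verdict.
ACTIVE_CONTENT = {
    b"/JavaScript": 3,    # embedded script
    b"/JS": 3,            # same, short form
    b"/OpenAction": 2,    # action run automatically on open
    b"/AA": 2,            # event-triggered ("additional") actions
    b"/Launch": 4,        # asks the reader to start an external program
    b"/EmbeddedFile": 2,  # file attachment carried inside the PDF
    b"/RichMedia": 2,     # Flash/media container
    b"/AcroForm": 1,      # interactive form fields
}

def scan_pdf_bytes(data: bytes) -> dict:
    """Count risky names in raw PDF bytes; return hits, score and opacity.

    Only plain-text object syntax is inspected. Names inside compressed
    object streams (/ObjStm) are invisible here, so such files are flagged
    as opaque rather than reported clean.
    """
    hits, score = {}, 0
    for name, weight in ACTIVE_CONTENT.items():
        # Require a delimiter after the name so /JS does not match /JSomething.
        n = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", data))
        if n:
            hits[name.decode()] = n
            score += weight * n
    return {"hits": hits, "score": score, "opaque": b"/ObjStm" in data}

def triage(data: bytes, threshold: int = 3) -> str:
    """Gateway decision: quarantine, open only in a sandboxed viewer, or deliver."""
    r = scan_pdf_bytes(data)
    if r["score"] >= threshold:
        return "quarantine"
    if r["opaque"]:
        return "sandbox"
    return "deliver"

# Constructed sample: a minimal PDF whose catalog runs JavaScript on open.
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS (app.alert('hello')) >> endobj\n"
    b"%%EOF\n"
)
# Constructed sample: a plain document with no active content.
PLAIN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
```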
