Popular NFT Marketplace Phished for $540M

In March, a North Korean APT siphoned $540M from blockchain gaming platform Axie Infinity.

Axie Infinity, a popular destination for 3 million traders of in-game collectible non-fungible tokens, reportedly lost $540M in cryptocurrency in a recruiting-themed spear phishing attack. The perpetrators of the crime are believed to be an advanced persistent threat group with ties to North Korea.

The report comes from the publication The Block, which said that on March 23rd, hackers took control of private keys tied to four validator nodes. Those nodes, according to the report, belong to the Ronin Network – which Axie runs on. The second node belongs to the Axie DAO – a decentralized organization that supports the game’s ecosystem.

A private key, similar to a password, is a secret number that is used in blockchain cryptography. Validator nodes are computers that, together, maintain a blockchain network by, among other things, validating and processing transactions.

Ronin is supported by nine validators so, by controlling five, the attacker possessed majority control over the network. Axie and Ronin are developed by Sky Mavis.

“Axie systems relied on a relatively small number of validators,” Ryan Spanier, vice president of Innovation at Kudelski Security, explained to Threatpost via email. “This is not a typical practice for public chains, although we do see this in permissioned chains similar to Axie,” he said.

The problem wasn’t just that there were too few validators, but that those validators were all concentrated in one place. “The validators were not well distributed between independent organizations,” Spanier continued, “which means the attacker only truly had to compromise one organization. Essentially, they had a decentralized blockchain model but were vulnerable to a centralized threat vector.”
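The concentration risk Spanier describes can be measured directly. The following Python sketch is an added example, not code from Sky Mavis or The Block: it computes the smallest number of organizations whose compromise yields enough validator keys to meet the signing threshold. The validator and organization names, and the shared-access mapping, are constructed for illustration.

```python
from itertools import combinations

def reachable_keys(access, compromised):
    """Validator keys usable by an attacker who controls the given organizations."""
    return {v for v, orgs in access.items() if orgs & set(compromised)}

def min_orgs_to_threshold(access, threshold):
    """Smallest set of organizations whose compromise yields >= threshold keys.

    access maps validator id -> set of organizations that can sign with its key
    (the operator plus anyone holding delegated or shared access).
    Returns (count, orgs), or (None, ()) if the threshold is unreachable.
    """
    orgs = sorted(set().union(*access.values()))
    for k in range(1, len(orgs) + 1):
        for combo in combinations(orgs, k):
            if len(reachable_keys(access, combo)) >= threshold:
                return k, combo
    return None, ()

THRESHOLD = 5  # five of nine validators, as described in the article

# Constructed layout: one organization operates four validators and also
# holds signing access to a fifth that nominally belongs to another one.
CONCENTRATED = {
    "v1": {"org-A"}, "v2": {"org-A"}, "v3": {"org-A"}, "v4": {"org-A"},
    "v5": {"org-B", "org-A"},
    "v6": {"org-C"}, "v7": {"org-D"}, "v8": {"org-E"}, "v9": {"org-F"},
}

# Constructed layout: nine validators run by nine independent operators.
DISTRIBUTED = {f"v{i}": {f"org-{i}"} for i in range(1, 10)}

if __name__ == "__main__":
    for name, layout in (("concentrated", CONCENTRATED), ("distributed", DISTRIBUTED)):
        n, orgs = min_orgs_to_threshold(layout, THRESHOLD)
        print(f"{name}: {n} organization(s) reach {THRESHOLD}/{len(layout)} keys: {orgs}")
```

A result of 1 means the validator set is only nominally decentralized; the same nine keys spread across independent custodians force an attacker to breach five separate organizations.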

With majority control, the attackers were able to effectively write checks to themselves, Spanier said. They stole 173,600 Ethereum (ETH) and 25.5 million USD Coin (USDC) in all. At the time, that added up to approximately $540 million in value.

The following month, the U.S. Treasury Department tied the Ethereum wallet address behind the attack to North Korea’s Lazarus Group. What wasn’t clear until this week is how the attackers gained control over those validators.

A Malicious Job Offer

On March 30, the Ronin Network newsletter stated that “all evidence points to this attack being socially engineered, rather than a technical flaw.” The disclosure did not elaborate further. Now two anonymous sources who claim “direct knowledge of the matter” have come forward to share with reporters at The Block the unconfirmed inside story of what happened.

Sources told The Block that earlier in the year, some Sky Mavis staff were approached with job opportunities by recruiters on LinkedIn. One engineer, following “multiple rounds of interviews,” was offered a job “with an extremely generous compensation package.” The offer came in the form of a PDF which, once the engineer clicked to open, downloaded spyware to his computer. From there, the attackers moved laterally into Ronin’s IT systems, allowing them to steal those coveted validator private keys, according to The Block.

Mollie MacDougall, director of threat intelligence at Cofense, put it bluntly in an email to Threatpost. “Blockchain platforms should do what every other organization should do: implement an effective phishing defense program that combines technology with the human layer of security.”

“Imagine only one of those employees had reported that email to Axie’s security team. Then imagine that the team could have identified, removed, and notified any other recipients of that email. It could have stopped the attack early in its tracks.”
