A record-setting crypto theft in March may have been orchestrated by state-backed North Korean hackers using fake job offers to pass malware to engineers.
Sources within popular NFT game Axie Infinity have told the media that the breach of the Ronin network, the Ethereum bridge the game makes use of, was pulled off by malware embedded in a document. How did the attackers convince one of the game’s senior engineers to open a malicious document? They posed as a company making a legitimate job offer via LinkedIn, apparently going so far as to conduct fake job interviews to inspire trust in the target.
North Korean campaign of fake job offers nets a big fish
The attack was part of a broader ongoing campaign by North Korea’s “Lazarus” hacking group, involving fake job offers made through portal and listing sites such as LinkedIn. As is usually the case with this group, the goal was to steal funds to prop up the country’s authoritarian and heavily sanctioned government.
This makes Lazarus something of an anomaly among state-backed groups: most of the well-funded and well-outfitted “advanced persistent threat” groups focus on quiet cyber espionage rather than brazen financial theft. These attackers appear to have had the knowledge and resources to create a legitimate-looking but fictitious company, and even to guide a senior Axie Infinity engineer through several staged interviews as part of the fake job offer. The initial foothold for the crypto theft came from malware hidden in a bogus employment document delivered at the end of that process.
Lazarus and other attackers are active on LinkedIn in no small part because of how widely used it is around the world, but also because the design of the platform has sometimes made it difficult to filter fake job offers out from legitimate communications. LinkedIn’s internal messaging system does scan for malware embedded in attachments, but it is far from perfect and repeated incidents have occurred in recent years.
Record-setting crypto theft made possible by multiple security oversights
The fake job offer was not the only element that made the $625 million crypto theft (the largest yet on record) possible. Compromising one senior engineer's access would not, on its own, have given the attackers control of enough validator nodes to authorize moving the bridge's stored funds: the Ronin bridge required signatures from five of its nine validators to approve a withdrawal. The hackers appear to have known about existing Axie Infinity accounts with administrator privileges that were sitting dormant in the system, still valid and waiting to be exploited, and these tipped the scales enough to make the crypto theft possible.
As was reported when news of the attack initially broke, Sky Mavis, the game's developer, experienced a major surge of new users around the holiday season in 2021 and set up a special set of temporary accounts with administrative privileges to help handle all of the new transactions that were taking place. These accounts were shuttered when things calmed down going into 2022, but their privileges were apparently never revoked and the accounts were not removed from the system. Once the North Korean hackers were inside, they were apparently able to harness these accounts to provide the last signature needed to control a majority of the bridge's validator nodes and execute the crypto theft.
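The oversight described above, modelled as an added example (not Sky Mavis or Ronin code): an m-of-n validator quorum in which a "shuttered" privileged account still holds signing authority, plus the dormancy audit that would have surfaced it. The quorum size, validator names, dates and the `retired` flag are assumptions chosen for illustration; the sample inventory is constructed, not real validator data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed for illustration: a bridge withdrawal needs QUORUM of TOTAL
# validator signatures.
QUORUM = 5
TOTAL = 9


@dataclass
class Signer:
    name: str
    privileged: bool          # key is authorised to sign withdrawals
    last_used: datetime
    retired: bool = False     # operationally "shuttered"; nothing else changed


def can_sign(s: Signer) -> bool:
    """The oversight being modelled: retirement is a process flag, not a
    revocation, so a retired-but-present account still counts toward quorum."""
    return s.privileged


def signatures_controlled(signers: list[Signer], compromised: set[str]) -> int:
    """Valid signatures an attacker holding the `compromised` keys can produce."""
    return sum(1 for s in signers if s.name in compromised and can_sign(s))


def withdrawal_authorised(signers: list[Signer], compromised: set[str]) -> bool:
    return signatures_controlled(signers, compromised) >= QUORUM


def revoke_retired(signers: list[Signer]) -> list[Signer]:
    """The fix: retiring an account must also strip its signing authority."""
    return [Signer(s.name, s.privileged and not s.retired, s.last_used, s.retired)
            for s in signers]


def dormant_privileged(signers: list[Signer], now: datetime,
                       max_idle: timedelta = timedelta(days=30)) -> list[str]:
    """Audit: privileged accounts unused for longer than max_idle.
    Every name returned should be revoked or explicitly re-justified."""
    return sorted(s.name for s in signers
                  if s.privileged and now - s.last_used > max_idle)


def build_scenario() -> tuple[list[Signer], set[str], datetime]:
    """Constructed sample inventory (assumed names and dates, not Ronin's)."""
    now = datetime(2022, 3, 23)
    recent = now - timedelta(days=1)
    holiday = datetime(2021, 12, 20)   # temp account last used during the surge
    signers = [Signer(f"validator-{i}", True, recent) for i in range(1, TOTAL)]
    # temporary admin signer created for the holiday surge, "shuttered" since
    signers.append(Signer("temp-admin-1", True, holiday, retired=True))
    # attacker holds the engineer's keys for four validators plus the stale admin
    compromised = {"validator-1", "validator-2", "validator-3", "validator-4",
                   "temp-admin-1"}
    return signers, compromised, now


if __name__ == "__main__":
    signers, compromised, now = build_scenario()
    print("withdrawal authorised before revocation:",
          withdrawal_authorised(signers, compromised))
    print("dormant privileged accounts:", dormant_privileged(signers, now))
    fixed = revoke_retired(signers)
    print("withdrawal authorised after revocation:",
          withdrawal_authorised(fixed, compromised))
```

Four compromised validator keys fall one short of the five-signature quorum; the retired-but-still-privileged account supplies the fifth. Running the dormancy audit on a schedule, and treating decommissioning as revocation rather than a status change, is the control that removes that extra signature.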