Axie Ronin Hack Caused by Fake Job Offer–$540M Stolen

The Block recently reported details on the Axie Infinity Ronin Bridge hack that occurred in March and clocked in at $540M in assets stolen. We reported on how the hack has been tied back to the North Korean hacking group Lazarus, but up until now, the details on how the compromised keys were acquired has not been made publicly available.

The hacking incident all came from a job listing. The hacking organization reached out to a senior software engineer working at Axie Infinity through LinkedIn about a job opportunity–a very, very well paying job opportunity. Lazarus even put together a real interview to drag along the engineer.

Ultimately, the engineer received a “job offer” in the form of an emailed PDF file. Many people don’t realize that PDFs can execute code, but the engineer’s system was compromised from the moment they opened the PDF. The keys to Ronin nodes were taken from the system and used to steal funds.

The Ronin sidechain was a good target for an attack like this because it only has 9 validators, and it considers 5 of 9 nodes as the consensus threshold. Following the attack, Sky Mavis, the creators of Axie Infinity, said it will increase security by requiring 8 of 9 nodes to validate a transaction, and it has been increasing the number of nodes in the ecosystem since.

At the end of the day, this person didn’t get the new job they were expecting, they lost their current job, they were ultimately responsible for the crash of a token which likely was part of their total comp, and contributed to $540M of customer funds being stolen. Tough break, all things considered.