Blockchain gaming is gaining popularity because of the lucrative earning opportunities it offers players. But it seems that even the secure, decentralized nature of blockchain is not enough to stop adversaries from launching phishing attacks. Read on to learn how Axie Infinity became a victim.
Developed in 2018 by Sky Mavis, a Vietnamese video game developer, Axie Infinity features “Axies,” creatures that players collect and use to compete against other players. Every Axie is an NFT (non-fungible token) minted on the Ethereum blockchain.
Axies come in various types with different attributes and strengths, and players earn money by buying and selling them in the marketplace. Most of these creatures have weak traits, but some strong ones, produced by trial-and-error breeding, are the most sought after.
Axie Infinity is a Pokémon-inspired game with a play-to-earn model that earns approximately $15 million in daily revenue.
The Axie Infinity Hack
Axie Infinity’s Ronin Bridge became the victim of a $540 million hack after one of the company’s former employees was tricked by a fraudulent job offer delivered through LinkedIn. According to a report by The Block, an ex-senior engineer was lured into applying for a job at a firm that did not exist and, as part of the process, downloaded a fake job offer document in PDF format.
The employee, believing it was a high-paying job offer, opened the PDF. Over the course of the fake recruitment process, he shared critical information that the hackers then used to steal from Ronin.
In its statement, Sky Mavis said that its employees face constant threats from advanced spear-phishing actors across various social media channels, and that in this case the attackers succeeded in fooling an ex-employee. In April 2022, the US Treasury Department implicated the Lazarus Group, a North Korea-backed entity, in the incident.
Did Developers of Axie Infinity Have No Safeguards in Place?
Elliptic, a blockchain analysis firm, explained in a blog post that anyone could move funds out of the bridge once a transaction was approved by five of the nine validators. In the Sky Mavis case, the hackers obtained the private cryptographic keys of five validators, enough to steal the crypto assets.
But even after the successful fake job ad and the infiltration of Ronin’s systems, the hackers controlled only four of the nine validators; they still needed one more. After its investigation, Sky Mavis revealed that the hackers completed the heist through the Axie Decentralized Autonomous Organization (DAO), a group that supports the gaming ecosystem. In November 2021, Sky Mavis had asked the DAO for help in handling a heavy transaction load.
The DAO had whitelisted Sky Mavis to sign transactions on its behalf. The arrangement was discontinued in December 2021, but the access was never revoked. Once the threat actors were inside the Sky Mavis systems, they were able to obtain the signature from the DAO validator.
After the hack, Sky Mavis increased the number of validator nodes to 11, with a long-term goal to achieve 100 nodes.
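The threshold arithmetic described above, worked through in an added Python model. This is illustrative code, not Sky Mavis or Ronin software; the validator names, the “studio” and “community” operator identities, the DAO grant and all dates are constructed. It shows that four validators keyed by one operator, plus a delegation on a fifth validator that was discontinued but never revoked, reach the five-of-nine threshold, while revoking the grant leaves the same key holder one approval short. The `stale_delegations` audit is the check that would surface such a leftover grant.

```python
# Added example, not Sky Mavis or Ronin code: a minimal model of a
# k-of-n validator threshold with delegated signing rights. It shows
# why a delegation that was discontinued but never revoked lowers the
# effective threshold, and how an audit would surface it. Validator names,
# operator identities and dates are constructed for illustration.
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set

THRESHOLD = 5                  # approvals needed to move funds (five of nine, per the article)
N_VALIDATORS = 9
AUDIT_DAY = date(2022, 3, 1)   # constructed "today" used by the checks below


@dataclass
class Delegation:
    delegate: str                   # identity allowed to sign on the validator's behalf
    granted: date
    revoked: Optional[date] = None  # None means the grant is still live


@dataclass
class Validator:
    name: str
    operator: str                                   # identity holding this validator's key
    delegations: List[Delegation] = field(default_factory=list)

    def signers(self, today: date) -> Set[str]:
        """All identities able to produce this validator's approval on `today`."""
        live = {self.operator}
        for d in self.delegations:
            if d.revoked is None or d.revoked > today:
                live.add(d.delegate)
        return live


def build_scenario(revoke_grant: bool) -> List[Validator]:
    """Constructed validator set: four validators keyed by one operator
    ('studio'), a DAO validator that delegated signing to that operator,
    and four independent community validators."""
    grant = Delegation("studio", granted=date(2021, 11, 1),
                       revoked=date(2021, 12, 1) if revoke_grant else None)
    validators = [Validator(f"studio-{i}", "studio") for i in range(1, 5)]
    validators.append(Validator("dao", "dao-ops", [grant]))
    validators += [Validator(f"community-{i}", f"community-{i}") for i in range(1, 5)]
    assert len(validators) == N_VALIDATORS
    return validators


def approvals_reachable(validators: List[Validator], held: Set[str],
                        today: date = AUDIT_DAY) -> int:
    """Approvals (one per validator) that a holder of the keys in `held`
    could produce, counting delegations that are still live on `today`."""
    return sum(1 for v in validators if v.signers(today) & held)


def withdrawal_allowed(validators: List[Validator], held: Set[str],
                       today: date = AUDIT_DAY) -> bool:
    """True when the reachable approvals meet the bridge threshold."""
    return approvals_reachable(validators, held, today) >= THRESHOLD


def stale_delegations(validators: List[Validator],
                      today: date = AUDIT_DAY) -> List[str]:
    """Audit helper: every delegation still live on `today`, as 'validator->delegate'."""
    return [f"{v.name}->{d.delegate}"
            for v in validators for d in v.delegations
            if d.revoked is None or d.revoked > today]


if __name__ == "__main__":
    held = {"studio"}   # the single operator identity whose keys were compromised
    for revoke in (False, True):
        vs = build_scenario(revoke)
        print(f"grant revoked={revoke}: reachable={approvals_reachable(vs, held)}",
              f"withdraw={withdrawal_allowed(vs, held)} stale={stale_delegations(vs)}")
```

The model counts one approval per validator, whichever identity produces it; that is why a single compromised key holder can account for five approvals when a delegation points back at it. Raising the validator count only helps if the delegation audit is also run, since an unrevoked grant counts against whatever threshold is configured.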
Increasing Cybersecurity-Related Incidents in the Web 3.0 Era
ESET’s T1 2022 Threat Report notes how the Lazarus Group has deployed fake job offers through LinkedIn and other social media sites as a strategy to strike aerospace companies and defense contractors.
Image sourced from bbb.org
While Ronin’s Ethereum bridge was relaunched in June, the Lazarus Group is now also suspected of stealing $100 million in altcoins from the Harmony Horizon Bridge.
Blockchain projects built around Web 3.0 have been easy targets, losing over $2 billion to exploits and hacks in the first six months of 2022, CertiK noted in a report released last week.
How to Identify a Fake Job Scam?
If you are an alert user, you will notice these telltale signs of fake job listings:
- Sense of Urgency: Most job seekers would like their recruiter to move the hiring process along quickly. However, if the recruiter pushes you to sign the contract as soon as possible, that is a red flag. Employment scams that rush the contract signing leave you no time to ask questions about the role.
- Obvious Errors and Mistakes in the Job Listing: A lack of professionalism in the post is a marker of a fake job listing, for example:
  - Pronounced spelling and grammatical errors in the listing
  - Exclamation marks used to emphasize urgency
  - Many capitalized words
  Fake job listings look haphazard, which adds to the lack of professionalism. If you pay close attention to the official website or company name, you will spot small mistakes.
- Too Good to Be Real: If the listing sounds too good to be true, that is another red flag, for example a promise of a very high salary for little work, or terms like “unlimited earning potential” or “quick money.”
- Vague Job Descriptions: A legitimate job listing explains your role and includes a detailed job description. If you cannot tell what position you have applied for, the adversaries are most likely being deliberately vague. The following are examples of vague job descriptions:
  “Earn good money without having to leave the comfort of your home! No experience is required! Apply now!!”
  “Easy job with quick career progression and excellent pay! Apply with us NOW!”
  “Set your own time and help people when you earn! Flexible working hours!”
Job Offer Legitimacy Checklist
The FBI and cybersecurity professionals suggest the following tips and actions for job seekers who receive an online job offer:
- Conduct an online search of the hiring company by typing only the company name. If the results return multiple websites for the same company (for example, GreatCompany.com and GreatCompanyLLC.com), it indicates a fraudulent job offering.
- Legitimate companies ask for bank account information and PII for payroll purposes after hiring, not before. Even after you’re hired, remain cautious.
- Never send money to someone you recently met online, especially by a wire transfer.
- Don’t provide your credit card information to the employer.
- Never provide your bank account information to an employer whose identity you cannot verify. Most organizations today use a payroll provider through which you can set up your own payment details.
- Don’t accept job offers asking you to use your bank account to transfer the organization’s money. A legitimate organization will not ask you to do this.
- Never share your Social Security number or other PII (personally identifiable information) that hackers can use to access your accounts.
- Before entering PII online, look at the address bar and make sure the website is secure. The address should start with “HTTPS://,” not “HTTP://.”
- However, cybercriminals can also use “HTTPS://” to give you a false sense of security. Do not decide to proceed based solely on the use of “HTTPS://.”
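The two address-bar cues in the checklist (a second, similar-looking domain for the same company such as GreatCompany.com versus GreatCompanyLLC.com, and HTTPS as a necessary but insufficient signal) can be turned into a small triage helper. The following is an added Python example, not code from the article or from any of the organizations it names. It generalizes the lookalike check slightly: besides extra characters appended to the brand (GreatCompanyLLC), it also flags a different top-level domain and a brand label used only as a subdomain of an unrelated site. The verified-domain list and the URLs in the usage section are constructed, and the registrable-domain logic is a simplification that does not consult the public suffix list.

```python
# Added example, not from the original article: a URL triage helper that
# applies the checklist's address-bar cues. The known-domain list and the
# sample URLs are constructed; registrable_domain() is a simplification
# (no public-suffix list), so suffixes such as co.uk are not handled.
from urllib.parse import urlsplit
from typing import List


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host name (simplified; production
    code should use the public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_job_url(url: str, known_domains: List[str]) -> List[str]:
    """Return findings for a job-offer URL, given domains the reader has
    already verified as belonging to the company.

    'not-https'                 page is served without TLS
    'no-host'                   URL has no host name at all
    'known-domain'              host is under a verified domain (this alone
                                is still not proof of legitimacy)
    'lookalike:<domain>'        registrable domain contains a known brand
                                label plus extra characters or another TLD
    'brand-in-subdomain:<host>' brand label appears only as a subdomain of
                                an unrelated registrable domain
    'unknown-domain'            no relation to any verified domain found
    """
    findings: List[str] = []
    parts = urlsplit(url.strip())
    host = parts.hostname or ""          # urlsplit lower-cases the host
    if parts.scheme.lower() != "https":
        findings.append("not-https")
    if not host:
        findings.append("no-host")
        return findings

    known = {k.lower() for k in known_domains}
    reg = registrable_domain(host)
    if reg in known:
        findings.append("known-domain")
        return findings

    brands = {k.split(".")[0] for k in known}
    reg_label = reg.split(".")[0]          # e.g. "greatcompanyllc"
    sub_labels = host.split(".")[:-2]      # labels left of the registrable domain
    related = False
    for brand in brands:
        if brand in reg_label:
            findings.append(f"lookalike:{reg}")
            related = True
        elif any(brand in s for s in sub_labels):
            findings.append(f"brand-in-subdomain:{host}")
            related = True
    if not related:
        findings.append("unknown-domain")
    return findings


if __name__ == "__main__":
    verified = ["greatcompany.com"]        # constructed: domain the reader verified
    for u in ["https://greatcompany.com/careers/123",
              "https://GreatCompanyLLC.com/apply",
              "http://greatcompany.com/apply",
              "https://greatcompany.recruiting-portal.example/apply",
              "https://unrelated.example/jobs"]:
        print(u, "->", assess_job_url(u, verified))
```

The helper deliberately returns `known-domain` as a finding rather than a verdict: a verified domain served over HTTPS is the baseline expectation, not evidence that the offer itself is genuine, which is exactly the point of the last checklist item.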
Advanced persistent threat actors have long used bogus job offers as a social engineering lure. It dates back to early August 2020, when the Israeli cybersecurity firm ClearSky dubbed the campaign “Operation Dream Job.”
We saw how one unwary employee cost the organization over $500 million in damages, when all he needed to do was scrutinize his too-good-to-be-true job offer. So while organizations should adopt the most advanced tools to protect their information systems, training the workforce is equally important to guard against phishing.