The $540 million hack of Axie Infinity’s Ronin Bridge in late March 2022 was the consequence of one of its former employees getting tricked by a fraudulent job offer on LinkedIn, it has emerged.
According to a report from The Block published last week citing two people familiar with the matter, a senior engineer at the company was duped into applying for a job at a non-existent company, causing the individual to download a fake offer document disguised as a PDF.
“After what one source described as multiple rounds of interviews, a Sky Mavis engineer was offered a job with an extremely generous compensation package,” the Block reported.
The offer document subsequently acted as a conduit to deploy malware designed to breach Ronin’s network, ultimately facilitating one of the crypto sector’s biggest hacks to date.
“Sky Mavis employees are under constant advanced spear-phishing attacks on various social channels and one employee was compromised,” the company said in a post-mortem analysis in April.
“This employee no longer works at Sky Mavis. The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes.”
In April 2022, the U.S. Treasury Department implicated the North Korea-backed Lazarus Group in the incident, calling out the adversarial collective’s history of attacks targeting the cryptocurrency sector to gather funds for the hermit kingdom.
Bogus job offers have been long employed by the advanced persistent threat as a social engineering lure, dating back as early as August 2020 to a campaign dubbed by Israeli cybersecurity firm ClearSky as “Operation Dream Job.”
In its T1 Threat Report for 2022, ESET noted how actors operating under the Lazarus umbrella have employed fake job offers through social media like LinkedIn as its strategy for striking defense contractors and aerospace companies.
While Ronin’s Ethereum bridge was relaunched in June, three months after the hack, the Lazarus Group is also suspected to be behind the recent $100 million altcoin theft from Harmony Horizon Bridge.
The findings also come as blockchain projects centered around Web 3.0 have lost more than $2 billion to hacks and exploits in the first six months this year, blockchain auditing and security company CertiK disclosed in a report last week.