Hackers managed to steal over $600 million in cryptocurrency from Sky Mavis, the developer behind the popular NFT-based video game Axie Infinity. The breach occurred on March 23, 2022, and represents one of the most significant cryptocurrency heists in history.
The Attack
The cyberattack unfolded when a threat actor exploited vulnerabilities in the Ronin bridge, a technology designed to facilitate the exchange and interoperability of different cryptocurrencies across various blockchains. The attacker targeted a series of validator nodes connected to Sky Mavis and their flagship NFT game, Axie Infinity.
Sky Mavis revealed that the hackers made off with 173,600 Ethereum and 25.5 million USD Coin, amounting to approximately $620 million. The theft was carried out in two transactions in which the attacker used compromised private keys to forge fake withdrawals.
The attacker's success hinged on gaining control of five validator nodes, four of which were operated by Sky Mavis and one by Axie Infinity's decentralized autonomous organization (DAO). The breach exploited a backdoor in the company's gas-free RPC node, a vulnerability that was not supposed to exist.
The Roots of the Breach
The attack has its roots in November 2021 when Sky Mavis sought assistance from the Axie DAO to distribute free transactions due to high user demand. The Axie DAO allowed Sky Mavis to sign transactions on its behalf. Although this arrangement was discontinued in December 2021, the access privileges were not revoked, leading to the security lapse.
Unclear Origins of the Attack
It remains unclear how the hackers obtained the private keys or whether the backdoor was intentionally placed by threat actors or inadvertently created by the company. Sky Mavis declined to comment on these aspects, leaving a cloud of uncertainty around the attack's origins.
Response and Recovery
In response to the breach, Sky Mavis has taken several measures to prevent future attacks. They raised the validator threshold from five nodes to eight, enhancing security. Additionally, the company is collaborating with law enforcement agencies, forensic cryptographers, and investors to recover or reimburse the stolen funds. The threat actor's Ethereum wallet address, containing roughly $595 million, was disclosed.
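The two root causes described above, the unrevoked DAO signing allowlist and a five-signature threshold, can be modelled as a question of how many independent operators must be compromised before a withdrawal can be forged. The following is an added example, not Sky Mavis or Ronin code; it assumes a nine-validator set (the page gives only the threshold) with four assumed independent partner operators, and the class and function names are constructed for illustration.

```python
from dataclasses import dataclass, field
from itertools import combinations

@dataclass(frozen=True)
class Validator:
    name: str
    operator: str  # entity that actually holds this validator's signing key

@dataclass
class BridgeMultisig:
    # k-of-n validator set that must co-sign a bridge withdrawal (hypothetical model)
    validators: list
    threshold: int
    # operator -> operator allowed to sign on its behalf (the Axie DAO allowlist for Sky Mavis)
    delegations: dict = field(default_factory=dict)

    def effective_signer(self, v):
        """Whoever can currently produce this validator's signature, following delegation."""
        return self.delegations.get(v.operator, v.operator)

    def keys_controlled_by(self, compromised):
        return [v.name for v in self.validators if self.effective_signer(v) in compromised]

    def can_forge_withdrawal(self, compromised):
        """True if compromising these operators yields enough signatures for a withdrawal."""
        return len(self.keys_controlled_by(compromised)) >= self.threshold

    def min_operators_to_forge(self):
        """Smallest number of distinct operators whose compromise reaches the threshold."""
        ops = sorted({self.effective_signer(v) for v in self.validators})
        for k in range(1, len(ops) + 1):
            if any(self.can_forge_withdrawal(set(c)) for c in combinations(ops, k)):
                return k
        return None  # unreachable: all operators together hold every key

# Constructed validator set: four Sky Mavis nodes, one Axie DAO node, four assumed
# independent partner nodes (the page gives only the threshold, not the set size).
VALIDATORS = (
    [Validator(f"sky-mavis-{i}", "Sky Mavis") for i in range(1, 5)]
    + [Validator("axie-dao-1", "Axie DAO")]
    + [Validator(f"partner-{c}", f"Partner {c}") for c in "ABCD"]
)

def ronin_march_2022():
    # five-signature threshold, with the November 2021 DAO-to-Sky-Mavis allowlist never revoked
    return BridgeMultisig(VALIDATORS, threshold=5, delegations={"Axie DAO": "Sky Mavis"})

def ronin_after_fix():
    # delegation revoked and threshold raised to eight, as the response section describes
    return BridgeMultisig(VALIDATORS, threshold=8)
```

With the stale delegation in place, a single operator's key material reaches the threshold; revoking it alone raises that to two operators, and the higher threshold raises it further, which is the metric a bridge operator should track when reviewing validator key custody.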
To further secure its systems, Sky Mavis temporarily paused the Ronin bridge while investigating the sidechain hack, to ensure that no other attack vectors remained open.
Axie Infinity and NFT Gaming
Axie Infinity is a prominent example of the emerging genre of NFT-based video games. Players collect and mint NFTs in the form of digital pets that are used in battles against other players. This gaming model lets players earn in-game currency that can be cashed out as cryptocurrency.
Rising Cryptocurrency Cyber Attacks
The Axie Infinity hack is just one example of the increasing trend of cryptocurrency cyberattacks. In recent months, several high-profile attacks on cryptocurrency platforms have occurred, resulting in significant financial losses. These incidents highlight the urgent need for robust cybersecurity measures in the cryptocurrency industry.
Spear Phishing
The source of the Axie Infinity breach was traced back to a sophisticated spear-phishing attack. Hackers posed as a fictitious company and initiated contact with a Sky Mavis engineer through LinkedIn, offering a high-paying job. The attackers conducted multiple rounds of interviews, ultimately sending a formal job offer as a PDF attachment. This seemingly harmless PDF contained malware that infiltrated Sky Mavis' IT infrastructure, leading to the devastating breach.
Culprits Behind the Attack
Approximately three weeks after the breach, the FBI officially attributed the attack to the Lazarus Group and APT38, two hacking groups with connections to the Democratic People's Republic of Korea (DPRK). These North Korean hackers have a history of conducting cryptocurrency heists, having stolen $400 million in at least seven attacks against cryptocurrency platforms in 2021 alone. The DPRK government has been associated with financially motivated cybercrime.
Strengthening Cybersecurity
The Axie Infinity hack serves as a stark reminder of the constant threats faced by cryptocurrency platforms and the broader technology industry. It underscores the importance of robust cybersecurity practices, employee training to combat phishing attacks, and proactive security measures.
Organizations must adopt a zero-trust security model, which assumes that every individual, account, or device attempting to connect to the network is suspicious and requires thorough verification before granting access. By implementing comprehensive security measures and remaining vigilant, companies can mitigate the risks associated with cyber threats like the Axie Infinity breach.