What has been dubbed the largest crypto heist in history with an estimated valuation of 625 million dollars started with a LinkedIn job offer.
It all begin when a developer at Sky Mavis, the developer of the Axie Infinity game, received the offer via LinkedIn not all that long ago.
Axie Infinity uses Ronin’s blockchain bridge, a system that allows users to pass crypto funds between the Ronin network and Ethereum.
Sky Mavis created Ronin as a sidechain since Ethereum is too slow to work with the game. The bridge connects the two and allows funds to be transferred freely between them.
The job looked legit, and the developer went through a couple of rounds of interviews before being offered the role. Still working at Sky Mavis at the time, they received a PDF file as part of the onboarding process, which they proceeded to open on a company device.
The malware was able to sidestep security systems and take control of four out of the nine validators on the Ronin network.
Validators are the systems that approve crypto transactions within a network, so are a pivotal part of the chain. You need 5 of them in total to be able to move money around between networks, so the hackers were just missing one final piece of the puzzle.
The fifth validator came thanks to a request by Sky Mavis for help from a DAO (Decentralized Autonomous Organization) to help with a particularly heavy transaction load. The DAO helped out with the backlog thanks to being included within a network allowlist to let them into the system to help catch up.
Once the work was complete, the DAO withdrew from the network and everything returned to normal.
Except that allowlist wasn’t updated to remove their network access.
According to Sky Mavis in a blog post:
The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked. Once the attacker got access to Sky Mavis systems, they were able to get the signature from the Axie DAO validator.
The hack resulted in the theft of 173,600 ether and 25.5 million USD Coin stolen, totalling $625 million in value at the time.
Since then, Sky Mavis has increased the number of required keys to 11 with plans to increase further, all the way to 100.
That is, if crypto lasts long enough to warrant the investment.