Newsletter
Join thousands of people who receive the latest breaking cybersecurity news every day.
The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.
document.getElementById( “ak_js_1” ).setAttribute( “value”, ( new Date() ).getTime() );
The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.
Share this article:
In March, a North Korean APT siphoned blockchain gaming platform Axie Infinity of $540M.
Axie Infinity, a popular destination for 3 million traders of in-game collectible non-fungible tokens, reportedly lost $540M in cryptocurrency in a recruiting-themed spear phishing attack. The perpetrators of the crime are believed to be an advanced persistent threat group with ties to North Korean.
The report comes from the publication The Block, which said on March 23rd hackers took control of private keys tied to four validator nodes. Those nodes, according to the report, belong to the Ronin Network – which Axie runs on. The second node belongs to the Axie DAO – a decentralized organization that supports the game’s ecosystem.
A private key, similar to a password, is a secret number that is used in blockchain cryptography. Validator nodes are computers that, together, maintain a blockchain network by, among other things, validating and processing transactions.
Ronin is supported by nine validators so, by controlling five, the attacker possessed majority control over the network. Axie and Ronin are developed by Sky Mavis.
“Axie systems relied on a relatively small number of validators,” Ryan Spanier, vice president of Innovation at Kudelski Security, explained to Threatpost via email. “This is not a typical practice for public chains, although we do see this in permissioned chains similar to Axie,” he said.
The problem wasn’t just that there were too few validators, but that those validators were all concentrated in one place. “The validators were not well distributed between independent organizations,” Spanier continued, “which means the attacker only truly had to compromise one organization. Essentially, they had a decentralized blockchain model but were vulnerable to a centralized threat vector.”
With majority control, the attackers were able to effectively write checks to themselves, Spanier said. They stole 173,600 Ethereum (ETH) and 25.5 million USD Coin (USDC) in all. At the time, that added up to approximately $540 million in value.
The following month, the U.S. Treasury Department tied the Ethereum wallet address behind the attack to North Korea’s Lazarus Group. What wasn’t clear until this week is how did the attackers gain control over those validators?
On March 30, the Ronin Network newsletter stated that “all evidence points to this attack being socially engineered, rather than a technical flaw.” The disclosure did not elaborate further. Now two anonymous sources have come forward who claim “direct knowledge of the matter” are share with reporters at The Block the unconfirmed inside story about what happened.
Sources told The Block earlier in the year some Sky Mavis staff were approached with job opportunities by recruiters on LinkedIn. One engineer, following “multiple rounds of interviews,” was offered a job “with an extremely generous compensation package.” The offer came in the form of a PDF which, once the engineer clicked to open, downloaded spyware to his computer. From there, the attackers moved laterally into Ronin’s IT systems, allowing them to steal those coveted validator private keys, according to The Block.
Mollie MacDougall, director of threat intelligence at Cofense, put it bluntly in an email to Threatpost. “Blockchain platforms should do what every other organization should do: implement an effective phishing defense program that combines technology with the human layer of security.”
“Imagine only one of those employees had reported that email to Axie’s security team. Then imagine that the team could have identified, removed, and notified any other recipients of that email. It could have stopped the attack early in its tracks.”
Share this article:
A radio control system for drones is vulnerable to remote takeover, thanks to a weakness in the mechanism that binds transmitter and receiver.
Cyber collective Killnet claims it won’t let up until the Baltic country opens trade routes to and from the Russian exclave of Kaliningrad.
The APT is pairing a known Microsoft flaw with a malicious document to load malware that nabs credentials from Chrome, Firefox and Edge browsers.
document.getElementById( “ak_js_2” ).setAttribute( “value”, ( new Date() ).getTime() );
This site uses Akismet to reduce spam. Learn how your comment data is processed.
Join thousands of people who receive the latest breaking cybersecurity news every day.
CISA warns that threat actors are ramping up attacks against unpatched #Log4Shell vulnerability in VMware servers. https://t.co/WLJ0CVaHuD
3 hours ago
Get the latest breaking news delivered daily to your inbox.
The First Stop For Security News
Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.
