Axie Infinity Ronin Bridge: A Fake Job Offer Steals $625 Million in Crypto

North Korea's Lazarus Group sent a fake PDF job offer to a Ronin Network engineer. Opening it installed spyware. Five months later, attackers used the compromised keys to drain $625 million from the Ronin cryptocurrency bridge.

Sky Mavis / Ronin Network · 2022 · 2 min read

Attack Chain

  1. Fake job offer sent on LinkedIn
  2. Malicious PDF opened
  3. Backdoor installed
  4. Validator private keys stolen
  5. $625M drained from bridge

Background

Sky Mavis developed Axie Infinity, a play-to-earn crypto game, and operated the Ronin bridge that let players move funds between Ethereum and the Ronin sidechain. Withdrawals from the bridge were guarded by a 5-of-9 multi-signature scheme: any withdrawal had to be approved by at least 5 of the 9 validator keys.

The Attack

A Ronin engineer received a fake job offer, a PDF document promising a highly attractive salary and benefits package, purportedly from a blockchain company. Opening the PDF installed spyware that gave Lazarus Group persistent access to the engineer's systems. Over the following months the attackers moved laterally through Sky Mavis's internal network and obtained the private keys of the four validators that Sky Mavis itself operated. The fifth signature came from a third-party validator run by the Axie DAO. In November 2021, during a period of heavy traffic, the Axie DAO had allowlisted Sky Mavis to sign transactions on its behalf through Sky Mavis's gas-free RPC node; the arrangement ended the following month, but the allowlist entry was never removed. With control of Sky Mavis's infrastructure the attackers could therefore obtain a fifth valid signature without ever stealing the Axie DAO key. On March 23, 2022, holding the five approvals the threshold required, they issued two fraudulent withdrawal transactions draining 173,600 ETH and 25.5 million USDC.

Response

The breach was not discovered until six days later, when a user tried to withdraw funds and could not. Sky Mavis paused the Ronin bridge. The FBI and the US Treasury Department both attributed the theft to Lazarus Group, and Treasury sanctioned the Ethereum addresses holding the stolen funds. Sky Mavis raised $150 million from investors to partially compensate affected users.

Outcome

At $625 million, the Ronin hack was the largest cryptocurrency theft in history at the time. Less than 20% of the funds was recovered. The case illustrates the confluence of social engineering, a forgotten access grant, and a multi-signature scheme whose threshold was meaningless once a single operator controlled most of the keys.

Key Takeaways

  1. Revoke temporary access grants promptly, and give every grant an expiry: abandoned elevated privileges are exactly what attackers look for
  2. Job-offer lures are a primary vector for nation-state spyware installation; verify the sender's identity through an independent channel before opening attachments
  3. A multi-signature threshold only provides security if the keys are held by genuinely independent parties; five keys reachable from one operator's network is effectively a single key
  4. Bridge architecture must enforce withdrawal rate limits and anomaly detection, so that a withdrawal far outside normal volume is held for review instead of settling silently
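
The threshold arithmetic from the Background, the stale-delegation failure mode from The Attack, and the rate-limit takeaway above, as a single added Python model. This is illustrative code written for this page, not Sky Mavis or Ronin code; the validator names, the timestamps, the delegation data structure and the 10,000 ETH daily cap are assumptions chosen for the example.

```python
"""Threshold-signature bridge with delegated signing and a withdrawal cap.

Added example to illustrate the failure modes described above; it is not
Sky Mavis or Ronin code. Validator names, timestamps, the delegation API
and the 10,000 ETH daily cap are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

DAY = 86_400
THRESHOLD = 5                                            # 5-of-9, as in the text
VALIDATORS = {f"validator-{i}" for i in range(1, 10)}    # nine constructed names
# Sky Mavis ran four of the nine validators; validator-1..4 stand in for them.
OPERATOR_KEYS = {"validator-1", "validator-2", "validator-3", "validator-4"}
T_GRANT = 1_636_000_000            # assumed "November 2021" grant timestamp
T_ATTACK = T_GRANT + 120 * DAY     # assumed: roughly four months later


@dataclass
class Delegation:
    """`grantor` allows `grantee` to sign on its behalf until `expires_at`.
    `expires_at=None` models an allowlist entry that was never revoked."""
    grantor: str
    grantee: str
    expires_at: Optional[int]


@dataclass
class Bridge:
    validators: Set[str]
    threshold: int
    delegations: List[Delegation] = field(default_factory=list)
    daily_cap_eth: float = 10_000.0      # assumption: illustrative rate limit
    withdrawn_today_eth: float = 0.0

    def effective_signers(self, keys_held: Set[str], now: int) -> Set[str]:
        """Approvals obtainable from `keys_held`: the validators whose keys
        are held, plus any grantor whose delegation to a held key is live."""
        signers = keys_held & self.validators
        for d in self.delegations:
            live = d.expires_at is None or now < d.expires_at
            if d.grantee in keys_held and live:
                signers.add(d.grantor)
        return signers

    def authorize_withdrawal(self, keys_held: Set[str], amount_eth: float,
                             now: int) -> Tuple[bool, str]:
        """Threshold check first, then the rate limit; both must pass."""
        signers = self.effective_signers(keys_held, now)
        if len(signers) < self.threshold:
            return False, f"only {len(signers)} of {self.threshold} approvals"
        if self.withdrawn_today_eth + amount_eth > self.daily_cap_eth:
            return False, "daily cap exceeded; hold for manual review"
        self.withdrawn_today_eth += amount_eth
        return True, "approved"


def build_bridge(grant_expiry: Optional[int]) -> Bridge:
    """validator-5 (standing in for the third-party Axie DAO validator) lets
    validator-1 (the operator) sign on its behalf; the expiry is the variable."""
    bridge = Bridge(validators=set(VALIDATORS), threshold=THRESHOLD)
    bridge.delegations.append(Delegation("validator-5", "validator-1", grant_expiry))
    return bridge


def attacker_approvals(grant_expiry: Optional[int], now: int = T_ATTACK) -> int:
    """How many approvals an attacker holding the operator's four keys can produce."""
    return len(build_bridge(grant_expiry).effective_signers(OPERATOR_KEYS, now))


def attacker_withdraws(grant_expiry: Optional[int], amount_eth: float,
                       now: int = T_ATTACK) -> Tuple[bool, str]:
    """Outcome of the attacker's withdrawal attempt under the given grant expiry."""
    return build_bridge(grant_expiry).authorize_withdrawal(OPERATOR_KEYS, amount_eth, now)


if __name__ == "__main__":
    print("never revoked :", attacker_approvals(None))               # 5
    print("30-day expiry :", attacker_approvals(T_GRANT + 30 * DAY))  # 4
    print("large drain   :", attacker_withdraws(None, 173_600))       # blocked by cap
    print("small drain   :", attacker_withdraws(None, 5_000))         # approved
```

Four operator keys never reach the threshold on their own; the unexpired delegation is what turns four into five, and a grant with an expiry date closes that path without anyone having to remember to revoke it. The daily cap is the second, independent control: even with five approvals, a withdrawal the size of the real one would be held rather than settled.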
Tags: Lazarus Group, fake job offer, crypto bridge, North Korea, multisig