How a Fake Job Offer Resulted in a $540 Million Crypto Hack


  • A senior engineer at Axie Infinity was tricked by hackers into applying for a position at a phony company.
  • Earlier this year, the fraud caused the loss of $540 million in cryptocurrency.
  • When the engineer opened the phony PDF document that served as the “offer,” spyware was able to penetrate Ronin’s systems.

Rarely has a job application gone as horribly wrong as it did for one senior developer at Axie Infinity, whose desire to work for what turned out to be a fictional firm resulted in one of the largest hacks in the cryptocurrency industry.

In March, an exploit cost Ronin, the Ethereum-linked sidechain that powers the play-to-earn game Axie Infinity, $540 million in cryptocurrency. The US authorities later linked the incident to the North Korean hacker collective Lazarus, but the full specifics of how the exploit was carried out have not been made public. Ronin’s downfall was caused by a fake job ad.

A senior engineer at Axie Infinity was tricked into applying for a position at a firm that, in reality, did not exist, according to two people with firsthand knowledge of the situation who were granted anonymity owing to the sensitive nature of the affair.

Axie Infinity was big. At its height, the play-to-earn game even allowed workers in Southeast Asia to support themselves. In November of last year, it touted 2.7 million daily active users and $214 million in weekly trading volume for its in-game NFTs, though both figures have since declined.

According to the sources, individuals posing as representatives of the phony firm approached staff at Axie Infinity creator Sky Mavis earlier this year and encouraged them to apply for jobs.

One source further stated that the approaches were made through LinkedIn, a platform for professional networking. A Sky Mavis engineer went through several rounds of interviews before receiving a job offer with hefty pay.

The engineer downloaded the fraudulent “offer,” a PDF document, which allowed spyware to infect Ronin’s systems. From there, hackers were able to attack and seize control of four out of the nine validators on the Ronin network, leaving them with entire control of the system.

One employee was compromised by ongoing advanced spear-phishing attacks on multiple social media channels targeting employees. This employee no longer works at Sky Mavis. Using that access, the attacker was able to breach Sky Mavis’ IT system and reach the validator nodes.