Rarely has a job application backfired more spectacularly than in the case of one senior engineer at Axie Infinity, whose interest in joining what turned out to be a fictitious company led to one of the crypto sector’s biggest hacks.
Ronin, the Ethereum-linked sidechain that underpins play-to-earn game Axie Infinity, lost $540 million in crypto to an exploit in March. While the US government later tied the incident to North Korean hacking group Lazarus, full details of how the exploit was carried out have not been disclosed.
It turns out it was a fake job ad was Ronin’s undoing.
According to two people with direct knowledge of the matter, who were granted anonymity due to the sensitive nature of the incident, a senior engineer at Axie Infinity was duped into applying for a job at a company that, in reality, did not exist.
Earlier this year, staff at Axie Infinity developer Sky Mavis were approached by people purporting to represent the fake company and encouraged to apply for jobs, according to the people familiar with the matter. One source added that the approaches were made through the professional networking site LinkedIn.
After what one source described as multiple rounds of interviews, a Sky Mavis engineer was offered a job with an extremely generous compensation package.
The fake “offer” was delivered in the form of a PDF document, which the engineer downloaded — allowing spyware to infiltrate Ronin’s systems. From there, hackers were able to attack and take over four out of nine validators on the Ronin network — leaving them just one validator short of total control.
In a post-mortem blog post on the hack, published April 27, Sky Mavis said: “Employees are under constant advanced spear-phishing attacks on various social channels and one employee was compromised. This employee no longer works at Sky Mavis. The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes.”
Validators fulfill various functions in blockchains, including the creation of transaction blocks and the updating of data oracles. Ronin uses a so-called “proof of authority” system for signing transactions, concentrating power in the hands of nine trusted actors.
An April blog post on the incident from blockchain analysis firm Elliptic explains: “Funds can be moved out if five of the nine validators approve it. The attacker managed to get hold of the private cryptographic keys belonging to five of the validators, which was enough to steal the cryptoassets.”
But after successfully infiltrating Ronin’s systems through the fake job ad, the hackers had control of just four out of the nine validators — meaning they needed another in order to take control.
In its post-mortem, Sky Mavis revealed that the hackers managed to use the Axie DAO (Decentralized Autonomous Organization) — a group set up to support the gaming ecosystem — to complete the heist. Sky Mavis had asked the DAO for help dealing with a heavy transaction load in November 2021.
“The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked,” said Sky Mavis in the blog post. “Once the attacker got access to Sky Mavis systems they were able to get the signature from the Axie DAO validator.”
A month after the hack, Sky Mavis had increased the number of its validator nodes to 11, and said in the blog post that its long-term goal was to have more than 100.
Blockchain, cryptocurrency and decentralized finance security is a specialty of ours at BLAKFX. Our data security company set out to be the world’s most secure cryptocurrency and we decided to take it to the next level and protect all data and protocols, not just crypto.
Unfortunately, the only thing holding NFT acceptance back is the lack of data, wallet and exchange security. Everyday we hear about thefts and exchange hacks. The entire sector has to take the issue much more fanatically.
Like any other cryptographic coin or token, an NFT is controlled by a private key. Depending on the services the NFT owner uses, they might store this private key themselves, or have it stored by an online marketplace they use. In both cases, that private key might be stolen if an attacker manages to compromise the system that stores it. Malware that steals Bitcoin wallets has been around for some time already, as has malware that steals NFTs.
The real problem is that most crypto tools don’t use very sophisticated anti-hacking systems. The most common feature is two-factor authentication: for each transaction you need to enter a one-time password, which is sent to the client’s phone or e-mail.
With this in mind, 2FA is not the most secure way of protection. A more advanced option for two factor authentication is special applications like Authy and Google Authenticator. They block access to the system if the login and password are compromised by asking for additional code.
In Math We Trust
One of the most reliable ways of protection against hacker attacks remains distribution of assets between hot and cold wallets. In addition to physical protection (video cameras, armed guards, retinal scanner, etc.), a cold wallet can be equipped with a multi-signature system. The bigger the share in the cold storage, the safer it is. Ideally, NFTs and cryptocurrency should only get online at the time of the transaction.
Another way are the so-called Bitcoin “valves” — special Bitcoin addresses, where coins are locked by a two-stage security mechanism with two different keys. To unlock funds, you need a regular digital key, but full access to the money is only possible after 24 hours. Within those 24 hours, any transaction can be cancelled by entering the second key. There is another degree of protection: if a hacker has both keys, the exchange can burn the funds stored in the wallet.
Regular audits by independent experts and hacking tests have become a good tone among crypto exchange operators. The latter is done by so-called white hackers. Their goal is to hack into security systems to find potential vulnerabilities that can be exploited by attackers.
One way or another, a complex approach is important in the question of cryptocurrency exchanges security: security of code in combination with security of development environment and third-party libraries used in the product creation. It is also impossible to exclude human factor, which often contributes to hacker attacks.
Unfortunately, very few methods are working.
The problem with all these methods, is that once they are defeated and breached, the NFTs are in the clear and easily stolen.
The founders at BLAKFX, as mentioned earlier, originated their current data security product (Helix22) as a cyber currency, exchange, wallet and blockchain. Therefore our data security product, the Helix22 SDK, is fully designed and functioning to facilitate the de fi sector.
Helix22 is Designed To Be Quantum Immune – Start Your Integration on our Git
Helix22 delivers perfect security assurance due to our genius engineering team that has invented a new model for data security that required an innovative look at the problem. The approach we took was to protect the data itself. Almost all other data security products try to build a perimeter or being fanatic on user credentials. However, once the product is breached or a password is stolen, even if it is 2FA or encrypted, your firms data is in the clear.
You see, the Helix22 cryptography is embedded with the data itself through our inventive and patented cryptography of DNA BindingTM. Therefore, even if credentials are stolen the data cannot be exfiltrated. This means that all data is 100% protected regardless of the type of attack.
Another substantial advantage of Helix22, is that it protects all data whether at rest, in use or in transit. All communication apps for example, only encrypt data while in transit. Therefore, that encryption become useless for internal IT security or Artificial Intelligence or Machine Learning experimentation. All data generated during these massive computing exercises is equally protected in real time. Plus, the latency period for the Helix22 is exponentially less than any other security product, so it actually contributes to faster processing times.
The Helix22 is easy to install and runs on all platforms, programming languages, networks and devices.
In this protocol, we are truly a “zero-knowledge” server so your private communications and transmissions remain completely top secret. Even in the event that BLAKFX were subpoenaed, we can honor the request by just handing over the encrypted content…as that is literally all we have. Helix22 also only use keys just one-time and then destroys them. This way the data security is future forward prefect. Therefore, in our unique user-to-user encryption (U2U) world, there is no opportunity ever for any data leak.
The Helix22 data security SDK accomplishes the following:
- Protects all your firms data at rest, in use and in transit
- Renders ransomware threats obsolete
- Eliminates human error
- Eliminates all malicious or interior attacks
- Verifies original content i.e. minimizes the threat of impersonation attacks and deep fakes
- Reduces latency and optimizes 5G networks
- Installs with 5 lines of code
- Runs on any platform, network, device and in any programming language
- Provides perfect future/forward secrecy
- Delivers “zero-knowledge” encryption
- Compatible with all cloud, 3rd party and vendor services
- Enables Internet of Things data security by providing protection at the Edge and has ultra low latency
- Ensures privacy and security for Decentralized Finance, blockchain and all cryptocurrency transactions
- Is quantum ready – so there’s no need to upgrade when the time comes
- Requires no employee training
- Exceeds all gov’t and banking security standards
- Meets all international compliance regulations
We can make this claim as the tech engineers at BLAKFX invented and patented a genuine device2device (D2D) encryption. We manage data security transmission through the truly brilliant and also patented universal Helix22 key service. The Helix22 encryption originates on your network or device, not just when the app is opened. This means, that when data arrives to our key server, it is already encrypted so all it needs to do is issue another key. Signal and Telegram cannot claim this level of security. This key will then only work with the intended device, which generates a matching key required to open the data. In this protocol, we are truly a “zero-knowledge” server so your communications and transmissions remain completely top secret. Even in the event that BLAKFX were subpoenaed, we can honor the request by just handing over the encrypted content…as that is literally all we have. Helix22 also only use keys just one-time and then destroys them. This way the data security is future forward prefect. Therefore, in our unique device-to-device encryption (D2D) world, there is no opportunity at all for any data leak.
This same protocol just described, can be the same with all your 3rd party vendors and suppliers. It does not matter in the least what platform they are running or what device they are using or even the type of data, it is all 100% protected. We do however, strongly advise that all firms involved be utilizing Helix22 due to the nature of the data content. Helix22 can ensure that whatever data they are generating is protected as well.
Let’s take it a step further. Even if your organization were a victim of an internal attack or a victim of malicious open source downloads, there is no reason for concern. Any data that has been forwarded, downloaded, copied or saved cannot be exfiltrated. Period. We have the technology industries foremost data packets which are protected with multi-layered, military grade encryption algorithms that have already proven the ability to withstand penetration testing from MI5 and quantum computing attacks.
One final practical genius of DNA BindingTM is in that it is immediately compatible with whichever system or software you are utilizing. Therefore, any organization can forward information to another and then discuss it and there is immediate privacy.
BLAKFX is Based on Success
Our founders, Robert Statica PhD and Kara Coppa, also founded Wickr, which is used by the US military and has never been hacked since its inception in 2012. The Helix22 data security SDK is several generations enhanced since then. Dr. Statica also delivered the encryption for the world’s most secure phone, Katim.
Founder – Robert Statica PhD Founder – Kara Coppa
Co-Founders of Wickr KatimTM Ultra Secure Smartphone
Finally, the Helix22 encryption is quantum computing ready so no need to redo all your data security methodologies in a couple of years when everything else becomes obsolete.
We like to refer to Helix22 as “22nd Century Data Security.”
Helix22 – Zero Risk