Popular NFT Marketplace Ravaged by $540M Phishing Scheme

ATTACK Simulator
3 min readAug 17, 2022
Popular NFT Marketplace Ravaged by $540M Phishing Scheme

In March, a North Korean APT netted $540 million thanks to a massive phishing operation carried out on the very popular NFT marketplace, Axie Infinity.

NFT Marketplace Under The Spear

With approximately 3 million users, the blockchain gaming platform Axie Infinity reportedly lost $540M in cryptocurrency in a spear phishing attack with a job opening lure. Researchers believe the threat actors are an advanced persistent cybercriminal group tied to North Korea.

The findings come from The Block. In a post, they said that on March 23rd the perpetrators seized control of private keys linked to four validator nodes. The report says that those nodes belong to the Ronin Network, the network on which Axie Infinity runs. The second node belongs to a network called Axie DAO.

Much like a password, a private key is a secret number that is used in blockchain cryptography. Validator nodes are a cluster of computers that support a blockchain network by performing a series of functions, the most important ones being validating and processing transactions.

Nine validators maintain the Ronin network so, by taking control over five, the hackers gained majority control over the entire network. Sky Mavis is the developer of Axie and Ronin.

“Axie systems relied on a relatively small number of validators,” Ryan Spanier, vice president of Innovation at Kudelski Security, explained. “This is not a typical practice for public chains, although we do see this in permissioned chains similar to Axie,” he said.

The small number of validator nodes is not the only nor the most significant issue, but that those validators were all clustered in one place. “The validators were not well distributed between independent organizations,” Spanier continued, “which means the attacker only truly had to compromise one organization. Essentially, they had a decentralized blockchain model but were vulnerable to a centralized threat vector.”

With majority control in their hands, the hackers managed to effectively write checks to themselves, according to Spanier. They stole as much as 173,600 Ethereum (ETH) and 25.5 million USD Coin (USDC). At the time, those amounts were equivalent to $540 million in value.

In April, the U.S. Treasury Department linked the Ethereum wallet address used in the attack to Lazarus Group, a North Korea-based hacking group. How the attackers gained the majority control remained a mystery until last week.

The Job Offer That Devastated Axie Infinity

The Ronin Network newsletter stated on March 30th that it was a socially-engineered, sophisticated attack: “all evidence points to this attack being socially engineered, rather than a technical flaw.” However, no further details were given on the subject. Recently, two anonymous sources claim to have “direct knowledge of the matter,” but their side of the story is yet to be shared and confirmed.

Earlier this year, sources reported to The Block that some Sky Mavis employees were approached with job openings by recruiters on LinkedIn. One engineer, following “multiple rounds of interviews,” was offered a job “with an extremely generous compensation package.” The offer took the form of a PDF file which, once the engineer clicked to open, infected his computer with spyware. Next, the threat actors expanded laterally into Axie Infinity’s network, and stole those coveted validator private keys, according to The Block’s post.

Mollie MacDougall, director of threat intelligence at Cofense, highly recommended that organizations implement security awareness training to combat phishing attacks: “Blockchain platforms should do what every other organization should do: implement an effective phishing defense program that combines technology with the human layer of security.”

“Imagine only one of those employees had reported that email to Axie’s security team. Then imagine that the team could have identified, removed, and notified any other recipients of that email. It could have stopped the attack early in its tracks.” And none of this would have happened.

Don’t waste any more precious time; you might run out of luck any moment and have your business hit with a phishing attack. Invest now in a security awareness program for your employees.

ATTACK Simulator’s Security Awareness Training program will help you equip your employees with the necessary security knowledge and up-to-date security practices to keep your company safe from scammers and avoid potentially irreparable damage.


Threatpost Popular NFT Marketplace Phished for $540M

The Block How a fake job offer took down the world’s most popular crypto game


Feature Image: Photo by Andrey Metelev on Unsplash



ATTACK Simulator

We’re a fresh startup that aims at creating a culture of security in every company by teaching security awareness through automated phishing simulations.