$540M Phishing Attack Exposes Critical Weakness in Axie Infinity’s Blockchain
In one of the largest crypto heists to date, hackers linked to North Korea’s Lazarus Group exploited a spear-phishing campaign to steal $540 million in cryptocurrency from Axie Infinity, a popular NFT-based blockchain gaming platform. The attack, initially reported in March, was confirmed to involve sophisticated social engineering tactics.
According to The Block, the attackers compromised private keys associated with five of nine validator nodes on the Ronin Network, which underpins the Axie Infinity ecosystem. Gaining control of a majority of the validators allowed the attackers to authorize fraudulent withdrawals of 173,600 ETH and 25.5 million USDC.
Validator Centralization Enabled the Attack
Ronin’s limited validator setup became a vulnerability. With only nine validators in total, the attackers needed to compromise just five to gain control. Four of those were directly under the control of Sky Mavis, the developer behind Axie and Ronin. The fifth belonged to the Axie DAO.
“The validators were not well distributed between independent organizations,” said Ryan Spanier, VP of Innovation at Kudelski Security. “It meant that compromising a single entity gave attackers access to the entire system.”
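The point Spanier makes is a quorum-concentration problem: a 5-of-9 threshold only protects against key compromise if the nine keys are held by many independent parties. The following script is an added example, not code from the article, Sky Mavis or the Ronin Network. It models a 5-of-9 withdrawal quorum and measures how many distinct organizations would have to be breached to reach the signing threshold. The article states only that four validators were run by Sky Mavis and one by the Axie DAO; the remaining four operators, and all validator identifiers, are constructed and assumed to be independent.

```python
"""Quorum-concentration check for a threshold validator set.

Added example, not code from the article, Sky Mavis or the Ronin Network.
Models a 5-of-9 withdrawal quorum like the one the article describes and
measures how many distinct organizations an attacker must compromise to reach
the signing threshold. Four validators run by Sky Mavis and one by the Axie
DAO come from the article; the other four operators are assumed independent
and their names are constructed.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

THRESHOLD = 5  # validator signatures required to authorize a withdrawal

# Constructed mapping: validator id -> operating organization.
RONIN_STYLE: Dict[str, str] = {
    "validator-1": "Sky Mavis",
    "validator-2": "Sky Mavis",
    "validator-3": "Sky Mavis",
    "validator-4": "Sky Mavis",
    "validator-5": "Axie DAO",
    "validator-6": "Operator-A (assumed)",
    "validator-7": "Operator-B (assumed)",
    "validator-8": "Operator-C (assumed)",
    "validator-9": "Operator-D (assumed)",
}

# Same validator count and threshold, but every node run by a different organization.
EVENLY_DISTRIBUTED: Dict[str, str] = {
    f"validator-{i}": f"Operator-{i} (assumed)" for i in range(1, 10)
}


def has_quorum(signers: Iterable[str], validators: Dict[str, str], threshold: int) -> bool:
    """Return True if the distinct, recognised validator ids in `signers` meet the threshold.

    Unknown ids and duplicate signatures are ignored, mirroring how a bridge
    contract counts unique validator signatures rather than raw signature count.
    """
    recognised = {v for v in signers if v in validators}
    return len(recognised) >= threshold


def min_orgs_to_reach_quorum(validators: Dict[str, str], threshold: int) -> Tuple[int, List[str]]:
    """Smallest number of organizations whose combined validators meet the threshold.

    Selecting operators in descending order of validators they run minimises
    the count, so a single greedy pass is optimal. Returns the count and the
    organizations in selection order.
    """
    if threshold > len(validators):
        raise ValueError("threshold exceeds number of validators")
    selected: List[str] = []
    signers = 0
    for org, run in Counter(validators.values()).most_common():
        selected.append(org)
        signers += run
        if signers >= threshold:
            return len(selected), selected
    raise AssertionError("unreachable: all validators selected but threshold not met")


def largest_operator_share(validators: Dict[str, str], threshold: int) -> float:
    """Fraction of the threshold controlled by the single largest operator.

    A value near 1.0 means one organization is almost a quorum on its own.
    """
    _, biggest = Counter(validators.values()).most_common(1)[0]
    return min(biggest, threshold) / threshold


if __name__ == "__main__":
    for name, vset in (("Ronin-style", RONIN_STYLE), ("Evenly distributed", EVENLY_DISTRIBUTED)):
        n, orgs = min_orgs_to_reach_quorum(vset, THRESHOLD)
        print(f"{name}: {n} organization(s) suffice -> {orgs}; "
              f"largest operator holds {largest_operator_share(vset, THRESHOLD):.0%} of the quorum")
    # Five compromised keys authorize a withdrawal; four do not.
    print(has_quorum([f"validator-{i}" for i in range(1, 6)], RONIN_STYLE, THRESHOLD))
    print(has_quorum([f"validator-{i}" for i in range(1, 5)], RONIN_STYLE, THRESHOLD))
```

Under the article's description the Ronin-style set reaches quorum with two organizations and the largest operator alone holds 80% of the threshold, whereas the evenly distributed set needs five separate breaches. Tracking this metric alongside the raw `k-of-n` figure is the check a bridge operator would want when adding or removing validators.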
Spyware-Loaded Job Offer Enabled Initial Breach
While the mechanics of the theft were previously known, the entry point remained unclear — until now. New details revealed by anonymous sources to The Block indicate that the attack stemmed from a phishing campaign disguised as a job recruitment effort.
An Axie engineer was reportedly approached on LinkedIn by fake recruiters and went through multiple interview rounds. The final offer came as a PDF file, which, when opened, installed spyware on the victim’s device. From there, attackers moved laterally across Ronin’s internal systems and accessed validator private keys.
Social Engineering Over Technical Exploits
Ronin Network had previously stated that the attack appeared to be the result of “social engineering, rather than a technical flaw.” This recent revelation confirms those suspicions and highlights the human element of cyber risk — particularly in decentralized finance (DeFi) platforms.
“Blockchain platforms should do what every organization should: implement phishing defenses that combine tech and human vigilance,” said Mollie MacDougall, director of threat intelligence at Cofense. She added that had even one employee reported the phishing attempt, the breach might have been prevented.
Lazarus Group Confirmed Behind the Attack
In April, the U.S. Treasury Department formally linked the Ethereum wallet involved in the heist to North Korea’s Lazarus Group — a notorious state-sponsored APT involved in multiple high-profile cyberattacks. The attack not only drained funds but also exposed critical structural weaknesses in validator governance and response processes across the DeFi sector.
Security experts warn that as blockchain platforms grow in popularity, threat actors will continue to combine traditional phishing tactics with advanced cyber capabilities to target poorly secured ecosystems.