Anatomy of a Breach: Ronin Network — $620 Million Stolen in the Largest Crypto Heist in History

> series: anatomy_of_a_breach —— part: 160 —— target: ronin_network —— stolen: $620,000,000 —— attacker: lazarus_group —— entry: fake_linkedin_job_offer

Hedgehog Security 30 April 2022 13 min read

$620 million. The largest crypto heist ever. It started with a LinkedIn job offer.

On 23 March 2022, attackers compromised the Ronin Network — the Ethereum sidechain powering Axie Infinity, one of the world's most popular blockchain games — and stole approximately $620 million in cryptocurrency. The theft was not detected for six days — it was only discovered on 29 March when a user reported being unable to withdraw funds. The US Treasury subsequently attributed the attack to North Korea's Lazarus Group — the same state-sponsored unit behind the Bangladesh Bank SWIFT heist ($81M, 2016) and the Sony Pictures attack (2014).

The attack began with social engineering: a Lazarus Group operative contacted a senior Sky Mavis (Axie Infinity's developer) engineer through LinkedIn with a fake job offer. The engineer, going through the interview process, downloaded a document containing malware — which gave the attackers access to the company's systems. From there, they compromised five of the nine validator nodes required to authorise bridge transactions, enabling them to approve their own fraudulent withdrawals. The $620 million theft — conducted by a nation-state to fund its weapons programmes — demonstrated that even decentralised blockchain systems have centralised points of failure that social engineering can exploit.


Decentralised technology. Centralised human vulnerability.

Fake Job Offer via LinkedIn

The initial compromise came through a fake job offer — a social engineering technique that exploits career ambition and trust in professional networks. Our <a href="/penetration-testing/social-engineering">social engineering assessments</a> test staff resilience to targeted approaches including fake recruitment and LinkedIn-based attacks.

Lazarus Group: State-Sponsored Crypto Theft

North Korea's Lazarus Group has evolved from <a href="/blog/anatomy-of-a-breach-sony-pictures">destructive attacks</a> (Sony, 2014) through <a href="/blog/anatomy-of-a-breach-bangladesh-bank-swift">bank heists</a> (SWIFT, 2016) to cryptocurrency theft ($620M, 2022) — generating revenue for the regime through increasingly sophisticated financial cybercrime.

Six Days Before Detection

$620 million was stolen and the theft went undetected for six days. <a href="https://www.socinabox.co.uk">SOC in a Box</a> provides the continuous transaction and access monitoring that detects anomalous activity — including large, unexpected transfers — in hours, not days.

Validator Key Compromise

The attackers needed five of nine validator keys — and they obtained them through a single compromised employee account and legacy access permissions that should have been revoked. Access reviews and the principle of least privilege — mandated by <a href="/cyber-essentials">Cyber Essentials</a> — would have reduced the attack surface.
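The two points above (a stale permission that lets one account reach the 5-of-9 signing threshold, and a withdrawal that should have tripped monitoring) can be made concrete with a small model. The following is an added illustration written for this article; it is not Sky Mavis or Ronin code. Validator names, account names, the delegation table, the idle-day counts and the withdrawal amounts are all constructed, and an HMAC stands in for a validator's signature so the script runs offline.

```python
# Toy 5-of-9 validator bridge with an access-review step and a size-based
# withdrawal alert. Constructed illustration only; not Ronin/Sky Mavis code.
import hashlib
import hmac
import os
import statistics
from dataclasses import dataclass, field

QUORUM = 5  # distinct validator signatures needed to release funds (5 of 9)


def sign(key: bytes, message: str) -> str:
    """Stand-in for a validator signature (HMAC-SHA256 instead of ECDSA)."""
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()


@dataclass
class Bridge:
    keys: dict                      # validator name -> secret signing key
    holders: dict                   # account name -> validators it holds keys for
    # (validator, account) -> days since that delegation was last exercised.
    # A delegation lets the account sign on the validator's behalf.
    delegations: dict = field(default_factory=dict)

    def validators_for(self, account: str) -> set:
        """Every validator a single account can produce a signature for."""
        direct = set(self.holders.get(account, ()))
        delegated = {v for (v, a) in self.delegations if a == account}
        return direct | delegated

    def signatures_from(self, account: str, withdrawal: str) -> dict:
        """Signatures one account can produce on its own for a withdrawal."""
        return {v: sign(self.keys[v], withdrawal) for v in self.validators_for(account)}

    def verify_withdrawal(self, withdrawal: str, signatures: dict) -> bool:
        """Release only if QUORUM distinct validators signed this exact message."""
        valid = {
            v for v, sig in signatures.items()
            if v in self.keys and hmac.compare_digest(sig, sign(self.keys[v], withdrawal))
        }
        return len(valid) >= QUORUM

    def review_access(self, max_idle_days: int) -> list:
        """Access review: revoke delegations idle longer than max_idle_days."""
        stale = [k for k, idle in self.delegations.items() if idle > max_idle_days]
        for k in stale:
            del self.delegations[k]
        return stale


def large_withdrawal(amount: float, recent: list, factor: float = 10.0) -> bool:
    """Monitoring rule: flag a withdrawal far above the recent median size."""
    return amount > factor * statistics.median(recent)


def build_bridge() -> Bridge:
    """Constructed validator set: one ops account holds four keys directly."""
    keys = {f"validator-{i}": os.urandom(32) for i in range(1, 10)}
    holders = {
        "ops-account": {"validator-1", "validator-2", "validator-3", "validator-4"},
        "partner-account": {"validator-5"},
        "dao-account": {"validator-6", "validator-7", "validator-8", "validator-9"},
    }
    # Legacy permission: the partner once let ops-account sign for validator-5
    # and nobody revoked it. Constructed value: last used 120 days ago.
    delegations = {("validator-5", "ops-account"): 120}
    return Bridge(keys, holders, delegations)


def scenario(review_first: bool) -> bool:
    """Does compromising ops-account alone reach the signing quorum?"""
    bridge = build_bridge()
    if review_first:
        bridge.review_access(max_idle_days=30)
    withdrawal = "withdrawal#1: 25000000 USDC to 0xCONSTRUCTED"  # constructed
    sigs = bridge.signatures_from("ops-account", withdrawal)
    return bridge.verify_withdrawal(withdrawal, sigs)


if __name__ == "__main__":
    print("quorum reached without access review:", scenario(review_first=False))
    print("quorum reached after access review:  ", scenario(review_first=True))
    print("withdrawal flagged:", large_withdrawal(25_000_000, [1000, 2500, 1800, 3000]))
```

Without the review, the four keys the account holds plus the forgotten delegation make five, and the bridge releases funds; after revoking delegations idle for more than 30 days the same compromise yields four signatures and the withdrawal is rejected. The alert rule is deliberately simple (median of recent withdrawals times a factor) because the point is that a transfer orders of magnitude above normal is detectable from the transaction stream alone, without waiting for a user to report a failed withdrawal.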

Blockchain is decentralised. The people managing it are not.

The Ronin hack proved that blockchain technology's decentralised architecture does not eliminate human vulnerability — it merely relocates the trust to the people who manage validator keys, smart contracts, and administrative access. For UK organisations using or developing blockchain-based systems, security must address both the technology and the human elements. Social engineering testing assesses human vulnerability. Application testing evaluates smart contract and blockchain application security. Cyber Essentials mandates access reviews. SOC in a Box monitors for anomalous access patterns. And UK Cyber Defence provides incident response for financial and blockchain-related breaches.


$620 million stolen through a LinkedIn message. Are your people tested against social engineering?

<a href="/penetration-testing/social-engineering">Social engineering testing</a> assesses staff resilience. <a href="/cyber-essentials">Cyber Essentials</a> mandates access controls. <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects anomalous transactions.