Go back to overview

Cyrex Hacking Roundup: June

9 June 2022

With Summer in full swing, you would believe that hackers would be taking a sunny holiday. Sadly this isn’t the case. Bringing you the biggest and latest hacking stories in the gaming industry, stay informed, and stay secure, with our latest Hacking Roundup!

Axie Infinity hack recap

We covered this major hack in our previous hacking roundup, where the popular play-to-earn blockchain game suffered one of the biggest crypto hacks in history. Attackers took control of a network of validator nodes connected to Axie Infinity and used them to make false withdrawals. Hackers made off with 173,600 Ethereum and 25.5 million USD coins, totalling $620 million.

Upon further investigation, the U.S. government has linked a notorious gang of North Korean hackers, known as the Lazarus Group, to a cryptocurrency address used for this hack. Authorities also confirmed that this group were also responsible for the 2014 hacking of Sony Pictures, where they wiped data off 3,000 Sony computers.

On April 27, Sky Mavis released a post-mortem that provides in-depth insight as to how the attack happened, how the issues were addressed and previously unmentioned insights. A correspondent from Sky Mavis stated in a blog post that they “would like to extend a thank you to all law enforcement agencies who have supported us in this ongoing investigation.”

Despite the recent controversy, Axie Infinity players also confirmed they will be continuing to show their support, in a recent article for NBC News.

Hackers target Roblox with trojan code

With over 50 million daily active players worldwide, Roblox is one of the most popular games at the moment. The platform is used by at least two-thirds of American children aged 9 to 12. So it’s understandable why this is the perfect target for hackers.

Avanan, a Check Point company, recently uncovered a Trojan file that was hidden within a legitimate scripting engine that’s used for cheat code in Roblox. The infected trojan file, which is hidden in the Windows system folder, can damage applications, corrupt or delete data, and communicate with hackers. These permissions might allow hackers to use ransomware to encrypt data or deploy additional payloads.

Roblox asserted that the compromise was in the Synapse X scripting engine and not the Roblox children’s game, with a spokesperson publicly stating “Using third-party services to circumvent specific systems is also against our Terms of Service. Roblox maintains many systems to keep our users safe and secure, and we prohibit attempts to bypass these systems or otherwise violate our platform requirements.”

Nintendo enforces powerful anti-hack systems

We’ve heard plenty of offence stories, now it’s time for defence! Ahead of some of the major upcoming releases, Nintendo is being proactive with their security, with the company recently filing a patent named “Attestation Program”.

Nintendo's "Attestation Program" is a proprietary mechanism that allows developers to identify if a game's backend code has been modified or altered. Essentially, if the code is modified, this system will immediately notify the developers. The method will also aid in the prevention of hacking in their online games, particularly multiplayer games. However, this initiative is still in the works, and no one knows when it will go online.

With major games such as Splatoon 3, Mario Strikers: Battle League, and more lined up for release over the coming months, and Nintendo’s zero tolerance for cheaters, we can expect to see a release very soon.

To catch up with our previous hacking roundup, check out our April article, where we covered the latest hacking news surrounding Elden Ring, Among Us and more.

To discover more about Cyrex, check out our blog and portfolio page. We also offer comprehensive manual penetration testing for games and non-gaming applications. For any other questions, please get in touch.