Axie Infinity: what are the security risks when gaming?

This video game gained a lot of popularity and also attracted the interest of all kinds of scammers looking to take advantage of this expansion

With an innovative proposal, Axie Infinity is a blockchain-based “play to earn” video game that was released in early 2018 and experienced significant growth worldwide, mainly due to the explosion of non-fungible tokens, known as NFTs.

These are non-interchangeable data units that are stored in the blockchain and allow converting digital items into unique and unrepeatable, whose ownership can be demonstrated, transforming them into valuable items that can be traded.

Given its popularity and its direct link to money, Eset, a company specializing in proactive threat detection, analyzed the processes surrounding the game and its structures to determine its safety, and the ways to minimize the risks of those users who decide to start playing.

“To be able to play Axie Infinity it is necessary to obtain three characters called Axies directly linked to the user’s account, which implies investing more than 400 dollars,” he explained in his analysis, shared with iProfesional, Daniel Barbosa, Researcher at Eset Latin America.

Players can level up your characters and then market them for income in return. In addition, it is based on NFTs that can be bought and sold and that allows players to earn money.

“As always happens, any technology or digital activity that attracts a large mass of users is accompanied by cybercriminals willing to carry out their social engineering strategies to keep access credentials and money,” Barbosa warned.

The characters in the game are monsters called Axies and they can belong to nine types of classes. These Axies are NFT tokens sold within the “marketplace” of the game itself and their price varies according to a series of factors, such as the abilities that the monster has, how many times it has already been reproduced, etc.

There are a number of crypto assets present in the game. The main ones are the characters that are used to play, and two currencies that can be obtained in the game: the SLP and the AXS.

  • SLP | Smooth Love Potion: SLP is the most common currency in the game. It is possible to obtain it in battles with other players or passing the levels of the adventure mode. SLP is a crypto asset and can also be traded outside of the game.
  • AXS | Axie Infinity Shard: AXS is also a crypto asset that can be obtained in-game. AXS are worth much more than SLPs and are awarded as prizes to the top 300 in the game’s world rankings at the end of each season. Thus, as in any reward system, the higher the user is in the ranking, the greater the reward obtained within the game, being able to reach 500,000 AXS in the case of the first place. Like the crypto assets above, it can also be traded outside of the game.

“Despite being something that is indirectly related to security, the most obvious risk is that everything revolves around crypto assets and that these can fluctuate as much as the most popular cryptocurrencies, such as Bitcoin, for example, “said Barbosa.

As the game requires having at least three Axies and the cheapest is above $ 140 (0.04 Ethereum), “it is important to take into account that there may be a sudden devaluation and that the amount invested to start playing falls sharply,” he warned.

As a game or service receives “a lot of attention and significant amounts of money circulate (if you think about all the crypto assets present here), it is logical to think that cybercriminals are attracted and seek to carry out all kinds of frauds and scams to get part of that money. “reasoned the Eset executive.

Risks related to the accounts

As these are digital wallets, the risks associated with bank accounts Binance, Metamask y Ronin Wallet they are very relevant. If someone has access to them, they will have control over the money in these accounts and will be able to use it as they see fit.

The number of accounts implies a greater attack surface, which increases the chances of criminals to direct their deceptions. For example, the game has a very close link to Ronin’s wallet, and this can allow criminals to also have access to the Axies that have already been purchased in that wallet.

With that in mind, criminals will focus their efforts on compromising user accounts on these platforms, either through rogue apps posing as legitimate. This occurred with a fake Ronin Wallet app that was made available for download on the Playstore.

The application pretends to be the official wallet application used by the game and seeks to steal information and money from the victims. When briefly reviewing the description of the application, in Eset they observed that it has a very low rating and that the users themselves report in the comments that it is a fake application.

Another detail is that, despite its convincing appearance, the application’s contact information refers to a dominio .org, when the real domain of the company is a .com.

Axie Infinity is only distributed on PC and MacTherefore, there is no mobile version. On the official website of Sky Mavis, creator of Ronin Wallet, the company reports that the software for mobile devices will be released soon.

In the comments of the extension for Google Chrome Ronin Wallet users claim to have lost control of their accounts and have their axies stolen. Users had apparently downloaded a fake Ronin Wallet app.

Phishing in Axis

Phishing is another great threat that attacks Axie players and is one of the most used ways by criminals who create fake sites that impersonate the official site to deceive them and obtain personal information, such as the seed phrase or seed phrase for Ronin Wallet, or impersonating some other service such as Metamask, for example.

These hoaxes can circulate through platforms such as Discord, for example, where criminals pose as legitimate channels, through Google ads that lead to fake sites, or through social networks. Other examples of phishing attacks targeting Axie Infinity users:

  • Scholarships: As the cost to play Axie Infinity starts at over $ 400 and this makes access to the game unfeasible for most people, wealthier investors created scholarships. An account rental system in which the owner puts the money in and the renter comes in for a time available to play and get SLPs on a daily basis. Then they divide the winnings.
  • Risks of the online environment: Online games coexist with cybercriminals who seek to profit. In the case of scholarships, it may happen that the account administrator (owner of the axies) shares more information than necessary with the player who rents his account and this involves a risk.

If the admin gives access to the Ronin wallet to which the axies are linked, tenant can steal axies and other crypto assets that are linked to that account without major difficulties, so it is necessary for the administrator to properly study how this process can be carried out safely.

But the risks are not only for those who offer the scholarships. From Eset they observed that in some countries users interested in being selected for a scholarship share more information on social networks than they should, since in their eagerness to obtain an opportunity disclose personal information publicly, making them easy targets for scammers. Some cases even minors.

How to be protected

As explained in the official Axie Infinity account on Reddit, be clear that no one is offering Axies or SLP for free. If something like this is observed, it is probably a hoax.

No one from Axie Infinity technical support will contact you directly to help with a publicly reported problem. Also, be careful with any tool that requires entering the Ronin Wallet access credentials or sharing the seed phrase. In case of delivering this information, the scammer will have access to the wallet and will be able to empty it completely.

Other Eset recommendations that may also apply beyond Axie Infinity and be from useful in other settings of digital life, are the following:

Enable two-step authentication

When it comes to cryptocurrencies, it is common for Exchange, like Binance, natively offer the ability to implement double factor authentication. This provides an additional layer of security that minimizes the risk of someone improperly accessing our accounts.

Among the most common authentication options we have the possibility of receiving access tokens by email, SMS or apps like Google Authenticator, and the best thing is that some services allow them to be used simultaneously.

Use a password manager

Ideally, passwords should be long and complex to increase the difficulty in case attackers try to decipher them using some technique. To reduce the risk of forgetting or losing passwords, an administrator is of great help, since just by remembering a master password you can access all the keys stored for the different services.

Use unique passwords on all accounts

Never repeat a password in any type of service, especially in games. If the password for the Ronin and Metamask wallets It is the same as the game password, and someone gains access to one of these accounts, they will automatically have access to the others and the crypto assets linked to them.

Find information from official sources

Regardless of whether it is a new game or service, you should always look for information from reliable sources to know what should or should not download. In Axie’s case, the rogue app created by the criminals was from Ronin’s wallet, but it could have been from Metamask’s wallet, or even a fake app from the game itself. Always look for information on official sites about what you should and should not use / download.

Be careful with false emails or messages

As the popularity of the game increases, malicious phishing campaigns have been targeting players to steal information for financial gain. This occurs on various social platforms or mail.

Stay alert and never follow directions that arrive by email. If the company or service needs a change to be made to the system, the user is always instructed to access official sources to obtain information, either through the website or by telephone.

Install a security tool on devices

Many of the malware collect passwords in different ways, they manage to intercept the victim network communications and they even alter the content that goes directly into memory, which is often used to exchange cryptocurrency wallet addresses.

Not have a protection software installed, updated and configured to stop threats leaves you extremely vulnerable to any attack, so having a reliable solution is essential.

Leave a Comment