Hackers Steal $868 Million From Ronin Network in Largest Ever Crypto Theft

Axie characters from the play-to-earn NFT/crypto game Axie Infinity. (Image: Axie Infinity)

Hackers stole roughly $US625 ($868) million in cryptocurrency from the Ronin blockchain and the play-to-earn Axie Infinity video game network that operates on top of it, according to a disclosure from the Ronin Network late Tuesday. The hack is believed to be the biggest theft of cryptocurrency in history.

The hack occurred on March 23, but wasn’t discovered until Tuesday, according to an explanation posted online by the Ronin Network. The hackers made off with about 173,600 ether, the second most popular crypto coin behind bitcoin, and 25.5 million USDC, a stablecoin pegged to the U.S. dollar.

The hacker’s crypto wallet, which is available to view on Etherscan, shows that most of the funds haven’t been moved since they were extracted from the Ronin Network. But there’s evidence the hacker is trying to move tiny amounts of crypto in several transactions, perhaps a way to figure out what avenue might be safe for extracting the wealth.

Ronin explained in a Substack post that the hackers were able to gain control of five of the nine validator nodes on the network.

From Ronin’s explanation on Tuesday:

Sky Mavis’ Ronin chain currently consists of 9 validator nodes. In order to recognise a Deposit event or a Withdrawal event, five out of the nine validator signatures are needed. The attacker managed to get control over Sky Mavis’s four Ronin Validators and a third-party validator run by Axie DAO.

The validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one, but the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.
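
The five-of-nine threshold in Ronin's explanation counts keys, not independent parties. The following Python script is an added example, not code from Ronin or Sky Mavis: it computes the fewest trust domains that must be compromised to reach the signing threshold, first with independent keys and then when one operator can obtain another's signature. The four unnamed operators, the key labels and the signing-access model are assumptions.

```python
from itertools import combinations

THRESHOLD = 5  # signatures required per deposit/withdrawal, per the quote

# validator key -> trust domains able to obtain its signature.
# The 4 + 1 split is from the quote; "Operator A".."Operator D" are
# constructed placeholders for the four validators the article does not name.
BASE = {
    "skymavis-1": {"Sky Mavis"},
    "skymavis-2": {"Sky Mavis"},
    "skymavis-3": {"Sky Mavis"},
    "skymavis-4": {"Sky Mavis"},
    "axie-dao": {"Axie DAO"},
    "validator-a": {"Operator A"},
    "validator-b": {"Operator B"},
    "validator-c": {"Operator C"},
    "validator-d": {"Operator D"},
}


def with_signing_access(access, key, domain):
    """Copy of `access` in which `domain` can also get signatures from `key`."""
    updated = {k: set(v) for k, v in access.items()}
    updated[key].add(domain)
    return updated


def min_domains_to_threshold(access, threshold=THRESHOLD):
    """Smallest set of trust domains whose combined keys meet the threshold."""
    domains = sorted(set().union(*access.values()))
    for size in range(1, len(domains) + 1):
        for combo in combinations(domains, size):
            keys = sorted(k for k, who in access.items() if who & set(combo))
            if len(keys) >= threshold:
                return set(combo), keys
    return set(), []


if __name__ == "__main__":
    # Assumed model of the quoted failure: Sky Mavis infrastructure (the
    # gas-free RPC node) could obtain the Axie DAO validator's signature.
    delegated = with_signing_access(BASE, "axie-dao", "Sky Mavis")
    for label, access in (("independent keys", BASE), ("with delegation", delegated)):
        domains, keys = min_domains_to_threshold(access)
        print(f"{label}: compromise {len(domains)} domain(s) {sorted(domains)} -> {len(keys)} keys")
```

A result of one domain means the bridge has a single point of failure regardless of its nominal threshold.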

Axie Infinity’s play-to-earn model of gaming is incredibly controversial for being exploitative. Yes, people can earn crypto by playing games, but there’s often a high barrier to entry. In the case of Axie Infinity, users first have to buy NFTs of digital creatures called Axies. Users have to buy at least three Axies, the cheapest of which can cost more than $US80 ($111) each. The most expensive Axie ever sold was $US820,000 ($1,138,324).

Roughly 35% of Axie Infinity’s traffic last year was from the Philippines, where popularity of the game exploded as a way to earn money during covid-19 pandemic lockdowns. The AFP recently reported on a man in the Philippines who makes between $US150 ($208) and $US200 ($278) per month, about half of his monthly salary as a content moderator.

Curiously, people who are tracking the stolen crypto have noticed some of it is travelling through traditional crypto exchanges. The move is highly unusual, because traditional exchanges can theoretically freeze the funds and not allow the crypto to be cashed out for fiat currency.

More typically, hackers will use services like Tornado Cash, which is an ethereum “mixer” that makes it hard to trace where the money originated. Hackers who nabbed $US34 ($47) million in crypto from Crypto.com back in January used Tornado Cash to launder their funds.