Largest Crypto Hack Ever Nabs $625 Million From Ronin Network

Hackers Steal $625 Million From Ronin Network in Largest Ever Crypto Theft
Nobody at Ronin noticed the theft of over $600 million in ether for six days.
By Matt Novak
Published March 30, 2022
Axie characters from the play-to-earn NFT/crypto game Axie Infinity.
Image: Axie Infinity
Hackers stole roughly $625 million in cryptocurrency from the Ronin blockchain and the play-to-earn Axie Infinity video game network that operates on top of it, according to a disclosure from the Ronin Network late Tuesday. The hack is believed to be the biggest theft of cryptocurrency in history.

The hack occurred on March 23, but wasn’t discovered until Tuesday, according to an explanation posted online by the Ronin Network. The hackers made off with about 173,600 ether, the second most popular crypto coin behind bitcoin, and 25.5 million USDC, a stablecoin pegged to the U.S. dollar.

The hacker’s crypto wallet, which is available to view on Etherscan, shows that most of the funds haven’t been moved since they were extracted from the Ronin Network. But there’s evidence the hacker is trying to move tiny amounts of crypto in several transactions, perhaps a way to figure out what avenue might be safe for extracting the wealth.

Ronin explained in a Substack post that the hackers were able to gain control of five of the nine validator nodes on the network.

From Ronin’s explanation on Tuesday:

Sky Mavis’ Ronin chain currently consists of 9 validator nodes. In order to recognize a Deposit event or a Withdrawal event, five out of the nine validator signatures are needed. The attacker managed to get control over Sky Mavis’s four Ronin Validators and a third-party validator run by Axie DAO.

The validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one, but the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.
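The 5-of-9 arrangement Ronin describes can be checked for custody concentration. This is an added example, not code from Ronin or from this article: it counts how few organizations need to be compromised before the signature threshold is met. The four Sky Mavis validators, the Axie DAO validator and the threshold come from the quote; the `operator-*` names and the second mapping (which assumes Sky Mavis infrastructure can obtain the Axie DAO signature, as the quote says the RPC node allowed) are constructed.

```python
from itertools import combinations

THRESHOLD = 5  # signatures needed for a deposit or withdrawal (from the quote)

# validator -> organizations able to obtain that validator's signature.
# "operator-*" entries are constructed placeholders for the other four validators.
INDEPENDENT = {
    "sky-mavis-1": {"Sky Mavis"},
    "sky-mavis-2": {"Sky Mavis"},
    "sky-mavis-3": {"Sky Mavis"},
    "sky-mavis-4": {"Sky Mavis"},
    "axie-dao": {"Axie DAO"},
    "validator-6": {"operator-A"},
    "validator-7": {"operator-B"},
    "validator-8": {"operator-C"},
    "validator-9": {"operator-D"},
}

# Assumption: a signing path exists from Sky Mavis infrastructure to the
# Axie DAO validator, so Sky Mavis is a second holder of that signature.
WITH_SIGNING_PATH = dict(INDEPENDENT)
WITH_SIGNING_PATH["axie-dao"] = {"Axie DAO", "Sky Mavis"}


def signatures_held(signers, organizations):
    """Count validators whose signature any of the given organizations can obtain."""
    held = set(organizations)
    return sum(1 for holders in signers.values() if holders & held)


def min_organizations_for_quorum(signers, threshold):
    """Return (k, organizations): the smallest group that alone meets the threshold."""
    everyone = sorted(set().union(*signers.values()))
    for k in range(1, len(everyone) + 1):
        for group in combinations(everyone, k):
            if signatures_held(signers, group) >= threshold:
                return k, group
    return None  # threshold unreachable even with every organization


if __name__ == "__main__":
    for label, mapping in (("independent custody", INDEPENDENT),
                           ("with signing path", WITH_SIGNING_PATH)):
        k, group = min_organizations_for_quorum(mapping, THRESHOLD)
        print(f"{label}: quorum reachable through {k} organization(s): {group}")
```

A result of 1 means the multi-signature threshold offers no protection against a breach of that single organization, regardless of how many validators exist on paper.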

Axie Infinity’s play-to-earn model of gaming is incredibly controversial for being exploitative. Yes, people can earn crypto by playing games, but there’s often a high barrier to entry. In the case of Axie Infinity, users first have to buy NFTs of digital creatures called Axies. Users have to buy at least three Axies, the cheapest of which can cost more than $80 each. The most expensive Axie ever sold was $820,000.

Roughly 35% of Axie Infinity’s traffic last year was from the Philippines, where popularity of the game exploded as a way to earn money during covid-19 pandemic lockdowns. The AFP recently reported on a man in the Philippines who makes between $150 and $200 per month, about half of his monthly salary as a content moderator.

Curiously, people who are tracking the stolen crypto have noticed some of it is traveling through traditional crypto exchanges. The move is highly unusual, because traditional exchanges can theoretically freeze the funds and not allow the crypto to be cashed out for fiat currency.

More typically, hackers will use services like Tornado Cash, which is an ethereum “mixer” that makes it hard to trace where the money originated. Hackers who nabbed $34 million in crypto from Crypto.com back in January used Tornado Cash to launder their funds.