Hacker steals $625M worth of crypto from Ronin, developer behind NFT game Axie Infinity

Sky Mavis, operator of Axie Infinity, the biggest play-to-earn NFT game, announced Tuesday that an unidentified hacker stole $625 million worth of cryptocurrency from Ronin, the blockchain underlying Axie Infinity. Sky Mavis said it froze transactions on the Ronin bridge following the incident.

The company said it was working with law enforcement to recover $600 million worth of Ethereum and 25.5 million worth of US dollar-pegged cryptocurrency USDC. The hacker withdrew the assets on March 23rd after launching an attack on the bridge to Sky Mavis’ Ronin blockchain, which acts as an intermediary between Axie Infinity and other cryptocurrency blockchains, including Ethereum.

Axie Infinity is a Pokémon-inspired monster-breeding game in which players raise and breed creatures called Axies. Breeding produces a new generation of Axies with traits inherited from their parents. Axies can be traded both on NFT marketplaces and in the game. Rare breeds of Axies can earn the player a huge amount of money.

How it happened

Sky Mavis said the hacker compromised the network nodes that validate transfers to and from Ronin by using hacked private security keys, allowing the attacker to withdraw a huge amount of Ethereum and USDC quietly. The transfer was discovered almost one week after the incident, when a user attempted to withdraw 5,000 Ethereum through the bridge.

Despite the incident, the Axie NFT tokens that players must purchase in order to play Axie Infinity were unaffected. The same applies to the SLP and AXS in-game cryptocurrencies, which are used in battling and breeding in-game creatures.

However, many new players have been locked out of the game due to the freezing of withdrawals and deposits. The incident also led many players to question the safety of their assets stored on the blockchain. Sky Mavis, meanwhile, said it was “working with law enforcement officials, forensic cryptographers, and our investors to make sure there is no loss of user funds”, adding that it was its “top priority”.

Sky Mavis blamed the attack on a shortcut the company took in November 2021 to relieve an “immense user load” on its network due to Axie Infinity gaining sudden popularity in the Philippines and other countries, with players relying on the game as their main source of income.

Although the shortcut was discontinued in December last year, the permissions that allowed it to be taken were not revoked. This allowed the hacker to compromise the system’s validator nodes. The attacker also used the security hole to compromise another validator node that was managed by the community-owned Axie DAO.

At that point, five of the nine validator nodes had been compromised, and the hacker was able to withdraw however many crypto assets he wanted.
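The failure described above, a signing permission that outlived its purpose and let one party reach five of nine validator signatures, can be caught with a periodic audit. The sketch below is an added example, not Sky Mavis code; the operator names, the split of validators between operators, and the dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Grant:
    """Permission for `grantee` to produce signatures for `validator`."""
    validator: str
    grantee: str
    purpose_ended: Optional[date]  # date the arrangement was discontinued
    revoked: bool

def effective_control(owners, grants):
    """Map each party to the validators whose signature it can produce."""
    control = {}
    for validator, owner in owners.items():
        control.setdefault(owner, set()).add(validator)
    for g in grants:
        if not g.revoked:  # an unrevoked grant still confers signing power
            control.setdefault(g.grantee, set()).add(g.validator)
    return control

def audit(owners, grants, threshold, today):
    """Flag stale grants and any party able to reach the signing threshold."""
    findings = []
    for g in grants:
        if not g.revoked and g.purpose_ended and g.purpose_ended <= today:
            findings.append(("STALE_GRANT", g.grantee, g.validator))
    for party, vals in sorted(effective_control(owners, grants).items()):
        if len(vals) >= threshold:
            findings.append(("QUORUM_REACHABLE", party, len(vals)))
    return findings

# Constructed sample: nine validators, threshold five (figures from the article);
# who operates which validator is an assumption made for this example.
THRESHOLD = 5
OWNERS = {"v1": "operator-a", "v2": "operator-a", "v3": "operator-a",
          "v4": "operator-a", "v5": "dao", "v6": "operator-b",
          "v7": "operator-c", "v8": "operator-d", "v9": "operator-e"}
GRANTS = [Grant("v5", "operator-a", date(2021, 12, 1), revoked=False)]

if __name__ == "__main__":
    for finding in audit(OWNERS, GRANTS, THRESHOLD, date(2022, 3, 23)):
        print(finding)
```

Compromising a single party is only as hard as the threshold suggests when no party, counting delegated permissions, can reach the threshold alone.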

“As we’ve witnessed, Ronin is not immune to exploitation and this attack has reinforced the importance of prioritizing security, remaining vigilant, and mitigating all threats,” the company said in its announcement.

“We know trust needs to be earned and are using every resource at our disposal to deploy the most sophisticated security measures and processes to prevent future attacks.”