The blockchain network Ronin, which powers the popular play-to-earn game Axie Infinity, suffered an attack that saw $625 million of ether and USDC vanish in the most extensive digital heist so far.
- Axie Infinity is like Pokemon, but instead of cards, you play with NFTs. You can collect, train and breed Axies for battle and then sell them for a profit. Some Axies have sold for as much as $600,000.
What happened: Axie Infinity’s blockchain network was exploited on March 23, when the hacker gained control of validator nodes that allowed them to approve two transactions that transferred 173,600 ether and 25.5 million in USDC into their wallet.
- Transactions are approved via five of nine validator signatures, and the attacker used “hacked private keys in order to forge fake withdrawals.”
The exciting element of this story is that the hacker seems to be a dog chasing cars and doesn’t seem to know what to do with the funds now that they have them. Their first move— putting some of the stolen cryptocurrency on a centralized exchange—was likely a judgment error.
- Centralized exchanges like FTX and Crypto.com have know-your-customer (KYC) verification systems that could reveal their identity.
- Using a centralized exchange while trying to launder stolen crypto is akin to adding a dye pack to a bag of cash you just pulled from a bank safe. It will be tough to spend that ink-stained money without people having questions.
- Some experts speculate that the hacker isn’t in it for the money but simply to prove that they could because, after all, $600 million is a lot to liquidate and launder.
Why it matters: The exploitation of Ronin’s validation protocols highlights the vulnerability of “bridges,” a way to transfer tokens from one network to another. The Ethereum linked “sidechain” can offer lower fees and faster transactions due to its validator structure but loses the security of a more extensive network.
- “The fact that nobody notices for six days screams aloud that some structure should be in place to watch illicit transfers,” Wilfred Daye, head of Securitize Capital, told Bloomberg.