Biggest Crypto Hack Ever: over $600M Stolen from Axie Infinity’s Ronin Network

03/31/2022By: L, Laura

Crypto worth over $600 million has been stolen after a jaw-dropping attack targeting the Ronin Network — a gaming blockchain that plays an instrumental role in powering Axie Infinity.

 

In a blog post, developers confirmed that a 173,600 ETH and 25.5 million USDC was taken by hackers in two transactions.

 

At the time of writing, this stash is worth $614 million — narrowly making this incident the biggest crypto hack on record. This overtakes the $611 million that was stolen from PolyNetwork last summer, although it’s worth noting these funds were later returned.

 

Stressing that all remaining funds on the platform are safe, Ronin confirmed it is now “working with law enforcement officials, forensic cryptographers and our investors to make sure all funds are recovered or reimbursed.”

 

Ronin’s statement says that the compromise took place on March 23, but it was only discovered on March 29 — a full six days later:

“The attacker used hacked private keys in order to forge fake withdrawals. We discovered the attack this morning after a report from a user being unable to withdraw 5,000 ETH from the bridge.”

 

Questions are also being raised about the safeguards that were in place to prevent such an attack from occurring. The Ronin chain consists of nine validator nodes — and signatures from five of them are required to initiate a deposit or a withdrawal.

 

According to the statement, “the attacker managed to get control over Sky Mavis’s four Ronin validators and a third-party validator run by Axie DAO.”

 

Although the validator threshold for withdrawals has now been raised to eight out of nine to mitigate against future attacks, critics will argue that this is too little, too late.

 

Positive Response

 

A look at the hacker’s wallet would show that the funds are still in his wallet. As well as working with Chainalysis to monitor the flow of stolen funds, developers have contacted major exchanges so they can halt linked transactions, too. Binance’s CEO Changpeng Zhao tweeted:

“Our team is in touch with Axie Infinity team providing assistance in tracking this issue.”

 

In a Q&A that asked whether Ronin is still safe to use, developers said:

“As we’ve witnessed, Ronin is not immune to exploitation and this attack has reinforced the importance of prioritizing security, remaining vigilant, and mitigating all threats. We know trust needs to be earned and are using every resource at our disposal to deploy the most sophisticated security measures and processes to prevent future attacks.”

 

At the same time, the Ronin Bridge has been temporarily paused. Users remain unable to withdraw or deposit funds “to ensure no further attack vendors remain open,” but they have been assured that the bridge will be opened up at a later date once developers are certain no funds can be drained.

 

Axie Infinity has struck a defiant tone in the aftermath of the hack, tweeting:

“We are here to stay.”

 

In the immediate aftermath of the announcement, the value of Axie Infinity’s native token, AXS, has fallen rapidly from $70 to $64.30 — down 8%. The asset has lost over 7% of its value within the last one hour and is currently trading for $64.

 

Ronin, a token based on the blockchain of the same name, has fared even worse, plunging by 20% over the past 24 hours.