Axie Infinity's Ronin Network hit with $600m crypto hack
Hackers stole about $600 million worth of cryptocurrency in an attack on Ronin Network, a platform powering one of the world's most popular NFT video games, Axie Infinity.
Axie Infinity is a Pokémon-like game where players produce and combat digital monsters called 'Axies' that are tied to non-fungible tokens (NFTs). Players can also earn cryptocurrency, which can then be exchanged on select cryptocurrency exchanges outside of the game.
The game is particularly popular in Asia, especially Indonesia, but it has players around the world - many of whom have been affected by the attack on Ronin Network.
The hack was discovered on the 23rd March, but Ronin and Axie Infinity operator Sky Mavis waited nearly a week, to the 29th March, to announce it.
The Vietnamese company froze transactions on the Ronin Bridge after it detected the hack.
The hack targeted the Ronin Network, which serves as a bridge between Axie Infinity and cryptocurrency blockchains like Ethereum, enabling players to deposit and withdraw funds in and out of the game.
According to a blog post on the Ronin Network's official Substack, an attacker used compromised private security keys to breach the network nodes that authenticate transfers to and from the Ronin blockchain.
The hack began back in November 2021, when a massive influx of new players forced the company to loosen security procedures to cope with the increased demand.
After the situation calmed down in December, it forgot to retighten its security and left itself vulnerable.
The attacker commandeered five validator nodes on the blockchain, out of a total of nine, and used them to steal cash: 173,600 Ether and 25.5 million USDC tokens, totalling approximately $540 million - although the value has since risen to around $615 million.
Ronin Network said the hacker discovered 'a backdoor via our gas-free RPC node,' which they used to get the signature for the Axie DAO (decentralised autonomous organisation) validator.
The unauthorised transactions were discovered on Tuesday when a user tried to withdraw 5,000 Ethereum.
The attacker generated a new Ethereum address one week ago, after acquiring ETH from the Binance cryptocurrency exchange, according to data from Etherscan.
Although 6,250 ETH has been moved to other locations, the bulk of the funds remain in the new address.
Sky Mavis is working with forensic cryptologists, law enforcement agencies and the company's investors. COO Aleksander Larsen told Bloomberg that the firm would reimburse gamers who have lost funds as a result of the breach.
The Ronin hack appears to be one of the largest cryptocurrency heists to date, after the Poly Network hack last year.
A hacker stole around $611 million worth of cryptocurrency from Poly Network in August 2021, although the money was later returned to the firm. The hacker said their aim was not to steal money but to expose a security vulnerability in Poly Network before it was exploited by "an insider".