
Hackers steal $625 million in crypto from blockchain-based game Axie Infinity

It's one of the largest cryptoheists to date.


Jacob Seitz


Posted on Mar 29, 2022   Updated on Apr 11, 2022, 3:47 pm CDT

Roughly $625 million worth of cryptocurrency was stolen from Ronin Network, an Ethereum-linked sidechain used for the popular NFT-based game Axie Infinity, according to a statement Tuesday.

According to the statement, the Ronin bridge, which connects the Ronin blockchain to other cryptocurrencies like Ethereum, was exploited for 173,600 Ethereum and 25.5 million USDC, a digital currency linked directly to the U.S. dollar. The Ronin bridge allowed users to deposit Ethereum or USDC to Ronin, then purchase NFTs or in-game currency. Users could also sell their in-game assets and withdraw money using the bridge.

Sky Mavis, which operates Axie, said it is working with law enforcement and government agencies to recover the stolen funds and bring the hackers to justice. Since the hack, Ronin’s network has been locked, effectively stopping new players from entering the game or buying in-game items. The hack and subsequent freeze put the future of current users’ funds into question, since users cannot withdraw any of their in-game money.

The hack exploited validator nodes, a feature of some cryptocurrencies that offers a faster and more efficient means of computing transactions. Using a smaller number of nodes can be great for speed, but if a majority of the nodes are compromised, it becomes a major security risk. Sky Mavis announced it would be upping the threshold of validator nodes that need to sign off on transactions, in the hope that this improves security and prevents future hacks.

The Ronin hack was possible in part because of a shortcut the company itself created last year due to an “immense user load.” The shortcut allowed users to more readily send and receive funds, and was discontinued in December. However, the permissions that the shortcut allowed were never revoked. After exploiting five out of the eight nodes, the attacker could approve any transactions and withdraw whatever money they wanted.

The Ronin hack appears to be either the largest or second-largest hack to date of a decentralized finance network, and comes on the heels of the Wormhole bridge hack last month, in which $322 million was stolen.

“As we’ve witnessed, Ronin is not immune to exploitation and this attack has reinforced the importance of prioritizing security, remaining vigilant, and mitigating all threats,” the company said in the statement. “We know trust needs to be earned and are using every resource at our disposal to deploy the most sophisticated security measures and processes to prevent future attacks.”

*First Published: Mar 29, 2022, 2:42 pm CDT