Thousands, if not millions, of people could have lost money in the second largest crypto hack in history.
Ronin Network, a key platform powering the popular mobile game Axie Infinity, has had $615 million stolen.
In the game, players fight cartoon pets called Axies to earn cryptocurrency. The game is hugely popular with millions of players around the world hoping to win cryptocurrency and collect the game’s non-fungible tokens (NFTs). It is particularly big in the Philippines, where playing has become a full-time and potentially lucrative job.
Ronin Network, which is owned by Vietnamese parent company Sky Mavis, allows players to exchange the digital coins they earn in Axie Infinity with other cryptocurrencies such as Ethereum.
It says a hacker transferred $540 million worth of cryptocurrency to themselves six days ago, but the company only noticed on Tuesday when a customer was unable to withdraw their funds.
The stolen stash has since risen in value with the price of cryptocurrencies to be worth about $615 million. It’s just the latest in a string of mass crypto heists in the last year totalling well over $2 billion.
The sequence of events around the hack tells us a lot about the perils of cryptocurrency and decentralized finance.
Will customers get their money back?
Ronin Network says it is “working with law enforcement officials, forensic cryptographers, and our investors to make sure all funds are recovered or reimbursed”.
In the meantime, it has only put out one statement on its newsletter service Substack, and has taken its website offline.
It has also disabled comments on its company posts on social media, and the BBC has not had any replies from the many requests for comment sent to company bosses.
Ronin Network has not yet told customers what’s happening with their funds or when they will get their money back. In most cases of mass crypto hacks, customers are reimbursed in some way, but it can take months or years.
Cryptocurrency writer David Canellis, from Protos, says direct communication with cryptocurrency companies is notoriously poor.
“When you’re dealing with entities that are handling more than half a billion dollars you’d expect a little bit more avenues and openness to communication – especially when there has been such a lapse in security around this hack.
“But then again, one primary tenet of the ecosystem is that anyone at all can launch their own projects, and there should be no barriers to this.”
How it happened
Ronin Network says that the hack started in November 2021, when Axie Infinity’s user base swelled to an unsustainable size.
The company said the influx of players caused “immense user load,” which forced it to loosen security procedures to cope with the increased demand.
It says that things calmed down in December, but that it forgot to retighten its security, and the hackers took advantage of the backdoor left open.
Economist and author Frances Coppola says: “This is pretty typical of crypto companies.
“We’ve seen so many hacks and exploits caused by – to be blunt – frank carelessness and lack of concern for the safety of people’s funds.
“Crypto companies are sometimes so anxious to make ‘loadsamoney’, or simply accommodate high demand, that they put out badly designed and tested code, compromise security, or place too much reliance on infrastructure.”
The five largest-ever cryptocurrency hacks:
Figures from cryptocurrency analysis company Elliptic, based on the dollar value at time of hack:
- $325 million – Wormhole, February 2022
- $470 million – Mt Gox, February 2014
- $532 million – Coincheck, January 2018
- $540 million – Ronin Bridge, March 2022
- $611 million – Poly Network, August 2021
Why does this keep happening?
Experts say cryptocurrency is increasingly being seen as low-hanging fruit by hackers.
Cryptocurrency companies are “huge honeypots for hackers,” says Tom Robinson, of Elliptic.
“Crypto transactions are irreversible, so if a hacker can get their hands on it, it’s very difficult for anyone to retrieve it,” he says.
Robinson said cryptocurrency is also attractive because huge paydays are possible without the extra hassle of other cybercrime such as ransomware, where criminals have to negotiate with the companies they have hacked.
It’s not known who is behind this latest hack, but it is not necessarily cyber criminals out to make money for themselves. For example, state-sponsored hackers have been identified as the culprits behind some crypto heists.
According to cryptocurrency researchers at Chainalysis, North Korean hackers stole almost $400 million worth of digital assets in at least seven attacks on cryptocurrency platforms last year.