Hackers steal $814 million in one of the biggest crypto heists

A blockchain network connected to the Axie Infinity online game was hacked on March 23, 2022. PHOTO: ST FILE

PORTLAND, Oregon (BLOOMBERG) - Hackers stole about US$600 million (S$814 million) from a blockchain network connected to the popular Axie Infinity online game in one of the biggest crypto attacks to date.

Computers known as nodes operated by Axie Infinity maker Sky Mavis and the Axie DAO that support a so-called bridge - software that lets people convert tokens into ones that can be used on another network - were attacked, with the hacker draining what's known as the Ronin Bridge of 173,600 Ether and 25.5 million USDC tokens in two transactions.

The breach happened on March 23 but was discovered only on Tuesday (March 29), according to Ronin, the blockchain that supports Axie Infinity.

The attack is the latest to show that bridges are often rife with problems. The computer code of many is not audited, allowing hackers to exploit vulnerabilities. It is often unclear who runs them and exactly how. Identities of validators, who are supposed to order transactions on bridges, are often shrouded in mystery.

And yet there are thousands of bridges out there, and they move hundreds of millions of dollars' worth of crypto.

"The fact that nobody notices for six days screams aloud that some structure should be in place to watch illicit transfers," said Mr Wilfred Daye, head of Securitize Capital, the asset management arm of Securitize.

The price of Ron, a token used on the Ronin blockchain, dropped about 22 per cent after the hack was disclosed. AXS, a token used in Axie Infinity, fell as much as 11 per cent, according to CoinMarketCap.

In its blog, Ronin said it is in touch with major cryptocurrency exchanges and with blockchain tracer Chainalysis to monitor the movement of the stolen funds. Ronin also said it is working with law enforcement. Ronin did not immediately return requests for comment.

The stolen funds went to two cryptocurrency exchanges, according to blockchain forensics firm Elliptic. Several exchanges acknowledged the hack without confirming that the funds had been moved there.

Mr Sam Bankman-Fried, who runs the FTX cryptocurrency exchange, said in an e-mail that it would assist on the blockchain forensics. Binance Holdings and OKX issued similar statements, with Binance also saying it is "working with certain law enforcement agents on potential leads", without giving details.

Validator breach

The Ronin hack follows the February attack on the Wormhole bridge, which resulted in more than US$300 million in losses that one of Wormhole's sponsors, Jump Crypto, reimbursed. Other crypto bridges have suffered from so-called rug pulls, when their founders disappeared, and had issues when their key developers went rogue.

"If a bridge has the ability to mint tokens, it's like taking control of the minting machines," Mr Yat Siu, co-founder of Animoca Brands, an investor in gaming studio Sky Mavis, said in an interview before the hack. "Bridges are authorities at this point, and if they are designed badly or have vulnerabilities, they become a huge risk to the ecosystem."

To save the entire Solana ecosystem from a direct hit, Jump Crypto bailed out Wormhole last month. Sky Mavis and Ronin have not announced any similar plans yet.
