Hackers Steal $600 Million In One Of The Biggest Crypto Heists To Date

In what is being hailed as one of the biggest cryptocurrency hacks of all time, an unknown hacker managed to steal crypto assets worth more than $600 million in Ethereum and USDC coins. The target was Ronin, an independent blockchain made by Singapore's Sky Mavis for Axie Infinity, which happens to be one of the most popular crypto-focused games out there. 

Axie Infinity and Sky Mavis' co-founder tweeted earlier today that this was a social engineering attack and that the company is focused on recovering all of the lost funds to reimburse affected users. The theft was executed last week, and it was only detected after a user reported an inability to withdraw 5,000 Ethereum coins from the Ronin bridge.

For folks unfamiliar with the concept, a bridge allows users to convert their crypto tokens into another denomination so they can be used elsewhere. In this case, the attacker targeted the Ronin bridge, which lets users deposit Ethereum and USDC coins to Ronin's network, transform them into coins that can be used in Axie Infinity, and sell in-game assets to withdraw the monetary value. 

The official Ronin newsletter on Substack says the bad actor stole 173,000 Ethereum and 25.5 million USDC, but most of the funds are still in the hacker's wallet. Detailing the modus operandi, Ronin says the hacker exploited its fund validation system.

Big heist, even bigger worries

The Ronin sidechain has 9 validator nodes, and in order to deposit or withdraw funds, approval of at least 5 validators is mandatory. The hacker stole private keys — the special password required for crypto transactions — belonging to four of Ronin's validators and got the fifth one from a validator run by Axie DAO.

The attacker got them via a backdoor in Sky Mavis' gas-free RPC node. In the wake of the theft, Ronin says it has tweaked the validation threshold to eight out of nine signatures in order to discourage any such incidents in the future. The funds were stolen via two transactions, both of which have been logged by Etherscan.
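The quorum arithmetic described above, as an added example (not from the article or from Ronin): it counts how many independently operated parties must be compromised before a signing threshold is met, which is the number that matters more than the raw key count. The Sky Mavis and Axie DAO key counts follow the article; the four `operator-*` entries are hypothetical placeholders for the validators the article does not name.

```python
from typing import Dict, Optional


def min_operators_for_quorum(keys_by_operator: Dict[str, int], threshold: int) -> Optional[int]:
    """Fewest distinct operators whose combined keys reach the threshold.

    Taking the largest holders first is optimal because keys are
    interchangeable: only the count per operator matters.
    """
    collected = 0
    counts = sorted(keys_by_operator.values(), reverse=True)
    for n, count in enumerate(counts, start=1):
        collected += count
        if collected >= threshold:
            return n
    return None  # threshold is larger than the total number of keys


def quorum_report(keys_by_operator: Dict[str, int], threshold: int) -> dict:
    """Summarise how concentrated signing power is for an m-of-n scheme."""
    total = sum(keys_by_operator.values())
    largest = max(keys_by_operator.values())
    return {
        "scheme": f"{threshold}-of-{total}",
        "min_operators": min_operators_for_quorum(keys_by_operator, threshold),
        "largest_operator_keys": largest,
        # Keys still needed once the largest operator is compromised.
        "keys_beyond_largest": max(threshold - largest, 0),
    }


# Key layout: first two entries per the article, the rest are assumed.
RONIN_LAYOUT = {
    "Sky Mavis": 4, "Axie DAO": 1,
    "operator-C": 1, "operator-D": 1, "operator-E": 1, "operator-F": 1,
}
# Constructed comparison: nine operators holding one key each.
EVEN_LAYOUT = {f"operator-{i}": 1 for i in range(9)}

if __name__ == "__main__":
    for name, layout, m in [("ronin 5-of-9", RONIN_LAYOUT, 5),
                            ("ronin 8-of-9", RONIN_LAYOUT, 8),
                            ("even 5-of-9", EVEN_LAYOUT, 5)]:
        print(name, quorum_report(layout, m))
```

With four keys under one operator, a 5-of-9 scheme falls after two parties are compromised; the same threshold with one key per operator would require five.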

Sky Mavis says it is working with law enforcement officials and major crypto exchanges such as Binance and Huobi to recover the lost funds and nab the culprit. However, it appears the hacker will have a hard time getting away with the stash valued at over $600 million. Experts talking to CoinDesk say the hacker deposited the funds using centralized exchanges such as Huobi and FTX, which have stringent identity verification protocols in place. 

To put it simply, the hacker risks getting their identity revealed with further moves as these exchanges comply with regulatory norms. And even with indirect laundering and shady exchange points available, moving a sum as large as $600 million without being traced is going to be a massive challenge. Last year, the hacker behind the $611 million Poly Network theft returned the funds.