The Verge reports “A hacker stole $625 million from the blockchain behind NFT game Axie Infinity”:
Roughly $625 million worth of cryptocurrency has been stolen from Ronin, the blockchain underlying popular crypto game Axie Infinity. Ronin and Axie Infinity operator Sky Mavis revealed the breach on Tuesday and froze transactions on the Ronin bridge, which allows depositing and withdrawing funds from the company’s blockchain.
Sky Mavis says it’s working with law enforcement to recover 173,600 Ethereum (currently worth around $600 million) and 25.5 million USDC (a cryptocurrency pegged to the US dollar) from the culprit, who withdrew it from the network on March 23rd. The attack focused on the bridge to Sky Mavis’ Ronin blockchain, an intermediary between Axie Infinity and other cryptocurrency blockchains like Ethereum. Users could deposit Ethereum or USDC to Ronin, then purchase non-fungible token items or in-game currency, or they could sell their in-game assets and withdraw the money.
Axie Infinity is an online game developed in Vietnam which has become a fad in the Philippines. Wikipedia describes it as:
[A] non-fungible token-based online video game developed by Vietnamese studio Sky Mavis, known for its in-game economy which uses Ethereum-based cryptocurrencies.
Players of Axie Infinity collect and mint NFTs which represent axolotl-inspired digital pets known as Axies. These creatures can be bred and battled with each other within the game. Sky Mavis charges a 4.25% fee to players when they trade Axies on its marketplace.
[Image: some Axies.]
The Verge continues:
According to Sky Mavis, the Ronin attack was possible partly because of a shortcut the company had taken to relieve an “immense user load” on its network in November of last year — months after the game exploded in popularity in the Philippines and other countries where players relied on it as a full-time job. The system was discontinued in December, but the permissions that allowed it were never revoked. In addition to compromising four of Sky Mavis’ own nodes, the attacker exploited them to get access to one managed by the community-owned Axie DAO. After compromising five of the nine validator nodes, the attacker could effectively override any transaction security and withdraw whatever funds they liked.
The theft was not discovered until almost a week after the perpetrator(s) had absconded with the funds, and only after somebody came back to the well and tried to snatch another ETH 500 through the same mechanism. Sky Mavis says, “an attacker used hacked private security keys to compromise the network nodes that validate transfers to and from the Ronin blockchain. That let the attacker quietly withdraw large quantities of Ethereum and USDC.” No details were provided of how the keys were “hacked”, whether by a system security breach, insecure key generation, social engineering, an inside job, or other means.
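The mechanism The Verge describes above is a threshold (5-of-9) validator scheme defeated not by breaking the threshold but by a stale permission that let one operator's keys stand in for a ninth validator. The following is an added illustration, not Sky Mavis or Ronin code: it models the bridge as a k-of-n approval check with a delegation table, and shows the same four compromised keys failing without the shortcut, succeeding while the shortcut is still granted, and failing again once it is revoked. Validator names, the delegation mechanism and the exact threshold logic are assumptions chosen to match the press account.

```python
"""Toy k-of-n bridge validator with a stale delegation (constructed example).

Not Sky Mavis/Ronin code. Validator names, the delegation table and the
threshold check are assumptions modelled on the reported facts: 9 validators,
5 signatures required, 4 operator keys compromised, plus one Axie DAO
validator reachable through a permission that was never revoked.
"""
from dataclasses import dataclass, field

THRESHOLD = 5  # 5-of-9, as reported

# Assumed validator identities (hypothetical names).
SKY_MAVIS = frozenset(f"skymavis-{i}" for i in range(1, 5))   # 4 operator nodes
AXIE_DAO = "axie-dao"                                          # community validator
OTHERS = frozenset(f"partner-{i}" for i in range(1, 5))       # remaining 4 validators
ALL_VALIDATORS = frozenset(SKY_MAVIS | {AXIE_DAO} | OTHERS)   # 9 in total


@dataclass
class Bridge:
    validators: frozenset
    threshold: int = THRESHOLD
    # delegate -> set of principals permitted to approve on the delegate's
    # behalf. This stands in for the "shortcut" permission in the story.
    delegations: dict = field(default_factory=dict)

    def grant_delegation(self, delegate: str, principals: frozenset) -> None:
        """Allow any of `principals` to count as an approval by `delegate`."""
        if delegate not in self.validators or not principals <= self.validators:
            raise ValueError("unknown validator in delegation")
        self.delegations[delegate] = frozenset(principals)

    def revoke_delegation(self, delegate: str) -> None:
        """Remove the delegation; this is the step that was never performed."""
        self.delegations.pop(delegate, None)

    def effective_signers(self, signers: set) -> set:
        """Direct approvals plus any validator reachable through a delegation."""
        direct = set(signers) & self.validators
        via_delegation = {d for d, p in self.delegations.items() if p & direct}
        return direct | via_delegation

    def authorize_withdrawal(self, signers: set) -> bool:
        """True when the effective approval set meets the threshold."""
        return len(self.effective_signers(signers)) >= self.threshold


def ronin_scenario() -> dict:
    """Replay the three states: no shortcut, stale shortcut, shortcut revoked."""
    attacker_keys = set(SKY_MAVIS)  # attacker holds the four operator keys

    clean = Bridge(ALL_VALIDATORS)
    without_shortcut = clean.authorize_withdrawal(attacker_keys)  # 4 < 5

    stale = Bridge(ALL_VALIDATORS)
    stale.grant_delegation(AXIE_DAO, SKY_MAVIS)   # the November shortcut
    with_stale_shortcut = stale.authorize_withdrawal(attacker_keys)  # 4 + DAO = 5

    stale.revoke_delegation(AXIE_DAO)              # what should have happened in December
    after_revocation = stale.authorize_withdrawal(attacker_keys)

    return {
        "without_shortcut": without_shortcut,
        "with_stale_shortcut": with_stale_shortcut,
        "after_revocation": after_revocation,
        "attacker_effective_signers": stale.effective_signers(attacker_keys),
    }


if __name__ == "__main__":
    for name, value in ronin_scenario().items():
        print(f"{name}: {value}")
```

The point the model makes is that the threshold itself was never broken: four keys are below the five required in every state. What changed the outcome was an authorization shortcut that silently enlarged the set of validators a single key holder could speak for, which is why an audit of a threshold scheme has to count delegations and standing permissions, not just keys.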
Most of the hacked Ethereum (ETH 175,913.7) remains in the perpetrator(s)' wallet: 0x098B716B8Aaf21512996dC57EB0615e2383E2f96.