The Ronin Hacker Made Off With $625M of Crypto, but Cashing Out Isn’t So Easy

It’s difficult for any crypto hacker to escape with a large amount of stolen funds, industry watchers say


Blockworks Exclusive art by axel rangel


key takeaways

  • Blockchain transparency makes it hard to pull off large-scale cryptocurrency theft, according to blockchain data firm Chainalysis
  • Axie Infinity co-founder Aleksander Leonard Larson tweeted Wednesday that several new validators would be added to the Ronin network

For the hacker who recently exploited the Ronin Network for roughly $625 million, cashing out the funds will likely be a challenge.

The Ethereum-linked sidechain used for blockchain game Axie Infinity was attacked last week, when the person or group responsible made off with 173,600 ether and 25.5 million USDC.

The exploiter used hacked private keys to forge withdrawals on March 23, according to a Tuesday statement. The breach was discovered nearly a week later when a user was unable to withdraw 5,000 ETH.

The hackers have tried to sell about 6,500 stolen ETH, transferring the tokens to three different exchanges, according to William Quigley, co-founder of stablecoin Tether and non-fungible token (NFT) blockchain platform WAX. All of the stolen USDC has been transferred out to various wallets and DeFi protocols, Etherscan data shows.

Most of the funds remain in the hacker’s wallet, according to the network. Aleksander Leonard Larson, co-founder and chief operating officer of Axie Infinity, tweeted Wednesday that Axie is committed to ensuring all of the drained funds are recovered or reimbursed.

“Been an intense 36 hours,” Larson tweeted. “Our internal network is currently going through a deep forensics review to ensure there is no lingering threat.”

Selling the remaining 176,000 or so ETH will be difficult, Quigley told Blockworks, adding that the address has been blacklisted to exchanges.

“Sky Mavis has also retained Chainalysis to ensure that any of the stolen ETH moved from this Ethereum address will be tracked,” he said. “It doesn’t seem like the hacker will have much luck cashing out.”

Kim Grauer, Chainalysis’ director of research, said the Poly Network hack in August and subsequent return of funds illustrated the rising difficulty of pulling off a large-scale cryptocurrency theft.

While criminally obtained fiat currency can be moved through “shady bank accounts” — and authorities rely on subpoenas and the cooperation of financial institutions to trace its path — Grauer said anyone can view transactions executed on public blockchains.

“With the inherent transparency of blockchains and the eyes of an entire industry on them, it’s difficult for any cryptocurrency hacker to escape with a large cache of stolen funds,” Grauer said. “In most cases, the best they could hope for would be to evade capture as the funds sit frozen in a blacklisted private wallet.”

How did it happen and what’s next?

Illicit crypto transactions reached $14 billion last year, according to a February Chainalysis report. Though that marks an all-time high, illicit activity in terms of total crypto transaction volume has never been lower, as the market capitalization of digital assets grew in 2021.

The latest hack was an outlier, Quigley said, in that it occurred in part because a single entity, Sky Mavis, controlled four of the Ronin’s chain’s nine validator nodes. The hacker gained control of a fifth node — good for a majority — run by Axie DAO.

Larson called the hack “a social engineering attack combined with a human error” in a Wednesday tweet, adding that Ronin plans to add additional validators to boost decentralization. 

The fact that several days passed before the public became aware is rare and “surprising,” Quigley said.

“Most people did not appear to know that Axie Infinity ran its own layer-2 blockchain on top of Ethereum,” he said. “People playing Axie Infinity or providing liquidity to Ronin’s decentralized exchange, Katana, might have been more circumspect about depositing hundreds of millions of dollars on the Ronin Bridge if they knew Axie Infinity managed the passwords to five of the nine Ronin validator nodes.”

Layer-2 chains are inherently more vulnerable because the attack vectors double when you operate atop another chain, Quigley said. Exploits can be operational — when the parties running a system don’t have robust security practices — or code-related.

“Large complex systems, like fully featured layer-2 based blockchain games with hooks into other third-party platforms, is a vastly more challenging system to audit,” he said, noting the operational nature of the Ronin hack.

As more value flows through cross-chain bridges, they’re becoming increasingly attractive targets for hackers, according to Grauer. Though the Ronin case involved hacked private keys, many DeFi (decentralized finance) hacks are attributed to code vulnerabilities. 

“While not foolproof, a valuable first step towards addressing issues like this could be for extremely rigorous code audits to become the gold standard, both for those building protocols and for the investors evaluating them,” Grauer said. “Over time, the strongest, safest smart contracts can serve as templates for developers to build from.”

Get the day’s top crypto news and insights delivered to your email every evening. Subscribe to Blockworks’ free newsletter now.

Want alpha sent directly to your inbox? Get degen trade ideas, governance updates, token performance, can’t-miss tweets and more from Blockworks Research’s Daily Debrief.

Can’t wait? Get our news the fastest way possible. Join us on Telegram and follow us on Google News.


upcoming event

MON - WED, MARCH 18 - 20, 2024

Digital Asset Summit (DAS) is returning March 2024. This year’s event will be held in our nation’s capital, where industry leaders, policymakers, and institutional experts will come together to discuss the latest developments and challenges in the ever-evolving world of cryptocurrency. […]

upcoming event

MON - WED, SEPT. 11 - 13, 2023

2022 was a meme.Skeptics danced, believers believed.Eventually, newcomers turned away, drained of liquidity and hope.Now, the tide is shifting and it’s time to rebuild. Permissionless II is the brainchild of Blockworks and Bankless. It’s not just a conference, but a call […]

recent research

Curve's Stablecoin and Lending Market


AMMs are at the root of everything elegant and useful in DeFi.That's why Curve put LLAMMA at the center of its lending protocol.



Given the impressive growth trajectory and unpredictable future of crypto markets, the potential systemic risks cannot be dismissed, the board said


Five years after the ICO boom and bust, the notion of traditional finance assets existing on the blockchain is not nearly as far fetched


The Fahrenheit Consortium beat out competing offers from Novawulf and BRIC


A research paper modeled the reliability and carbon footprint of crypto mining in Texas


Bring in the next million developers, and then we can start worrying about where to find the next billion users



Web3 real estate investing platform Parcl leverages blockchain to address the current bottlenecks facing property investing