The Ronin Hacker Made Off With $625M of Crypto, but Cashing Out Isn’t So Easy

It’s difficult for any crypto hacker to escape with a large amount of stolen funds, industry watchers say

article-image

Blockworks Exclusive art by axel rangel

share

key takeaways

  • Blockchain transparency makes it hard to pull off large-scale cryptocurrency theft, according to blockchain data firm Chainalysis
  • Axie Infinity co-founder Aleksander Leonard Larson tweeted Wednesday that several new validators would be added to the Ronin network

For the hacker who recently exploited the Ronin Network for roughly $625 million, cashing out the funds will likely be a challenge.

The Ethereum-linked sidechain used for blockchain game Axie Infinity was attacked last week, when the person or group responsible made off with 173,600 ether and 25.5 million USDC.

The exploiter used hacked private keys to forge withdrawals on March 23, according to a Tuesday statement. The breach was discovered nearly a week later when a user was unable to withdraw 5,000 ETH.

The hackers have tried to sell about 6,500 stolen ETH, transferring the tokens to three different exchanges, according to William Quigley, co-founder of stablecoin Tether and non-fungible token (NFT) blockchain platform WAX. All of the stolen USDC has been transferred out to various wallets and DeFi protocols, Etherscan data shows.

Most of the funds remain in the hacker’s wallet, according to the network. Aleksander Leonard Larson, co-founder and chief operating officer of Axie Infinity, tweeted Wednesday that Axie is committed to ensuring all of the drained funds are recovered or reimbursed.

“Been an intense 36 hours,” Larson tweeted. “Our internal network is currently going through a deep forensics review to ensure there is no lingering threat.”

Selling the remaining 176,000 or so ETH will be difficult, Quigley told Blockworks, adding that the address has been blacklisted to exchanges.

“Sky Mavis has also retained Chainalysis to ensure that any of the stolen ETH moved from this Ethereum address will be tracked,” he said. “It doesn’t seem like the hacker will have much luck cashing out.”

Kim Grauer, Chainalysis’ director of research, said the Poly Network hack in August and subsequent return of funds illustrated the rising difficulty of pulling off a large-scale cryptocurrency theft.

While criminally obtained fiat currency can be moved through “shady bank accounts” — and authorities rely on subpoenas and the cooperation of financial institutions to trace its path — Grauer said anyone can view transactions executed on public blockchains.

“With the inherent transparency of blockchains and the eyes of an entire industry on them, it’s difficult for any cryptocurrency hacker to escape with a large cache of stolen funds,” Grauer said. “In most cases, the best they could hope for would be to evade capture as the funds sit frozen in a blacklisted private wallet.”

How did it happen and what’s next?

Illicit crypto transactions reached $14 billion last year, according to a February Chainalysis report. Though that marks an all-time high, illicit activity in terms of total crypto transaction volume has never been lower, as the market capitalization of digital assets grew in 2021.

The latest hack was an outlier, Quigley said, in that it occurred in part because a single entity, Sky Mavis, controlled four of the Ronin’s chain’s nine validator nodes. The hacker gained control of a fifth node — good for a majority — run by Axie DAO.

Larson called the hack “a social engineering attack combined with a human error” in a Wednesday tweet, adding that Ronin plans to add additional validators to boost decentralization. 

The fact that several days passed before the public became aware is rare and “surprising,” Quigley said.

“Most people did not appear to know that Axie Infinity ran its own layer-2 blockchain on top of Ethereum,” he said. “People playing Axie Infinity or providing liquidity to Ronin’s decentralized exchange, Katana, might have been more circumspect about depositing hundreds of millions of dollars on the Ronin Bridge if they knew Axie Infinity managed the passwords to five of the nine Ronin validator nodes.”

Layer-2 chains are inherently more vulnerable because the attack vectors double when you operate atop another chain, Quigley said. Exploits can be operational — when the parties running a system don’t have robust security practices — or code-related.

“Large complex systems, like fully featured layer-2 based blockchain games with hooks into other third-party platforms, is a vastly more challenging system to audit,” he said, noting the operational nature of the Ronin hack.

As more value flows through cross-chain bridges, they’re becoming increasingly attractive targets for hackers, according to Grauer. Though the Ronin case involved hacked private keys, many DeFi (decentralized finance) hacks are attributed to code vulnerabilities. 

“While not foolproof, a valuable first step towards addressing issues like this could be for extremely rigorous code audits to become the gold standard, both for those building protocols and for the investors evaluating them,” Grauer said. “Over time, the strongest, safest smart contracts can serve as templates for developers to build from.”


Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.

Explore the growing intersection between crypto, macroeconomics, policy and finance with Ben Strack, Casey Wagner and Felix Jauvin. Subscribe to the Forward Guidance newsletter.

Get alpha directly in your inbox with the 0xResearch newsletter — market highlights, charts, degen trade ideas, governance updates, and more.

The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.

Tags

Upcoming Events

Javits Center North | 445 11th Ave

Tues - Thurs, March 18 - 20, 2025

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

recent research

kamino cover.jpg

Research

Kamino has solidified its position as the leading money market on Solana and is emerging as a DeFi bluechip. Although DeFi competition is fierce, Kamino has kept iterating on its product to provide the best-in-class UX, paired with a robust risk management framework and battle-tested infrastructure. Given the rollout of Kamino Lend V2, the protocol may scale aggressively over the coming months, penetrating previously untapped markets in Solana DeFi.

article-image

Why that the bull market might not start until 2025

article-image

August’s annual headline figure came in at 2.3% after an upward revision Thursday, so things are moving in the right direction 

article-image

MSTR’s stock price was roughly $248 at 2 pm ET Thursday

article-image

Ever since rates came off zero and fiscal deficits exploded, markets have started paying close attention to how the government is funding itself

article-image

Solana memecoins are collectively at an all-time high

article-image

Optimistic rollups like Optimism, Arbitrum and Base are seeing rapid adoption relative to zk rollups