The Ronin Hacker Made Off With $625M of Crypto, but Cashing Out Isn’t So Easy

It’s difficult for any crypto hacker to escape with a large amount of stolen funds, industry watchers say

article-image

Blockworks Exclusive art by axel rangel

share

key takeaways

  • Blockchain transparency makes it hard to pull off large-scale cryptocurrency theft, according to blockchain data firm Chainalysis
  • Axie Infinity co-founder Aleksander Leonard Larson tweeted Wednesday that several new validators would be added to the Ronin network

For the hacker who recently exploited the Ronin Network for roughly $625 million, cashing out the funds will likely be a challenge.

The Ethereum-linked sidechain used for blockchain game Axie Infinity was attacked last week, when the person or group responsible made off with 173,600 ether and 25.5 million USDC.

The exploiter used hacked private keys to forge withdrawals on March 23, according to a Tuesday statement. The breach was discovered nearly a week later when a user was unable to withdraw 5,000 ETH.

The hackers have tried to sell about 6,500 stolen ETH, transferring the tokens to three different exchanges, according to William Quigley, co-founder of stablecoin Tether and non-fungible token (NFT) blockchain platform WAX. All of the stolen USDC has been transferred out to various wallets and DeFi protocols, Etherscan data shows.

Most of the funds remain in the hacker’s wallet, according to the network. Aleksander Leonard Larson, co-founder and chief operating officer of Axie Infinity, tweeted Wednesday that Axie is committed to ensuring all of the drained funds are recovered or reimbursed.

“Been an intense 36 hours,” Larson tweeted. “Our internal network is currently going through a deep forensics review to ensure there is no lingering threat.”

Selling the remaining 176,000 or so ETH will be difficult, Quigley told Blockworks, adding that the address has been blacklisted to exchanges.

“Sky Mavis has also retained Chainalysis to ensure that any of the stolen ETH moved from this Ethereum address will be tracked,” he said. “It doesn’t seem like the hacker will have much luck cashing out.”

Kim Grauer, Chainalysis’ director of research, said the Poly Network hack in August and subsequent return of funds illustrated the rising difficulty of pulling off a large-scale cryptocurrency theft.

While criminally obtained fiat currency can be moved through “shady bank accounts” — and authorities rely on subpoenas and the cooperation of financial institutions to trace its path — Grauer said anyone can view transactions executed on public blockchains.

“With the inherent transparency of blockchains and the eyes of an entire industry on them, it’s difficult for any cryptocurrency hacker to escape with a large cache of stolen funds,” Grauer said. “In most cases, the best they could hope for would be to evade capture as the funds sit frozen in a blacklisted private wallet.”

How did it happen and what’s next?

Illicit crypto transactions reached $14 billion last year, according to a February Chainalysis report. Though that marks an all-time high, illicit activity in terms of total crypto transaction volume has never been lower, as the market capitalization of digital assets grew in 2021.

The latest hack was an outlier, Quigley said, in that it occurred in part because a single entity, Sky Mavis, controlled four of the Ronin’s chain’s nine validator nodes. The hacker gained control of a fifth node — good for a majority — run by Axie DAO.

Larson called the hack “a social engineering attack combined with a human error” in a Wednesday tweet, adding that Ronin plans to add additional validators to boost decentralization. 

The fact that several days passed before the public became aware is rare and “surprising,” Quigley said.

“Most people did not appear to know that Axie Infinity ran its own layer-2 blockchain on top of Ethereum,” he said. “People playing Axie Infinity or providing liquidity to Ronin’s decentralized exchange, Katana, might have been more circumspect about depositing hundreds of millions of dollars on the Ronin Bridge if they knew Axie Infinity managed the passwords to five of the nine Ronin validator nodes.”

Layer-2 chains are inherently more vulnerable because the attack vectors double when you operate atop another chain, Quigley said. Exploits can be operational — when the parties running a system don’t have robust security practices — or code-related.

“Large complex systems, like fully featured layer-2 based blockchain games with hooks into other third-party platforms, is a vastly more challenging system to audit,” he said, noting the operational nature of the Ronin hack.

As more value flows through cross-chain bridges, they’re becoming increasingly attractive targets for hackers, according to Grauer. Though the Ronin case involved hacked private keys, many DeFi (decentralized finance) hacks are attributed to code vulnerabilities. 

“While not foolproof, a valuable first step towards addressing issues like this could be for extremely rigorous code audits to become the gold standard, both for those building protocols and for the investors evaluating them,” Grauer said. “Over time, the strongest, safest smart contracts can serve as templates for developers to build from.”


Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.

Explore the growing intersection between crypto, macroeconomics, policy and finance with Ben Strack, Casey Wagner and Felix Jauvin. Subscribe to the Forward Guidance newsletter.

Get alpha directly in your inbox with the 0xResearch newsletter — market highlights, charts, degen trade ideas, governance updates, and more.

The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.

Tags

Upcoming Events

Javits Center North | 445 11th Ave

Tues - Thurs, March 18 - 20, 2025

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

Brooklyn, NY

TUES - THURS, JUNE 24 - 26, 2025

Permissionless IV serves as the definitive gathering for crypto’s technical founders, developers, and builders to come together and create the future.If you’re ready to shape the future of crypto, Permissionless IV is where it happens.

recent research

Research Report Templates.png

Research

An overview of the Base Ecosystem, with a focus on market leaders.

article-image

Although bitcoin hitting $120k by year’s end is looking unlikely

article-image

About 270 million HYPE has been claimed, valued around $7.6 billion

article-image

Stanford professors David Mazières and Dan Boneh will lead the lab alongside a cohort of graduate student researchers

article-image

With more companies holding BTC, bitcoin yielding strategies could become “a new corporate finance norm,” CoinShares posed

article-image

The proposal comes after Polygon governance considered a controversial use of bridged liquidity for yield

article-image

Can the community balance its decentralized ethos with the need for inclusivity and constructive debate?