The Ronin Hacker Made Off With $625M of Crypto, but Cashing Out Isn’t So Easy

It’s difficult for any crypto hacker to escape with a large amount of stolen funds, industry watchers say


Blockworks Exclusive art by axel rangel


key takeaways

  • Blockchain transparency makes it hard to pull off large-scale cryptocurrency theft, according to blockchain data firm Chainalysis
  • Axie Infinity co-founder Aleksander Leonard Larson tweeted Wednesday that several new validators would be added to the Ronin network

For the hacker who recently exploited the Ronin Network for roughly $625 million, cashing out the funds will likely be a challenge.

The Ethereum-linked sidechain used for blockchain game Axie Infinity was attacked last week, when the person or group responsible made off with 173,600 ether and 25.5 million USDC.

The exploiter used hacked private keys to forge withdrawals on March 23, according to a Tuesday statement. The breach was discovered nearly a week later when a user was unable to withdraw 5,000 ETH.

The hackers have tried to sell about 6,500 stolen ETH, transferring the tokens to three different exchanges, according to William Quigley, co-founder of stablecoin Tether and non-fungible token (NFT) blockchain platform WAX. All of the stolen USDC has been transferred out to various wallets and DeFi protocols, Etherscan data shows.

Most of the funds remain in the hacker’s wallet, according to the network. Aleksander Leonard Larson, co-founder and chief operating officer of Axie Infinity, tweeted Wednesday that Axie is committed to ensuring all of the drained funds are recovered or reimbursed.

“Been an intense 36 hours,” Larson tweeted. “Our internal network is currently going through a deep forensics review to ensure there is no lingering threat.”

Selling the remaining 176,000 or so ETH will be difficult, Quigley told Blockworks, adding that the address has been blacklisted to exchanges.

“Sky Mavis has also retained Chainalysis to ensure that any of the stolen ETH moved from this Ethereum address will be tracked,” he said. “It doesn’t seem like the hacker will have much luck cashing out.”

Kim Grauer, Chainalysis’ director of research, said the Poly Network hack in August and subsequent return of funds illustrated the rising difficulty of pulling off a large-scale cryptocurrency theft.

While criminally obtained fiat currency can be moved through “shady bank accounts” — and authorities rely on subpoenas and the cooperation of financial institutions to trace its path — Grauer said anyone can view transactions executed on public blockchains.

“With the inherent transparency of blockchains and the eyes of an entire industry on them, it’s difficult for any cryptocurrency hacker to escape with a large cache of stolen funds,” Grauer said. “In most cases, the best they could hope for would be to evade capture as the funds sit frozen in a blacklisted private wallet.”

How did it happen and what’s next?

Illicit crypto transactions reached $14 billion last year, according to a February Chainalysis report. Though that marks an all-time high, illicit activity in terms of total crypto transaction volume has never been lower, as the market capitalization of digital assets grew in 2021.

The latest hack was an outlier, Quigley said, in that it occurred in part because a single entity, Sky Mavis, controlled four of the Ronin’s chain’s nine validator nodes. The hacker gained control of a fifth node — good for a majority — run by Axie DAO.

Larson called the hack “a social engineering attack combined with a human error” in a Wednesday tweet, adding that Ronin plans to add additional validators to boost decentralization. 

The fact that several days passed before the public became aware is rare and “surprising,” Quigley said.

“Most people did not appear to know that Axie Infinity ran its own layer-2 blockchain on top of Ethereum,” he said. “People playing Axie Infinity or providing liquidity to Ronin’s decentralized exchange, Katana, might have been more circumspect about depositing hundreds of millions of dollars on the Ronin Bridge if they knew Axie Infinity managed the passwords to five of the nine Ronin validator nodes.”

Layer-2 chains are inherently more vulnerable because the attack vectors double when you operate atop another chain, Quigley said. Exploits can be operational — when the parties running a system don’t have robust security practices — or code-related.

“Large complex systems, like fully featured layer-2 based blockchain games with hooks into other third-party platforms, is a vastly more challenging system to audit,” he said, noting the operational nature of the Ronin hack.

As more value flows through cross-chain bridges, they’re becoming increasingly attractive targets for hackers, according to Grauer. Though the Ronin case involved hacked private keys, many DeFi (decentralized finance) hacks are attributed to code vulnerabilities. 

“While not foolproof, a valuable first step towards addressing issues like this could be for extremely rigorous code audits to become the gold standard, both for those building protocols and for the investors evaluating them,” Grauer said. “Over time, the strongest, safest smart contracts can serve as templates for developers to build from.”

Don’t miss the next big story – join our free daily newsletter.


Upcoming Events

Hilton Metropole | 225 Edgware Rd, London

Mon - Wed, March 18 - 20, 2024

Crypto’s premier institutional conference returns to London in March 2024. The DAS: London Experience: Attend expert-led panel discussions and fireside chats Hear the latest developments regarding the crypto and digital asset regulatory environment directly from policymakers and experts.

Salt Lake City, UT

WED - FRI, OCTOBER 9 - 11, 2024

Pack your bags, anon — we’re heading west! Join us in the beautiful Salt Lake City for the third installment of Permissionless. Come for the alpha, stay for the fresh air. Permissionless III promises unforgettable panels, killer networking opportunities, and mountains […]

recent research

Top Icon.png


Osmosis thrived in H2 2023 on the back of increased DeFi activity deriving from recently launched Cosmos-related projects and better market conditions. With new value accrual mechanisms for the native token, Osmosis is well-positioned to continue its strong performance in 2024.



Though the opposing flow trend is likely to slow over time, industry watchers note, bitcoin fund assets could one day eclipse the $90 billion gold ETF space


Celestia had the first mover advantage. EigenDA has staked ether. What sets Avail apart?


Bitcoin moved 1% higher Monday morning in New York, Matrixport analysts say $62,000 could happen next month


It’s hard to believe right now that crypto — even with all of its flexibility and massive capabilities — could ever be like cash on the internet


Michael Saylor announced Monday morning that MicroStrategy bought 3k more bitcoin after the X account was compromised over the weekend


Plus, Pudgy Penguins grows its brand and a group of Autoglyphs sell for $14.5 million