The Ronin Hacker Made Off With $625M of Crypto, but Cashing Out Isn’t So Easy

For the hacker who recently exploited the Ronin Network for roughly $625 million, cashing out the funds will likely be a challenge.

The Ethereum-linked sidechain used for blockchain game Axie Infinity was attacked last week, when the person or group responsible made off with 173,600 ether and 25.5 million USDC.

The exploiter used hacked private keys to forge withdrawals on March 23, according to a Tuesday statement. The breach was discovered nearly a week later when a user was unable to withdraw 5,000 ETH.

The hackers have tried to sell about 6,500 stolen ETH, transferring the tokens to three different exchanges, according to William Quigley, co-founder of stablecoin Tether and non-fungible token (NFT) blockchain platform WAX. All of the stolen USDC has been transferred out to various wallets and DeFi protocols, Etherscan data shows.

Most of the funds remain in the hacker’s wallet, according to the network. Aleksander Leonard Larson, co-founder and chief operating officer of Axie Infinity, tweeted Wednesday that Axie is committed to ensuring all of the drained funds are recovered or reimbursed.

“Been an intense 36 hours,” Larson tweeted. “Our internal network is currently going through a deep forensics review to ensure there is no lingering threat.”

Selling the remaining 176,000 or so ETH will be difficult, Quigley told Blockworks, adding that the address has been blacklisted to exchanges.

“Sky Mavis has also retained Chainalysis to ensure that any of the stolen ETH moved from this Ethereum address will be tracked,” he said. “It doesn’t seem like the hacker will have much luck cashing out.”

Kim Grauer, Chainalysis’ director of research, said the Poly Network hack in August and subsequent return of funds illustrated the rising difficulty of pulling off a large-scale cryptocurrency theft.

While criminally obtained fiat currency can be moved through “shady bank accounts” — and authorities rely on subpoenas and the cooperation of financial institutions to trace its path — Grauer said anyone can view transactions executed on public blockchains.

“With the inherent transparency of blockchains and the eyes of an entire industry on them, it’s difficult for any cryptocurrency hacker to escape with a large cache of stolen funds,” Grauer said. “In most cases, the best they could hope for would be to evade capture as the funds sit frozen in a blacklisted private wallet.”

How did it happen and what’s next?

Illicit crypto transactions reached $14 billion last year, according to a February Chainalysis report. Though that marks an all-time high, illicit activity in terms of total crypto transaction volume has never been lower, as the market capitalization of digital assets grew in 2021.

The latest hack was an outlier, Quigley said, in that it occurred in part because a single entity, Sky Mavis, controlled four of the Ronin’s chain’s nine validator nodes. The hacker gained control of a fifth node — good for a majority — run by Axie DAO.

Larson called the hack “a social engineering attack combined with a human error” in a Wednesday tweet, adding that Ronin plans to add additional validators to boost decentralization. 

The fact that several days passed before the public became aware is rare and “surprising,” Quigley said.

“Most people did not appear to know that Axie Infinity ran its own layer-2 blockchain on top of Ethereum,” he said. “People playing Axie Infinity or providing liquidity to Ronin’s decentralized exchange, Katana, might have been more circumspect about depositing hundreds of millions of dollars on the Ronin Bridge if they knew Axie Infinity managed the passwords to five of the nine Ronin validator nodes.”

Layer-2 chains are inherently more vulnerable because the attack vectors double when you operate atop another chain, Quigley said. Exploits can be operational — when the parties running a system don’t have robust security practices — or code-related.

“Large complex systems, like fully featured layer-2 based blockchain games with hooks into other third-party platforms, is a vastly more challenging system to audit,” he said, noting the operational nature of the Ronin hack.

As more value flows through cross-chain bridges, they’re becoming increasingly attractive targets for hackers, according to Grauer. Though the Ronin case involved hacked private keys, many DeFi (decentralized finance) hacks are attributed to code vulnerabilities. 

“While not foolproof, a valuable first step towards addressing issues like this could be for extremely rigorous code audits to become the gold standard, both for those building protocols and for the investors evaluating them,” Grauer said. “Over time, the strongest, safest smart contracts can serve as templates for developers to build from.”

---

Get the news in your inbox. Explore Blockworks newsletters:

• Blockworks Daily: The newsletter that helps thousands of investors understand crypto and the markets, by Byron Gilliam.
• Empire: Start your morning with the top news and analysis to inform your day in crypto.
• Forward Guidance: Reporting and analysis on the growing intersection of crypto and macroeconomics, policy and finance.
• 0xResearch: Alpha directly in your inbox. Market highlights, data, degen trade ideas, governance updates, token performance and more.
• Lightspeed: Built for Solana investors, developers and community members. The latest from one of crypto’s hottest networks.
• The Drop: For crypto collectors and traders, covering apps, games, memes and more.
• Supply Shock: Tracking Bitcoin’s rise from internet plaything worth less than a penny to global phenomenon disrupting money as we know it.