Blockchain & Cryptocurrency , Cryptocurrency Fraud , Cybercrime

Update: Crypto Hackers Exploit Ronin Network for $615 Million

Popular Game Axie Infinity's Blockchain Security Breached Via Hacked Private Keys
Update: Crypto Hackers Exploit Ronin Network for $615 Million
Katana Dax, Ronin Network's decentralized exchange, was taken offline. (Source:

Update - April 18, 2022: The FBI has attributed the Ronin Network hack attack to North Korean hackers, and the U.S. Treasury Department has sanctioned a cryptocurrency wallet used by attackers to receive stolen funds (see: Feds Offer $5 Million to Help Disrupt North Korean Hackers).

See Also: Splunk Named a 10-Time Leader in Gartner® Magic Quadrant™ for SIEM

Ronin Network, a sidechain tied to blockchain game Axie Infinity, announced it had been breached by hackers that hijacked 173,600 ethereum and $25.5 million - totaling nearly $615 million in stolen funds.

Attackers breached Ronin Network security by gaining access to private keys used to forge fake withdrawals. Ronin Network announced the breach on Tuesday, five days after a user reported an inability to withdraw 5,000 in Ethereum from its bridge, or the port that allows inter-blockchain asset transfers. The investigation is currently ongoing, however, developments in the case are rapidly unfolding.

"We are working with law enforcement officials, forensic cryptographers and our investors to make sure all funds are recovered or reimbursed," the firm says, adding that the Ronin bridge and Katana Dex - Ronin's decentralized exchange - were taken offline until further notice as the investigation continues.

Ronin Network powers the gaming marketplace for Axie Infinity, an NFT-driven game, which is operated by Vietnam-based Sky Mavis. Gamers can create a Ronin wallet through Sky Mavis' website to make intergame purchases, such as virtual pets, in Axie Infinity's virtual marketplace.

In the latest developments, Ronin Network posted on Twitter that the attacker's wallet had been linked to Binance, a popular cryptocurrency market. It appears several firms are cooperating with Ronin Network to catch the attacker.

Binance, in a statement to Information Security Media Group, confirmed its involvement in the probe. "The Binance investigations team is supporting the Axie Infinity team with tracking some of the transactions related to its network bridge. We are also working with certain law enforcement agents on potential leads," it says.

Cryptocurrency investigation and compliance solutions provider Chainalysis also confirmed that it was engaged in the probe, but could not offer further details immediately.

Similar to this incident, the cryptocurrency platform Poly Network was breached last August. A hacker, known as "Mr. White Hat," reportedly returned the majority of the stolen funds. At that time, the Poly Network hack was considered the largest cryptocurrency heist at the time, amounting to around $612 million in stolen assets; this breach is larger by a slim margin (see: Poly Network Hacker Reportedly Returns Most of Stolen Funds).

Attack Details

Ronin Network described how the crime was carried out in a detailed blog post, followed by the steps it was taking during investigation and actions to improve security.

According to Ronin Network, an attacker took control of the validator nodes on the Sky Mavis and Axie DAO-operated Ronin blockchain. The validators moderate activity on the chain as a security measure, but the attacker then was able to find an entry point through a backdoor.

"In order to recognize a Deposit event or a Withdrawal event, five out of the nine validator signatures are needed. The attacker managed to get control over Sky Mavis’s four Ronin Validators and a third-party validator run by Axie DAO," the company said.

To prevent attacks in the future, Ronin Networks has taken several actions, including moving its validator threshold, migrating nodes to a new infrastructure and working with several security suppliers to remediate any damage.

"As we’ve witnessed, Ronin is not immune to exploitation and this attack has reinforced the importance of prioritizing security, remaining vigilant, and mitigating all threats," Ronin Networks said, adding that it is working to make sure user assets are not stolen.

The victim company, blockchain security firm CertiK tells ISMG, did follow good cybersecurity practices - to an extent.

"SkyMavis applied a multiple signature scheme - which requires multiple keys to authorize a transaction, rather than a single signature from one key- to avoid single point of failure, which is a great step in security. But during a November 2021 event held for Axie DAO's growth, a validator was given access to distribute free transactions - and this access was not revoked. It has now resulted in the attacker gaining access. It is very important to remember to revoke the allow list or white list access when no longer needed," a spokesperson for the company says.

Crypto Hack Dilemma: Withdraw Stolen Funds Where?

Attacks against cryptocurrency firms such as Ronin Network has been steadily increasing. Cybercrime gangs and nation-state hackers have discovered how lucrative it can be to victimize employees by means of social engineering and other tactics, but cashing out is where the problem lies.

Ari Redbord, an Information Security Media Group contributor and former undersecretary for terrorism and financial intelligence for the U.S. Treasury, says that cybercriminals are gravitating to cryptocurrency businesses because they can "commit bank robbery at the speed of the internet in crypto."

On the other hand, Redbord says, law enforcement agencies can use qualities of digital assets - such as the transparent immutable transactions - to successfully trace and track where the funds have gone. This poses a problem for cybercriminals seeking to withdraw large amounts of stolen digital assets in a legal market.

"This attacker will have a difficult time finding an off-ramp with the world watching," says Redbord, who is currently the head of government affairs for blockchain intelligence firm TRM Labs.

Adding on Redbord's statement on the challenges of converting the stolen funds to fiat currency, William Callahan, director of government and strategic affairs at Blockchain Intelligence Group, says that blockchain analytical tools can also track and trace transactions in real time and work with cryptocurrency exchanges to freeze funds before hackers can convert it into fiat currency.

At the moment, Blockchain Intelligence Group's data analytics shows a series of transactions associated with the Ronin Network.

There have been a series of transactions in which "25.5 million USDC tokens were sent from the original exploiter's address to two other addresses. These addresses were used to convert the 25.5 million USDC to 8,562.86 ETH using [decentralized exchanges] 1inch and Uniswap. The converted funds then were returned to the original exploiter's address," Callahan, also retired U.S. Department of Justice law enforcement officer, says.

"We are likely to see a continued barrage of attacks on crypto businesses as a nascent and growing industry builds and hardens cyber defenses. It is critical that crypto businesses of all sizes build defenses against attacks and also have the best tools in place to track and trace stolen funds."

Story updated to include comments from Binance, CertiK, Chainalysis and William Callahan of Blockchain Intelligence Group.

Senior subeditor Rashmi Ramesh contributed to this story.

About the Author

Devon Warren-Kachelein

Devon Warren-Kachelein

Former Staff Writer, ISMG

Warren-Kachelein began her information security journey as a multimedia journalist for SecureWorld, a Portland, Oregon-based cybersecurity events and media group. There she covered topics ranging from government policy to nation-states, as well as topics related to diversity and security awareness. She began her career reporting news for a Southern California-based paper called The Log and also contributed to tech media company Digital Trends.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.