Ronin Network: what a $600 million hack reveals about the state of crypto
Thousands, if not millions, of people could have lost funds as a result of the world’s second-largest crypto breach.
Ronin Network, which powers the famous mobile game Axie Infinity, has had $615 million (£467 million) stolen.
Dan Rean, a 20-year-old from Wiltshire, is among those affected. He told the BBC: “I have lost 0.15 Ethereum, about $500. It’s bad but I have friends in a worse position.”
“I’m down about $10,000,” said Jack Kenny, one of those friends.
“I don’t think people fully understand the significance of this hack — $600m is a very big portion of all the assets in this network,” the 23-year-old from Ireland said.
Another person from the east coast of the United States claims to have lost $8,000 but adds that others may have lost their “life savings” after saving virtual coins from Axie Infinity.
Players earn crypto by fighting cartoon pets known as Axies in the game.
Millions of players around the world play the game in an attempt to win cryptocurrencies and collect the game’s non-fungible tokens (NFTs).
It is notably popular in the Philippines, where playing has turned into a full-time, potentially lucrative career.
The Vietnamese parent company Sky Mavis also owns the Ronin Network, which enables players to exchange the digital coins they earn in Axie Infinity for other cryptocurrencies like Ethereum.
According to the report, a hacker transferred $540 million in cryptocurrencies to themselves six days ago, but the company did not detect it until Tuesday, when a customer could not withdraw their funds.
The stolen stash has since risen in value and, at current cryptocurrency prices, is worth nearly $615 million.
It is the latest in a succession of large-scale cryptocurrency thefts, which have now totalled over $2 billion in the last year.
The series of events leading up to the hack reveals a great deal about the threats of crypto and decentralized finance.
Will users be refunded their money?
According to Ronin Network, it is “working with law enforcement officials, forensic cryptographers, and our investors to make sure all funds are recovered or reimbursed”.
It released a single statement on its Substack, a mailing service, and initially took its website offline.
It has also turned off comments on its social media posts.
Afterwards, in response to a BBC request for comment, the company stated that it was “committed” to refunding customers but would not provide a guarantee.
“I’ve not tried customer support because I know it’ll be useless,” Dan says.
“I just have to wait to hear from them if and when it’ll be fixed, and I can hopefully get my Ethereum out. Crypto companies don’t really work in the same way as regular companies,” Dan adds, putting the situation kindly.
Customers still do not know what is happening with their money or when they will receive it back from the Ronin Network.
Customers are usually refunded in some way in the event of a large-scale crypto breach, but it can take months or years.
Direct communication with crypto companies is generally poor, according to crypto writer David Canellis from Protos.
“When you’re dealing with entities that are handling more than half a billion dollars you’d expect a little bit more avenues and openness to communication — especially when there has been such a lapse in security around this hack.”
“But then again, one primary tenet of the ecosystem is that anyone at all can launch their own projects, and there should be no barriers to this.”
How did it happen?
According to Ronin Network, the hack began in November 2021, when Axie Infinity’s user base reached an untenable level.
The surge of players created an “immense user load”, causing it to reduce security measures to deal with the higher demand, according to the company.
It states that things slowed down in December, but that it forgot to tighten its protection, and that the hackers exploited the backdoor that had been left open.
Frances Coppola, an economist and author, says: “This is pretty typical of crypto companies.
“We’ve seen so many hacks and exploits caused by — to be blunt — frank carelessness and lack of concern for the safety of people’s funds.”
“Crypto companies are sometimes so anxious to make ‘loadsamoney’, or simply accommodate high demand, that they put out badly designed and tested code, compromise security, or place too much reliance on infrastructure.”
The top five cryptocurrency hacks of all time
Elliptic, a cryptocurrency research company, computed the following figures based on the dollar value at the time of the hack:
- $325m — Wormhole, February 2022
- $470m — Mt Gox, February 2014
- $532m — Coincheck, January 2018
- $540m — Ronin Bridge, March 2022
- $611m — Poly Network, August 2021
Why does this happen again and again?
According to experts, hackers are increasingly seeing cryptocurrencies as low-hanging fruit.
Cryptocurrency companies are “huge honeypots for hackers”, says Tom Robinson, of Elliptic.
“Crypto transactions are irreversible, so if a hacker can get their hands on it, it’s very difficult for anyone to retrieve it,” he says.
Mr Robinson added that crypto theft is particularly attractive because it allows for massive paydays without the additional inconvenience of cybercrime such as ransomware, which requires criminals to negotiate with victim organizations.
It is unknown who is involved in the current attack, although it is unlikely to be cybercriminals looking to make money. State-sponsored hackers, for example, have been recognised as the perpetrators of some crypto heists.
North Korean hackers stole about $400 million (£291 million) in digital assets in at least 7 attacks on crypto platforms last year, according to cryptocurrency researchers at Chainalysis.