Cyber attackers' NFT blockchain heist nets hundreds of millions in stolen cryptocurrency


The Ronin blockchain has been hacked, its owner Sky Mavis has confirmed, and around $600 million worth of cryptocurrency has been stolen as a result.

Ronin is the blockchain that powers NFT game Axie Infinity and on Monday it became aware of a cyber attack that took place on 23 March. Hackers obtained private keys to the blockchain and used them to initiate fake withdrawals.

Sky Mavis said it became aware of the hack only when one of its users attempted to withdraw 5,000 Ethereum tokens but was unable to.

The hackers are said to have stolen 173,600 Ethereum tokens and 25.5 million USD Coins (USDC). Sky Mavis said it is working with law enforcement, forensic cryptographers, and its investors to ensure all the funds are recovered or reimbursed.

“We are working directly with various government agencies to ensure the criminals get brought to justice,” Sky Mavis said in a blog post detailing the incident.

“We are in the process of discussing with Axie Infinity / Sky Mavis stakeholders about how to best move forward and ensure no users' funds are lost. Sky Mavis is here for the long term and will continue to build.”

The hack stemmed from the proof-of-stake blockchain’s validator nodes, the majority of which were under the hackers’ control through stolen private keys, Sky Mavis said.

Validator nodes replace the energy-demanding computation required in proof-of-work blockchains like Bitcoin’s. These nodes review the transactions in a block to confirm everything is accurate before approving it.

Ronin’s blockchain has nine validator nodes. The fewer nodes on a blockchain, the quicker transactions are signed, but this comes at the cost of security, as evidenced by the Ronin hack.

At least five validator signatures of the nine are needed to approve a transaction. The hacker obtained four of Sky Mavis’ Ronin validators and also abused a third-party validator run by Axie DAO.

Sky Mavis was allowlisted on Axie DAO’s validator back in November when the two companies collaborated on a case. Most of the access was revoked the following month, but the hackers exploited the remaining access to obtain the fifth validator signature, approving the heist’s transaction.

In response, Sky Mavis said it’s taking active steps to safeguard against future attacks, is currently migrating its nodes, and has temporarily paused the Ronin Bridge and Katana DEX. Sky Mavis is also raising the required number of validator signatures from five to eight.
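The quorum arithmetic described above, as an added example (not Sky Mavis's code and not from the article): it counts the validator signatures each operator can obtain through its own keys plus allowlist grants, and reports the fewest operators whose compromise reaches the threshold. The validator ids, the four placeholder operator names and all dates are assumptions.

```python
from collections import defaultdict
from datetime import date
from itertools import combinations

# Constructed model: nine validators, 4 run by Sky Mavis and 1 by Axie DAO as
# the article states; the other operator names and all dates are placeholders.
VALIDATORS = {"v1": "Sky Mavis", "v2": "Sky Mavis", "v3": "Sky Mavis",
              "v4": "Sky Mavis", "v5": "Axie DAO", "v6": "operator-C",
              "v7": "operator-D", "v8": "operator-E", "v9": "operator-F"}
# Allowlist grants: (grantee operator, validator that signs for it, end date).
GRANTS = [("Sky Mavis", "v5", date(2021, 12, 31))]


def reach(validators, grants):
    """Validators whose signature each operator can obtain: own + delegated."""
    out = defaultdict(set)
    for vid, operator in validators.items():
        out[operator].add(vid)
    for grantee, vid, _ends in grants:
        out[grantee].add(vid)
    return dict(out)


def min_operators_for_quorum(validators, grants, threshold):
    """Fewest operators whose combined reach meets the threshold (exact)."""
    r = reach(validators, grants)
    for k in range(1, len(r) + 1):
        for combo in combinations(sorted(r), k):
            if len(set().union(*(r[op] for op in combo))) >= threshold:
                return k, combo
    return None  # threshold exceeds the number of validators


def stale_grants(grants, today):
    """Grants still present after their intended end date."""
    return [(g, v) for g, v, ends in grants if ends < today]


if __name__ == "__main__":
    today = date(2022, 3, 23)  # illustrative review date
    for threshold in (5, 8):
        print(threshold, min_operators_for_quorum(VALIDATORS, GRANTS, threshold))
    print("no grant, 5-of-9:", min_operators_for_quorum(VALIDATORS, [], 5))
    print("stale:", stale_grants(GRANTS, today))
```

A result of one operator means the multisig has collapsed to a single point of failure for that threshold, regardless of how many validators exist on paper.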


“Through this unfortunate event, we hope to remind users and projects of the importance of proper private key management,” said Ronghui Gu, CEO and co-founder at crypto security auditor CertiK, to IT Pro. “Sky Mavis applied a multisig to avoid the single point of failure, which is a great step in security.

“However, during an event for Axie DAO growth, access was given to the Axie DAO validator access to distribute free transactions back in November 2021. This access was not revoked later and gave the attacker access. It is very important to remember to revoke the allow list or white list access after an event or function is completed.”

The hack on the Ronin blockchain has already been described as one of the biggest hacks related to cryptocurrency to date, following a series of similar attacks sparking a global trend in 2021.

“This latest attack aimed at stealing cryptocurrency assets is, unfortunately, the latest in a long-standing and growing trend,” said Steve Forbes, government cyber security expert at Nominet to IT Pro.

“The last few months of 2021 saw cyber criminals steal nearly $200 million worth of cryptocurrency from BitMart, which was quickly followed by an attack on 400 users. The attack being reported today against the gaming-focused Ronin Network is already speculated as being the largest crypto hack to date, with an estimated $625 million stolen in a combination of Ethereum and US dollars.”

Connor Jones
News and Analysis Editor