The makers of one of the most popular blockchain-based online games said Tuesday that hackers were able to steal assets worth about $625 million from the gaming company and its players.
The theft immediately became one of the largest in the history of the burgeoning world of cryptocurrencies and decentralized online gaming, both of which have skyrocketed in popularity in recent years.
The hackers targeted Ronin, a blockchain service run by the owners of Axie Infinity, which is an online game that attracts around 2 million daily users and sees tens of millions of dollars in daily sales volume. Ronin said Tuesday in a blog post that hackers were able to essentially take control of the network and send 173,600 ethers, worth about $600 million, to an anonymous ethereum wallet. The hackers were also able to withdraw about $25.5 million of USD coin, which is a digital currency pegged to the value of the U.S. dollar.
Ethereum, like bitcoin, is a cryptocurrency based on blockchain technology, in which many computers contribute to a shared database that is not controlled by any single entity. Hacks of cryptocurrencies such as bitcoin and ethereum have jumped in recent years as they’ve grown in value. They are different from traditional, government-backed currencies such as the U.S. dollar in that they’re purely digital and all transactions are recorded on a decentralized computer ledger known as a blockchain.
Axie Infinity is an online game started in 2018 in which people collect and create mythical creatures and then battle them against other users. It uses non-fungible tokens to track ownership and reward users for playing. It is run by Sky Mavis, a Vietnam-based game developer that has attracted high-profile investment from the venture capital firm Andreessen Horowitz and Dallas Mavericks owner Mark Cuban.
It can cost around $100 to start playing the game, according to websites that follow Axie Infinity, while some people have said it’s not uncommon for people to spend $1,000 to start a team of creatures.
Sky Mavis did not immediately respond to a request for comment.
Jeffrey Zirlin, co-founder of Sky Mavis, said on Twitter: "This is when we show what we’re made of. Chaos is a ladder."
The Ronin hack is the latest in a string of high-profile crypto thefts, a relatively new and complicated category of crime that threatens one of the hottest parts of the internet economy. Owners of digital currency and law enforcement are still grappling with the scale of the threat, and last month, the FBI launched a new crypto crime unit.
While the major blockchains such as the one behind bitcoin have remained secure, tech companies are building services on top or alongside them that don’t always have the same level of security or decentralization.
It’s not clear who was behind the hack or if they will be able to liquidate any of the stolen assets, since ethereum can easily be tracked as it is sent between digital wallets. In some recent thefts, hackers have agreed to return assets in return for a percentage of the value of the assets.
Tom Robinson, chief scientist and co-founder at Elliptic, a cryptocurrency compliance firm based in London, said they have been tracking the funds from the theft as they move through transparent blockchain systems. The funds have ended up in at least two large exchanges so far, he said.
“It was a huge honeypot for hackers,” Robinson said of the Ronin network.
Changpeng Zhao, CEO of Binance, one of the largest cryptocurrency exchanges, said on Twitter that his company is working with Axie Infinity to track the stolen funds.
The theft rivals a heist of about $600 million in cryptocurrency that another blockchain company, Poly Network, disclosed in August. A person claiming to be the hacker behind that attack said they did it “for fun,” and nearly half the funds were returned within about a day.
Based on the value of the funds at the time of theft, the Poly hack qualifies as the largest crypto heist ever, with the Ronin hack second at $540 million, according to Elliptic. The value of some cryptocurrencies has risen since March 23, when the Ronin network said the hack began.
The hack has affected users of the online game, who are now unable to withdraw or deposit funds to the Ronin service. The company said it was committed to making users whole and that it was working with law enforcement and forensic cryptographers.
“Sky Mavis is committed to ensuring that all of the drained funds are recovered or reimbursed,” the company said on Substack.
Axie Infinity has become one of the top NFT-based online games, with its digital tokens worth around $4 billion as of Tuesday afternoon, according to CoinMarketCap.com, which tracks the value of cryptocurrencies and other digital assets.
Axie Infinity’s token is based on the ethereum blockchain, which has become the go-to blockchain for many developers to build everything from games and virtual worlds to NFTs.
Robinson said the Ronin Network was much more vulnerable to hackers than the original cryptocurrency, bitcoin. That’s because the network had only nine “validators,” the digital equivalent of a link in a chain, whereas bitcoin has thousands.
And, he said, one person had possession of four of the validators, so it wasn’t so difficult for hackers to get control of a majority of the nine.
“There were only two entities that they had to compromise to get control,” Robinson said.
“The whole ethos behind crypto is to be highly decentralized,” he added. “A few of these DeFi [decentralized finance] services are compromising on that for ease of use and becoming more centralized. Those are the ones that are being attacked.”