Blockchain Intelligence Group Investigates The Mystery of the Biggest Cryptocurrency Hack

Blockchain Intelligence Group Solves The Mystery of the Biggest Cryptocurrency Hack
The Ronin bridge is back online 3 months after it was subject to the biggest cryptocurrency hack. This article is a preview of Blockchain Intelligence Group’s deep dive into the hack details and stolen fund movement. Check out the full report: Ronin Hack, The Aftermath.

On March 23, 2022, hackers stole 173,600 Ethereum and 25.5M USDC in total from the Ronin network over 2 transactions. It was only when one of the customers failed to withdraw 5,000 ETH that the theft was discovered and the platform was put offline by the owners. The FBI confirmed North Korean Lazarus Group and APT38 were behind the exploit.

Sky Mavis is the Vietnamese company behind the blockchain play-to-earn (P2E) gaming metaverse Axie Infinity. The company was founded in 2018 by Jeffrey Zirlin and a team with previous experience in blockchain gaming investment. Sky Mavis launched Axie Infinity in October 2018, and it grew into a multi-billion-dollar business. In 2021, Sky Mavis developed the Ronin sidechain to improve the transactional performance and cost of passing funds between the Ronin network and Ethereum.

The Ronin network provides multiple services to Axie Infinity. The services include Katana, an in-house decentralized exchange, wallet services and Non-Fungible Tokens (NFTs). Most importantly, the Ronin wallet extension allows users to play Axie Infinity and other decentralized applications running on Ronin. 

According to Consensys, Axie Infinity was arguably the biggest crypto application in the Decentralized Finance (DeFi) and NFT space in July 2021. The firm was doubling its revenue every month. According to Covalent, in just 3 years Axie Infinity had built a player base of 8.3 million and still had room for growth. Coinmarketcap.com shows that in November 2021 Axie Infinity traded for $160 USD before hitting rock bottom in recent months.

The Attack

The Ronin team explained: “Sky Mavis’ Ronin chain currently consists of nine validator nodes. In order to recognize a Deposit event or a Withdrawal event, five out of the nine validator signatures are needed. The attacker managed to get control over Sky Mavis’s four Ronin Validators and a third-party validator run by Axie DAO.”

The Ronin team highlighted a vulnerability in the validation protocol which the hackers exploited. When the Axie Infinity coin price rose rapidly in November, customers making transactions put a heavy load on the servers. Sky Mavis requested help from the Axie DAO to distribute gas-free transactions and relieve the user load.

“The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked,” said the Ronin team.

Upon breaching Sky Mavis’ systems, the hackers used the same workaround to get access to 1 extra validation node and approve the hack transaction worth over $629.3 million at the time. 
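The threshold arithmetic described above, as an added example (not code from Sky Mavis or Blockchain Intelligence Group): a small audit that counts how many independent operators must be compromised to reach the five-signature threshold, with and without the leftover allowlist. The operator names for the four remaining validators, the validator labels and the data layout are assumptions.

```python
from itertools import combinations

THRESHOLD = 5  # signatures needed to recognize a deposit or withdrawal (from the article)

# Constructed model of the nine-validator set. Operator names other than
# Sky Mavis and Axie DAO are placeholders; the article does not name them.
VALIDATORS = {
    "v1": "Sky Mavis", "v2": "Sky Mavis", "v3": "Sky Mavis", "v4": "Sky Mavis",
    "v5": "Axie DAO",
    "v6": "operator-A", "v7": "operator-B", "v8": "operator-C", "v9": "operator-D",
}

# Delegations as (grantor, grantee, still_needed). The Axie DAO allowlist let
# Sky Mavis sign on its behalf; use ended in December 2021 but access remained.
DELEGATIONS = [("Axie DAO", "Sky Mavis", False)]


def reachable_signatures(compromised, validators, delegations):
    """Count validator signatures obtainable after compromising the given operators."""
    controlled = set(compromised)
    changed = True
    while changed:  # follow delegation chains transitively
        changed = False
        for grantor, grantee, _ in delegations:
            if grantee in controlled and grantor not in controlled:
                controlled.add(grantor)
                changed = True
    return sum(1 for op in validators.values() if op in controlled)


def min_operators_to_threshold(validators, delegations, threshold):
    """Smallest set of operators whose compromise yields `threshold` signatures."""
    operators = sorted(set(validators.values()))
    for size in range(1, len(operators) + 1):
        for combo in combinations(operators, size):
            if reachable_signatures(combo, validators, delegations) >= threshold:
                return combo
    return None


def stale_delegations(delegations):
    """Delegations that are no longer needed and should have been revoked."""
    return [(g, t) for g, t, needed in delegations if not needed]


if __name__ == "__main__":
    print("with allowlist:", min_operators_to_threshold(VALIDATORS, DELEGATIONS, THRESHOLD))
    print("after revocation:", min_operators_to_threshold(VALIDATORS, [], THRESHOLD))
    print("stale:", stale_delegations(DELEGATIONS))
```

With the allowlist in place a single operator reaches the threshold; once the delegation is revoked, two separate organizations would have to be breached.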

Blockchain Intelligence Group’s Investigations

Over the course of 42 days, the hackers gradually moved the stolen funds out of the hacker’s wallet, which is currently resting at 1 ETH, down from an all-time high of 182,163 ETH on March 23rd.

Timeline: Stolen funds flow out of the hacker’s wallet

In crypto crime, perpetrators typically use anonymizing services to obfuscate stolen funds in an attempt to mislead the world. In this case, there was extensive use of the popular Ethereum mixer Tornado Cash to set back the investigations.

Our Intelligence team, featuring QLUE, identified a correlation between the amount of funds going into Tornado Cash and the amount going out to new addresses, which then sent the funds across to the Bitcoin blockchain using the RenBTC gateway within the same time period.


Written By: Omar Marzouk
Writer, Content marketing at Blockchain Group

