Hackers steal more than $600M from Ronin blockchain used to play Axie Infinity

It's one of the largest crypto heists in history.
The Treasury Department sanctioned Blender, a virtual currency mixer which it says North Korean cybercriminals used to launder $20.5 million stolen as part of a $620 million heist which exploited users of the Pokemon-inspired blockchain game Axie Infinity. (image via Axie Infinity)

The cryptocurrency used to play the Pokémon-inspired blockchain game Axie Infinity was the target of a March 23 crypto heist of more than $600 million, one of the largest in history.

In February 2021, the Ronin blockchain debuted. Ronin offers 20 free transactions to each account holder.

In a newsletter posted to the Ronin Network Substack page, its leaders said the Ronin bridge that connects Axie Infinity’s Ronin sidechain to ethereum and Katana Dex, a decentralized exchange in the Axie Infinity ecosystem, have been halted while they work with law enforcement, forensic cryptographers, and investors to recover the stolen cryptocurrency.

The hacker compromised the Ronin and third-party Axie DAO validator nodes using hacked private keys to forge fake withdrawals, the newsletter said.


The Ronin chain includes nine validator nodes of which five signatures are needed to deposit or withdraw cryptocurrency. The attacker took control of Sky Mavis’ four Ronin validators and a third-party validator run by Axie DAO, the newsletter said. 

Last week’s hack can be traced back to November 2021 when Sky Mavis, the company behind Axie Infinity, asked Axie DAO for support distributing free transactions due to what the Ronin newsletter called “an immense user load.” The arrangement continued until December 2021, but the newsletter said that “allowlist access” was not revoked when it ended, allowing the hacker to enter Sky Mavis systems and obtain “the signature from the Axie DAO validator.”

The Ronin newsletter said it is actively guarding against future attacks and have increased their validator threshold to eight from five. They said they have paused the Ronin bridge temporarily to be sure no attack vectors remain open.

“Hacks on the crypto sector have been a problem for years, and incidents involving multi-million dollar losses seem to be happening every few months implying an industry-wide security problem,” Emsisoft threat analyst Brett Callow said via email. “The real question is how many more of these incidents can occur before either people lose confidence in the sector or regulators feel it necessary to step in to protect the public.”

Ronin only learned of the breach on Tuesday, after a report from a user unable to withdraw from the bridge. Users with funds on Ronin Network cannot withdraw or deposit funds as of now, but Sky Mavis is committed to ensuring that all of the drained funds are recovered or reimbursed, the newsletter said.


“We are working with Chainalysis to monitor the stolen funds,” the newsletter said.

Suzanne Smalley

Written by Suzanne Smalley

Suzanne joined CyberScoop from Inside Higher Ed, where she covered educational technology and from Yahoo News, where she worked as an investigative reporter. Prior to Yahoo News, Suzanne worked as a consultant to the economist Raj Chetty as he launched his Harvard-based research institute Opportunity Insights. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and covered two presidential campaigns for Newsweek. She holds a masters in journalism from Northwestern and a BA from Georgetown. A Miami native, Suzanne lives in upper Northwest Washington with her family.

Latest Podcasts