- Joe Tidy
- Cyber Correspondent
Thousands, if not millions, may have lost their money in the second largest cryptocurrency hack in history.
$615 million was stolen from Ronin Network, the main platform that powers the popular mobile game Axis Infinity.
One of those affected is Dan Ren, a 20-year-old from Wiltshire. He told the BBC: “I lost 0.15 Ethereum, which is about $500. It’s bad but I have friends who are worse off.”
“I lost about $10,000,” said Jack Kenny, one of those friends.
The 23-year-old from Ireland added: “I don’t think people fully understand the significance of this hack, the $600 million is a big part of all the assets in this network.”
Another man from the East Coast of the United States says he lost $8,000 but adds that there are people who may have lost their “savings” after saving cryptocurrency from playing Axi Infinity.
In the game, players fight animated pets called “Axis” in order to earn cryptocurrency.
The game is very popular with millions of players around the world hoping to win cryptocurrency and collect NFT tokens.
The game is very popular especially in the Philippines, where playing the game has become a profitable and full-time business.
The Ronin Network, which is also owned by the Vietnamese parent company Sky Mavis, allows players to exchange the cryptocurrencies they earn in Axis Infinity for other cryptocurrencies such as Ethereum.
The hackers are said to have transferred $540 million worth of cryptocurrency to themselves six days ago, but the company only noticed this on Tuesday when a customer was unable to withdraw his funds.
The value of the stolen coins increased as the value of cryptocurrencies rose to about $615 million.
This operation is only the latest in a series of mass cryptocurrency thefts over the past year, totaling more than $2 billion.
The sequence of events related to the hacking operation tells us a lot about the dangers of cryptocurrencies and decentralized finance.
Will customers get their money back?
The Ronen Network says it “works with law enforcement officials, forensic coders and our investors to ensure that all funds are recovered or compensated.”
First, the network posted a statement on its newsletter service and then took its website offline.
She has also turned off comments on her company’s social media posts.
The company later responded to BBC requests for comment, saying it was “committed” to compensating customers but would not provide guarantees.
“I didn’t try to contact customer service because I knew that would be pointless,” Dan says.
Dan explains sympathetically, “I can only wait to hear from them if and when the bug will be fixed, and I hope to be able to get my money back in Ethereum. Cryptocurrency companies don’t really operate in the same way as regular companies.”
The Ronin Network has not yet told clients what happened to their money or when they will get it back.
In most cases of mass cryptocurrency hacking, customers are compensated in some way, but the process can take several months or years.
Cryptocurrency writer David Kanellis of Brutus says direct communication with cryptocurrency companies is very weak.
“When you’re dealing with entities that deal with more than half a billion dollars, you’d expect there’s more than one method, and an openness of communication, especially when there’s such a lapse in security around the hacking process,” David said.
“But again, one of the core principles of the ecosystem is that absolutely anyone can launch their own business, and there should be no barriers to that.”
how did that happen?
Ronin says the hacking operation began in November 2021, when the user base of Axis Infinity swelled to an unsustainable size. The company said the influx of players caused a “huge load of users”, forcing the company to relax its security measures to accommodate the growing demand.
She says that things calmed down in December, but she forgot to re-tighten her security measures, so hackers took advantage of that loophole that remained open.
“This is quite typical of cryptocurrency companies,” says economist and author Francis Coppola.
“We’ve seen a lot of piracy and exploitation caused, let’s be frank, out of sheer negligence and a lack of concern for the safety of people’s money,” he says.
“Cryptocurrency companies are sometimes so eager to make a lot of money, or simply absorb high demand, that they put badly designed and tested code, undermine security, or place a heavy reliance on infrastructure,” he concludes.
Five biggest cryptocurrency hacks
The following numbers are from cryptocurrency analytics firm Elliptic, based on the dollar value at the time of the hack:
$325 million – Wormhall, February 2022
$470 million – MT Jukes, February 2014
$532 million – Koenchik, January 2018
$540 million – Ronin Bridge, March 2022
$611 million – PolyNetwork, August 2021
Why does this happen constantly?
Experts say cryptocurrency is increasingly seen by hackers as an easy-to-access fruit.
Tom Robinson of Elliptic says cryptocurrency partners are “big honey jars for hackers”.
“Cryptocurrency transactions are not reversible, so if a hacker gets his hands on it, it’s very difficult for anyone to get them back,” he says.
Robinson also says it’s attractive because it’s possible to get big money without the added hassle of virtual crimes like ransomware, where criminals have to negotiate with hacked companies.
It is still unknown who was behind the latest hack, but it is not necessary that the hypothetical criminals carried out the operation to make money for themselves.
According to cryptocurrency researchers at Chainalysis, North Korean hackers stole nearly $400 million worth of digital assets in at least seven attacks on cryptocurrency platforms last year.