Hackers stole more than $500 million from the networks of cryptocurrency network Ronin late last month. It is estimated to be the second-largest cryptocurrency theft ever. For a hacker, Ronin was a tempting target. The Axie Infinity video game, which has an estimated 8 million players and has attracted analogies to action-driven amassing games like Pokémon Go, is supported by the blockchain initiative.
Pattern in attacks
Axie Infinity is a big topic with a lot of money at stake. NFTs, or non-fungible tokens, are used by players to acquire Axis, which are unique digital assets. The monsters can reproduce, fight, and even be traded for real money.
As users recognize the opportunity to make real money, the game has grown popular. One 22-year-old player from the Philippines is said to have used his money from the game to purchase two residences in Manila in 2020. Another player stated last year that he made more money from Axie Infinity and other online games than he did from his full-time work at Goldman Sachs.
However, the game’s foundations confront serious security issues. To play, players must use a blockchain “bridge” mechanism to transfer funds from Ethereum to Ronin. Ronin is an Ethereum “sidechain” – a scaling solution that lets transactions happen quicker than on Ethereum, which is clogged with activity. Because the game is hosted on this sidechain, it may expand without losing functionality. Because bridges may contain a lot of money at once, hackers grabbed control of the assets and fled with the money by hacking the Ronin Bridge, which transported participants’ funds across blockchains.
THIS WEEK, the US administration announced that it believes North Korean hackers carried out the crime. However, this is only the latest in many high-profile crypto thefts. The crypto exchange Coincheck was robbed of more than $530 million in 2018. In February, hackers stole $320 million from the decentralized banking site Wormhole (but the money was subsequently restored). In the same month, authorities charged strange couple Ilya “Dutch” Lichtenstein and his wife, Heather Morgan – widely known for her cringe-worthy raps on TikTok under the moniker Razzlekhan – with conspiring to launder billions of dollars in bitcoin stolen from the crypto exchange Bitfinex in 2016.
There’s a pattern here.
According to Chainalysis, a firm that provides blockchain data and analysis to banks, governments, and other companies, $3.2 billion in bitcoin was stolen from individuals and services in 2021. (According to Reuters, Ronin is also working with Chainalysis to track down the cash taken in the incident.) This sum is about six times what was born in 2020. According to specialists at Chainalysis and other security businesses, more than $1 billion has been stolen so far this year.
Smart contract vulnerabilities
The high-profile hacking and large quantities of money involved have sparked concerns about how vulnerable the blockchain, which has long been a secure location to hold assets, is to such attacks.
According to several experts, the increase in cases of crypto theft is due to the fact that bitcoin is now more extensively used and understood than ever before. “You’re effectively putting a lot of money on the table, and it’s a very public table,” said Nicholas Christin, an associate professor of computer and network security at Carnegie Mellon University. It might be tempting for a hacker to pounce when significant quantities of money are openly moving around on these transparent networks.
Experts believe it’s crucial to distinguish between the blockchain and other programs that run on top of it in order to comprehend how these heists are accomplished. The blockchain is a distributed public ledger that facilitates peer-to-peer transactions. Bitcoin, Ethereum, and Solana are all constructed on top of this underlying layer. Smart contracts, which operate on top of blockchains, form the second most commonly abused layer. Smart contracts are code-based agreements that automatically execute when the contract’s terms are satisfied. The most typical comparison is to a digital vending machine:
- Choose a product.
- Enter the appropriate amount of money.
- Immediately dispose of your item.
These agreements are non-cancelable.
According to Christin, hackers gain access to the money through these second-layer systems by exploiting defects in the code or obtaining the secret keys that allow them to access the systems. Some hackers even use smart contracts to divert payments to their own accounts.
The hacker gained enough secret keys to control the bridge and drain the cash in the Axie Infinity attack on the Ronin Bridge. The payoff was significant because so many people had their assets on the bridge.
“The blockchain system that underpins it is safe,” said Ronghui Gu, founder, and CEO of Certik, a blockchain security startup. “However, the programs that operate on top of them — the smart contracts – are still like any other program, with software defects and vulnerabilities.”
Hackers frequently attempt to exploit the coding of one of their targets. It also helps that much of the code for blockchain systems is open source, making it easy for hackers to examine the code and uncover any problems.
“People say ‘in code we believe,’ yet the code itself is not really trustworthy,” Gu explained. Gu noted that when he first established his blockchain security business in 2018, just a few organizations employed third-party security services like his to audit and review their code—a vital security backup—but that number has progressively increased.
Hackers frequently attack cryptocurrency exchanges. Exchanges are similar to banks because they are central institutions that retain large sums of money for their users, and their transactions are irrevocable. They’re an intermediary software, similar to bridges, that is targeted. “Those large exchanges are carrying a massive bullseye on their back,” Christin explained.
Victims are left with a significant security responsibility.
It can be challenging for burglars to pay out crypto assets once they have been taken, especially if the crime is in the nine-figure area. As a result, money is sometimes stuck in limbo for years, if not eternally. Due to the unpredictable nature of the crypto market, the value of the stolen assets may vary throughout that period.
According to the Chainalysis crypto crime study, criminals already have at least $10 billion in cryptocurrencies, which was gained through theft—although these transactions and holdings can be traced because of blockchain openness, determining the culprit’s identity is difficult until the assets are paid out.
The Bitfinex controversy may be used as a case study in attempted money laundering. “For a very long period, the monies did not move. Then, when they tried to begin the laundering process, this provided a chance for law enforcement to become involved once more because people are paying attention to these hacks, “Kim Grauer, Chainalysis’s director of research, agreed.
There are limited options for victims of the scams to retrieve their assets. “It’s not that horrible for a bank if their security fails,” said Ethan Heilman, a cybersecurity specialist and co-founder of cloud provider BastionZero. “However, if you’re a bitcoin exchange and someone drains all of your cryptocurrency, that’s terrible.” The blockchain lacks the safeguards that banks put in place to protect their customers. If one’s credit card is stolen, insurance coverage usually assures that the money is returned. On the other hand, transactions on the blockchain are permanent- there is no undo button.
As a result, individual users bear a significant security responsibility in order to protect their assets. “End-users may not be aware of the security hazards they are exposing themselves to,” Christin stated. “To be honest, even people in the field don’t have time to look through the source code of a smart contract.”
It’s easy to be a robbery victim if one entrusts their keys to the improper second-layer middleman. Most people aren’t used to this kind of responsibility. According to Heilman, Crypto firms are beginning to take security more seriously, but a future without attacks is unrealistic. He explained, “You never get secure. You grow more secure.” “Given the simplicity with which a weakness in one of these systems can be exploited, I believe we will continue to see things hacked, and the question will no longer be, “Is there a new hack this month?” ‘How frequent are the hacks this month?’ will be.”
“There are significant obstacles that the business must overcome to scale and flourish truly,” Grauer explained, “because you can’t have a healthy expanding market if everyone is frightened of being hacked.”