Axie Infinity: $625 million in cryptocurrency stolen

Through a hack of the blockchain behind the popular online game Axie Infinity, attackers have stolen cryptocurrency equivalent to around $625 million. One of the biggest crypto thefts of all time went unnoticed for around a week in the process.

Million-dollar hack of online game Axie Infinity’s bridge software

Blockchain online game Axie Infinity, released back in 2018 by Vietnamese developer Sky Mavis, fell victim to a multi-million dollar hack. According to the developers’ statement, attackers managed to hack the game’s underlying blockchain Ronin, resulting in a theft of around $625 million.

173,600 units of the digital currency Ethereum (current equivalent: around $600 million) and 25.5 million units of USDC were captured. USDC (USD Coin) is a stablecoin whose value is pegged to that of the real US dollar and can therefore be transferred one-to-one.

According to Sky Mavis, the attack occurred as early as March 23, 2022, but the hack was not noticed until a week later due to feedback from a user who was suddenly unable to make transactions.

Cryptocurrency exchange halted

“We are in contact with security firms of major trading houses and working with investigative agencies as well as forensic experts. At the same time, we have temporarily disabled Ronin Bridge to ensure that no further attacks occur,” the developers continue.

At the same time, they said, they want to make sure that no money captured from users as a result of the hack is lost and are trying to recover the captured amount. According to the developers, the hack succeeded because the attackers used compromised private keys to appropriate the cryptocurrency.

A piquant detail: Apparently, the hackers used a security vulnerability that the developers installed themselves at the end of last year in order to cope with the rapidly increasing number of users. At the time, the team turned to the decentralized organization Axie DAO to perform the fee-free crypto transactions. Although the gap was already closed again in December 2021, the necessary access and action rights were apparently not revoked in the process.

The majority of the cryptocurrency captured by the hackers is still in the possession of the attackers. The money is now said to be tracked to track movements.