PYMNTS Crypto Crime Series: Latest DeFi Hack Drains Record $625M

The PYMNTS crypto crime series looks at the capers that have not only been committed in the cryptocurrency industry but have defined it — and especially bitcoin — in many people’s minds.

In it, we’ll give you a look at the realities and the myths, the methods and tools, and the ways authorities and private securities are starting to break through the mythical anonymity that many criminals — and honest people — believe shields their transactions absolutely.

Before we get to, “How do you lose $625 million,” let’s pause to ask, “How do you lose $625 million and not notice for six days?”

Actually, we haven’t gotten an answer for the second one yet, as Ronin Network, the cross-chain payments bridge that was exploited, has only said it “discovered the attack this morning after a report from a user being unable to withdraw 5k ETH” — referring to ether, the No. 2 cryptocurrency.

The latest crypto hack was the largest ever, a title that does not seem to be lasting very long these days. It saw 173,600 ether, worth about $600 million, as well as 25.5 million USDC dollar-pegged stablecoins, drained from the bridge protocol.

Ronin Network is a bridge protocol, a key part of many decentralized finance (DeFi) DApps and platforms that enables users to deposit one cryptocurrency and withdraw a “wrapped” version that is usable on another blockchain. This allows borrowers to make transactions without the hassle and cost of trading one crypto for another on an exchange.

Ronin serves Axie Infinity, the top blockchain-based MMO game. Axie Infinity is a play-to-earn game with an NFT economy, and its users are by far the top users and traders of non-fungible tokens: Almost 2.6 million players have bought and sold more than $4 billion worth of NFTs in 15.3 million transactions.

Ronin provides Axie players with a very low-fee way to obtain and return the Ethereum — which can command high fees on exchanges — needed to play and transact in the game. That’s key, because there is a large community of players — mostly in low-income countries — earning money and even a living by collecting valuable NFTs to sell to Axie’s more than eight million players.

The game studio behind Axie Infinity, Sky Mavis, has pledged to reimburse players who lost funds. It is also working with various law enforcement agencies and blockchain intelligence firm Chainalysis to track the criminals. Ronin Network has been paused while the investigation continues.

Broken Bridges

In August, the Poly Network bridge serving 15 blockchains lost $612 million to a hacker who spotted a flaw in its smart contracts, letting him drain its coffers — before, miraculously, giving it all back over the next few weeks.

Then last month, on Feb. 2, Ethereum-to-Solana bridge Wormhole was hit with another code exploit in which $326 million was drained. And while it was not returned, the project’s developers and backers made good the losses.

“If a bridge has the ability to mint tokens, it’s like taking control of the minting machines,” Yat Siu, co-founder of Animoca Brands, an investor in Sky Mavis, told Bloomberg in a pre-hack interview. “Bridges are authorities at this point, and if they are designed badly or have vulnerabilities, they become a huge risk to the ecosystem.”

This leads us to a third question: After three robberies totaling $1.5 billion since August, why would you possibly entrust your crypto to a bridge protocol?

Staking Uncertainty

Judging by the postmortem by Ronin Network, this exploit showed not just the danger inherent in bridge protocols, but the problem with broader DeFi and proof-of-stake (PoS) consensus mechanisms used to replace the difficult-to-scale and environmentally devastating proof-of-work (PoW) mining consensus mechanism used to secure and add transaction information to bitcoin-style blockchains.

According to Chainalysis’ recent 2022 Crypto Crime Report, $3.2 billion in crypto was stolen from individuals and projects last year. $2.3 billion of that was from DeFi.

Like other PoS projects, Ronin Network uses validators who put up stakes that amount to bonds for good behavior, which are automatically “slashed” with fines for bad behavior. That leaves two problems.

First, if the prize is large enough, it’s worth losing those stakes, which generally aren’t too large in comparison to the value of the crypto involved. That doesn’t appear to be the problem in this case.

The second problem, which is what came back to bite Ronin Network, is that it had only nine validator nodes securing the network, with the approval of five needed to move funds. Four nodes run by Ronin Network and another by Axie Infinity had their passwords hacked, Ronin said. It has added three more validator nodes as an initial precaution.

“The theft came as a result of an attacker hacking the ‘validator nodes’ of the Ronin bridge,” leading blockchain intelligence firm Elliptic explained. “Funds can be moved out there if five of the nine validators approve it. The attacker managed to get hold of the private cryptographic keys belonging to five of the validators, which was enough to steal the cryptoassets.”
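The five-of-nine rule described above counts keys, not the organizations holding them. As an added illustration (not code from Ronin, Sky Mavis or Elliptic), the audit below computes how few distinct operators must be compromised before a validator set reaches its approval threshold; the validator names and the four "independent" operators are constructed placeholders, since the article names only two operators.

```python
from collections import Counter

def operators_needed(validator_operators, threshold):
    """Smallest list of operators whose validators together meet the
    approval threshold, or None if the threshold cannot be reached."""
    counts = Counter(validator_operators.values())
    chosen, approvals = [], 0
    # Taking the operators with the most validators first minimises
    # the number of separate organizations involved.
    for operator, n in counts.most_common():
        chosen.append(operator)
        approvals += n
        if approvals >= threshold:
            return chosen
    return None

def audit(validator_operators, threshold):
    """Summarise how concentrated signing power is across operators."""
    counts = Counter(validator_operators.values())
    needed = operators_needed(validator_operators, threshold)
    top_operator, top_count = counts.most_common(1)[0]
    return {
        "validators": len(validator_operators),
        "threshold": threshold,
        "distinct_operators": len(counts),
        "operators_needed": len(needed) if needed else None,
        "largest_operator": top_operator,
        # How many more approvals the largest operator needs on its own.
        "short_of_threshold": max(threshold - top_count, 0),
    }

# Constructed from the article: nine validators, five approvals required,
# four nodes run by Ronin Network and one by Axie Infinity. The remaining
# four operators are placeholders (assumption, not from the article).
RONIN_AS_DESCRIBED = {f"validator-{i}": "Ronin Network" for i in range(1, 5)}
RONIN_AS_DESCRIBED["validator-5"] = "Axie Infinity"
RONIN_AS_DESCRIBED.update(
    {f"validator-{i}": f"independent-{i}" for i in range(6, 10)})

# Constructed comparison: the same 5-of-9 rule, one operator per validator.
ONE_OPERATOR_EACH = {f"validator-{i}": f"operator-{i}" for i in range(1, 10)}

if __name__ == "__main__":
    for name, vset in (("as described", RONIN_AS_DESCRIBED),
                       ("one operator each", ONE_OPERATOR_EACH)):
        print(name, audit(vset, threshold=5))
```

With the article's distribution, the nominal five-of-nine threshold collapses to two operators; with one operator per validator it stays at five.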

At the time of its Tuesday (March 29) blog post, Elliptic said about $41.5 million had been laundered through both centralized and decentralized exchanges, or DEXs. The USD Coins were sold off at several DEXs almost immediately, as many stablecoin issuers can freeze their tokens. Next, $16 million in ethereum was sold through centralized exchanges.

A number of major exchanges, including Binance and Huobi, have pledged to help track and recover any stolen funds with their own security teams. Binance said it has halted deposits and withdrawals of Ronin Network’s RON token, as well as suspending withdrawals of wrapped ether — wETH — and conversions of wETH to the far easier-to-trade ETH. Many cross-chain bridges use wrapped ether.