$625 Million Stolen in Axie Infinity NFT Digital Heist
The blockchain system running the popular NFT game Axie Infinity has been hacked, with around $625 million in digital assets stolen.
The Ronin Network published a blog post Tuesday saying it had been "exploited" for 173,600 Ethereum and 25.5 million USDC. It's now working with law enforcement, forensic cryptographers, and its own investors to ensure that "all funds are recovered or reimbursed."
Ronin Network said it discovered Tuesday that the Ronin validator nodes run by Axie Infinity development studio Sky Mavis, and the Axie DAO nodes, had been compromised one week earlier. Two transactions took place, with the hacker using "private keys" to make fake withdrawals.
"The validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one, but the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator," Ronin Network said. "This traces back to November 2021 when Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load. The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked.
"Once the attacker got access to Sky Mavis systems they were able to get the signature from the Axie DAO validator by using the gas-free RPC. We have confirmed that the signature in the malicious withdrawals match up with the five suspected validators."
Ronin Network says it now requires eight validations, up from five, on all deposits and withdrawals to prevent future heists. Users are currently unable to deposit or withdraw funds on Ronin Network as the company works to secure the network and recover the stolen funds.
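A defender-side audit of the condition described in the statement, as an added example (not code from Ronin Network or Sky Mavis): it flags signing delegations that outlived their purpose and any single operator who can reach the withdrawal threshold alone. The validator names, the nine-node ownership split and the exact dates are constructed assumptions; only the thresholds of five and eight and the December 2021 discontinuation come from the article.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Delegation:
    validator: str      # validator whose signature can be requested
    delegate: str       # operator allowlisted to request it
    needed_until: date  # when the business need for the delegation ended
    revoked: bool       # whether the allowlist entry was actually removed

def reachable_signers(operator, owners, delegations):
    """Validators whose signature `operator` can obtain: its own nodes
    plus every validator that still allowlists it."""
    own = {v for v, o in owners.items() if o == operator}
    lent = {d.validator for d in delegations
            if d.delegate == operator and not d.revoked}
    return own | lent

def audit(owners, delegations, threshold, today):
    """Return findings as tuples, stale delegations first."""
    findings = []
    for d in delegations:
        if not d.revoked and d.needed_until < today:
            findings.append(("stale-delegation", d.delegate, d.validator))
    for op in sorted(set(owners.values())):
        n = len(reachable_signers(op, owners, delegations))
        if n >= threshold:
            # Compromising this one operator is enough to approve a withdrawal.
            findings.append(("single-operator-quorum", op, n))
    return findings

# Constructed sample topology (assumption, not taken from the article).
OWNERS = {
    "sm-1": "sky-mavis", "sm-2": "sky-mavis",
    "sm-3": "sky-mavis", "sm-4": "sky-mavis",
    "axie-dao-1": "axie-dao",
    "ext-1": "partner-a", "ext-2": "partner-b",
    "ext-3": "partner-c", "ext-4": "partner-d",
}
# Arrangement discontinued in December 2021 but never revoked (day constructed).
DELEGATIONS = [Delegation("axie-dao-1", "sky-mavis", date(2021, 12, 31), False)]
TODAY = date(2022, 3, 1)  # constructed audit date

if __name__ == "__main__":
    for threshold in (5, 8):
        print(threshold, audit(OWNERS, DELEGATIONS, threshold, TODAY))
```

In this sample, raising the threshold from five to eight removes the single-operator quorum finding, but the stale delegation is still reported until the allowlist entry itself is revoked.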
Axie Infinity is one of the most popular NFT-based games on the market, with Sky Mavis claiming it's seen $4 billion in NFT sales on the platform.