Late last month, hackers made off with what was then worth more than $500m from the systems of cryptocurrency network Ronin, in what is believed to be the second-largest cryptocurrency theft on record.
Ronin was a juicy target for a hacker. The blockchain project supports the wildly popular Axie Infinity video game, which with an estimated 8 million players has drawn comparisons to action-driven collecting games like Pokémon Go.
Axie Infinity is hot and involves substantial sums of money. Players purchase creatures called Axies in the form of NFTs, unique digital assets known as non-fungible tokens. The creatures can breed, battle and even be exchanged for cold, hard cash.
The game has swelled in popularity as players see the potential to earn real money. In 2020, one 22-year-old player from the Philippines reportedly bought two apartments in Manila with his earnings from the game. Last year, another player said he earned more through Axie Infinity and other online games than from his full-time job at Goldman Sachs.
But the underpinnings of the game face significant security challenges. To play, gamers must move their money from Ethereum to Ronin on a blockchain “bridge” system. Ronin is a “sidechain” of Ethereum – a scaling solution that allows transactions to happen faster than on Ethereum, which is congested by the amount of activity it hosts. Hosting the game on this sidechain ensures it can grow without losing functionality. Bridges can hold a lot of money at once, so by targeting the Ronin Bridge that transferred players’ assets between blockchains, hackers seized control of the assets and took off with the money.
The US government said this week it believes North Korean hackers are behind the heist. But it’s just the latest in a string of brazen high-profile crypto thefts. In 2018, more than $530m was stolen from the crypto exchange Coincheck. In February, hackers made off with $320m from the decentralized finance platform Wormhole (though that loot was eventually returned). And in that same month, in perhaps the most publicized cyber heist of the year, prosecutors charged odd couple Ilya “Dutch” Lichtenstein and his wife, Heather Morgan, – also known for her cringeworthy raps on TikTok under the name Razzlekhan – with conspiracy to launder billions of dollars worth of bitcoin stolen from the crypto exchange Bitfinex in 2016.
It’s a trend. In 2021, $3.2bn in cryptocurrency was stolen from individuals and services, according to a crypto crime report by Chainalysis, a company that provides blockchain data and analysis to banks, governments and other businesses. (Ronin is also working with Chainalysis to trace the funds stolen in the hack, according to Reuters.) The figure is almost six times this amount stolen in 2020. So far this year, more than $1bn has already been stolen, according to experts at Chainalysis and other security firms.
Vulnerabilities in smart contracts
The high-profile hacks and substantial sums of money involved have raised questions about how vulnerable the blockchain – long considered a secure place to store assets – is to such breaches.
Some experts say the rise in reports of cryptotheft come as cryptocurrency is more widely used and better understood than ever before.
“You basically have a lot of money on the table, and on a very public table,” said Nicholas Christin, an associate professor at Carnegie Mellon University who researches online crime and computer and network security. With large sums of money publicly moving around on these transparent systems, it can be enticing for a hacker to pounce.
To understand how these heists are possible, it’s important to distinguish between the blockchain and other programs that operate on top of it, experts say. The blockchain itself is a decentralized public ledger that allows for peer-to-peer transactions. It’s the foundational layer that bitcoin, Ethereum or Solana are built upon.
The second layer – the one that’s frequently exploited – are smart contracts that run on top of blockchains. Smart contracts are agreements in code that automatically execute when the terms of the contract are met. The common analogy is to a digital vending machine – select a product, put in the correct amount of money, and your item will be automatically dispensed. These contracts are irreversible.
The hackers weasel their way to the money through these second-layer systems by either taking advantage of bugs in the code, or getting hold of the private keys that will let them into the systems, explained Christin. Some hackers even subvert the smart contracts to redirect the funds into their hands.
In the Axie Infinity hack, which targeted the Ronin Bridge, the hacker obtained enough private keys to control the bridge and drain the funds. Since so many users had their assets in the bridge, the payout was massive.
“Underlying blockchain protocol is secure,” said Ronghui Gu, founder and CEO of the blockchain security firm Certik. “But the programs – the smart contracts – running on top of them are still like other normal programs, which can have software bugs and vulnerabilities.”
It’s common for hackers to try to exploit the code of one of their targets. And it helps that much of the code for blockchain programs is open source, making it easily accessible for hackers who want to look over the code and find potential bugs.
“In this world people say ‘in code we trust,’ but the code itself is indeed not that trustworthy,” said Gu. When he started his blockchain security firm in 2018, Gu explained, only a few companies used third-party security services like his to audit and assess their code – a critical security backstop – but he’s seen the number gradually tick up.
Crypto exchanges are also major targets for hacks. Exchanges are like banks, they’re central entities that hold massive amounts of their users’ money and transactions are irreversible. Like bridges, they are a middleman program that tends to be targeted. “Those big exchanges have a huge target on their back,” said Christin.
Victims left with big security burden
Once crypto assets are stolen it can be a challenge for thieves to cash out, especially if the heist is in the nine-figure range. That means funds are often left in limbo for years, or even indefinitely. During that time, the value of the stolen funds can fluctuate due to the volatile nature of the crypto market.
The Chainalysis crypto crime report estimates that criminals are currently holding at least $10bn worth of cryptocurrency, the vast majority obtained through theft. Thanks to transparency on the blockchain, it’s possible to trace these transactions and holdings, but the identity of the perpetrator is hard to nail down until the funds are cashed out.
One can look to the Bitfinex scandal as a case study in attempted laundering. “The funds didn’t move for an extremely long time. And then when they tried to initiate the laundering process, this was an opportunity for law enforcement to get involved again, because people are following these hacks,” said Kim Grauer, director of research at Chainalysis.
For victims of the schemes, there are few ways to recover assets. “If a bank’s security fails, it’s not that bad for the bank,” said Ethan Heilman, a cybersecurity expert and co-founder of the cloud service BastionZero. “But if you’re a cryptocurrency exchange and someone empties out all your cryptocurrency that’s really bad for you.” Banks have measures in place to protect their clients that the blockchain lacks. If one’s credit card is stolen, insurance policies ensure that one will usually receive that money back. On the blockchain, however, transactions are irreversible – there is no undo button.
That means there is a tremendous security burden on individual users to keep their assets safe. “End users may not necessarily be cognizant of the security risks that they incur,” said Christin. “Quite frankly, even people in the field don’t have time to necessarily go and review some smart contract source code.”
If one entrusts their keys to the wrong second-layer intermediary, it’s possible that they could be a victim of a heist. Collectively, most aren’t used to this responsibility.
Crypto companies are beginning to get more serious about security, Heilman said, but a world without hacks is not realistic, he added. “You never become secure, you just become more secure,” he said. “So given the ease of monetizing a vulnerability in one of these systems, I think that it is likely that we will continue to see things get hacked, and the question will not be, ‘is there a new hack this month?’ It will be: ‘how frequent are the hacks this month?’”
“There are important things that the industry needs to overcome in order to actually really grow and scale,” said Grauer, “because you can’t have a healthy growing industry if everyone is afraid of getting hacked.”