More than $600mn has been stolen from the digital ledger that powers the popular cryptocurrency game Axie Infinity, in one of the largest hacks targeting the booming digital assets sector.
Ronin Network, a program that allows users to transfer assets in and out of Axie, on Tuesday said it had discovered a security breach that resulted in 173,600 ether and 25.5mn USD Coin being removed by unidentified hackers from the system on March 23.
Ronin said it was “working with law enforcement officials, forensic cryptographers, and our investors to make sure all funds are recovered or reimbursed”. The cryptocurrencies would be worth about $615mn at current prices.
“We moved swiftly to address the incident once it became known and we are actively taking steps to guard against future attacks,” Ronin said, adding it had “paused” the Ronin Bridge that allows for transfers in and out of the network.
Ronin’s hack adds to a growing list of major security breaches affecting popular cryptocurrency applications as millions of new users enter the fast-growing market. Last August, a hacker stole more than $600mn of cryptocurrencies from the Poly Network program, but later returned the money.
Users lost $1.3bn of funds from 44 attacks in the broader decentralised finance system last year, an increase of about 160 per cent from the previous year, according to the cryptocurrency security company Certik.
Axie has quickly grown to become the most visible example of so-called play-to-earn gaming, allowing users in countries such as the Philippines to earn cryptocurrency from battling digital monsters.
The number of daily users in Axie reached 2mn last October, the game’s developer Sky Mavis said at the time. Andreessen Horowitz and other investors in Sky Mavis have valued it at $3bn.
The Ronin network has played a key role in the growth of Axie, acting as a bridge from the broader cryptocurrency markets to the game’s complex economy. Sky Mavis designed the digital ledger to be cheaper and faster at processing transactions than the popular Ethereum blockchain.
Ronin said it had discovered the hack on Tuesday after a user unsuccessfully attempted to withdraw 5,000 ether worth about $17mn, six days after the attack took place.
In a blog post, Ronin said the hacker had targeted what are known as “validator nodes”, computers that help process transactions on the network. The attacker used “hacked private keys” to make the withdrawals, Ronin said.
Ronin said it would increase the “validator threshold” needed to approve transactions from five to eight, out of a total of nine validators, to “prevent further short term damage”.
The digital token associated with Ronin fell more than 20 per cent on the news.