Late last month, hackers drained what was then worth more than $500 million from the systems of the cryptocurrency network Ronin, in what is believed to be the second-largest cryptocurrency theft ever.
Ronin was a juicy target. The blockchain project supports the wildly popular video game Axie Infinity, which with an estimated 8 million players has drawn comparisons with collectible-driven hits like Pokémon Go.
Axie Infinity is hot and involves significant sums of money. Players buy creatures called Axies in the form of NFTs, unique digital assets known as non-fungible tokens. The creatures can breed, fight and even be exchanged for cold, hard cash.
The game has grown in popularity as players see the potential to make real money. In 2020, a 22-year-old player from the Philippines reportedly bought two apartments in Manila with his earnings from the game. Last year, another player said he earned more through Axie Infinity and other online games than at his full-time job at Goldman Sachs.
But the foundation of the game faces significant security challenges. To play, players must move their money from Ethereum to Ronin over a blockchain “bridge”. Ronin is a “side chain” of Ethereum – a scaling solution that lets transactions settle faster than on Ethereum, which is overloaded by the amount of activity it hosts. Hosting the game on this side chain lets it grow without losing functionality. Bridges can hold a lot of money at once, so by targeting the Ronin Bridge, which transferred players’ assets between blockchains, the hackers took control of those assets and made off with the money.
The U.S. government said this week that it believes North Korean hackers are behind the theft. But it is just the latest in a series of brazen, high-profile cryptocurrency heists. In 2018, more than $530 million was stolen from the cryptocurrency exchange Coincheck. In February, hackers siphoned $320 million from the decentralized finance platform Wormhole (though that loot was eventually returned). And in the same month, in perhaps this year’s most notorious cyber theft, prosecutors accused the odd couple Ilya “Dutch” Lichtenstein and his wife, Heather Morgan – also known for cringeworthy rap videos posted on TikTok under the name Razzlekhan – of conspiring to launder billions of dollars of bitcoin stolen from the crypto exchange Bitfinex in 2016.
It’s a trend. In 2021, $3.2 billion in cryptocurrency was stolen from individuals and services, according to a report on cryptocurrency crime from Chainalysis, a company that provides blockchain data and analytics to banks, governments and other companies. (Ronin is also working with Chainalysis to track the funds stolen in the hack, according to Reuters.) The figure is almost six times the amount stolen in 2020. So far this year, more than $1 billion has already been stolen, according to experts at Chainalysis and other security companies.
Vulnerabilities in smart contracts
The high-profile hacks and significant amounts involved have raised questions about how vulnerable the blockchain – long considered a safe haven to store assets – is to such breaches.
Some experts say the rise in reported cryptocurrency thefts reflects the fact that cryptocurrency is more prevalent and better understood than ever before.
“You basically have a lot of money on the table, and on a very public table,” said Nicholas Christin, an associate professor at Carnegie Mellon University who researches online crime and computer and network security. With large sums of money moving around publicly on these transparent systems, it can be tempting for a hacker to try their luck.
To understand how these robberies are possible, it is important to distinguish between the blockchain and the other programs that run on top of it, experts say. The blockchain itself is a decentralized public ledger that allows for peer-to-peer transactions. It is the base layer on which Bitcoin, Ethereum or Solana are built.
The second layer – the one that is most often exploited – is the smart contracts running on top of blockchains. Smart contracts are agreements written in code that execute automatically when the terms of the contract are met. The usual analogy is a digital vending machine: select a product, insert the correct amount, and your item is dispensed automatically. These contracts are irreversible.
Hackers get at the money through these second-layer systems either by exploiting errors in the code or by stealing the private keys that unlock them, Christin explained. Some even subvert the smart contracts themselves to redirect funds into their own hands.
In the Axie Infinity hack, which targeted the Ronin bridge, the attacker obtained enough private keys to control the bridge and drain its funds. Because so many users had assets locked in the bridge, the haul was massive.
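The bridge mechanics described above come down to a threshold rule: a withdrawal from the bridge is released once enough of the bridge's validators have approved it, so whoever holds enough validator keys holds the bridge. The following is an added illustration, not code from the article or from Ronin, of that rule and of one defensive control a bridge operator can layer on top of it. Everything in it is constructed: the nine validators, the 5-of-9 threshold, the withdrawal cap and the toy requests are hypothetical, and HMAC tags stand in for the validators' real signatures.

```python
import hashlib
import hmac
import json
from collections import deque

# Constructed validator set for the illustration: nine validators, each holding
# its own secret. These toy HMAC keys stand in for real signing keys and are a
# hypothetical configuration, not Ronin's.
VALIDATOR_SECRETS = {f"validator-{i}": f"toy-secret-{i}".encode() for i in range(9)}
APPROVAL_THRESHOLD = 5  # hypothetical m-of-n rule: 5 of 9 approvals release funds


def canonical(withdrawal: dict) -> bytes:
    """Serialize a withdrawal request deterministically so every validator approves the same bytes."""
    return json.dumps(withdrawal, sort_keys=True, separators=(",", ":")).encode()


def approve(validator: str, withdrawal: dict) -> str:
    """A validator's approval: an HMAC over the canonical request (stand-in for a signature)."""
    return hmac.new(VALIDATOR_SECRETS[validator], canonical(withdrawal), hashlib.sha256).hexdigest()


def count_valid_approvals(withdrawal: dict, approvals: dict) -> int:
    """Count approvals that verify under the named validator's key.
    Unknown validators, forged tags and approvals of a different request are not counted."""
    msg = canonical(withdrawal)
    valid = 0
    for validator, tag in approvals.items():
        secret = VALIDATOR_SECRETS.get(validator)
        if secret is None:
            continue
        expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, tag):
            valid += 1
    return valid


class BridgeGuard:
    """Withdrawal gate with two independent controls:
    1. the validator approval threshold, which is what the bridge itself enforces, and
    2. a rolling outflow cap that holds unusually large withdrawals for manual review,
       so a set of compromised validator keys alone cannot empty the bridge in one step."""

    def __init__(self, threshold=APPROVAL_THRESHOLD, window_seconds=86400, cap=1_000_000):
        self.threshold = threshold
        self.window = window_seconds
        self.cap = cap
        self.recent = deque()  # (timestamp, amount) of withdrawals already released

    def _released_in_window(self, now: int) -> int:
        # Drop releases that have aged out of the window, then total what remains.
        while self.recent and self.recent[0][0] <= now - self.window:
            self.recent.popleft()
        return sum(amount for _, amount in self.recent)

    def decide(self, withdrawal: dict, approvals: dict, now: int) -> tuple:
        """Return (decision, reason); decision is 'released', 'rejected' or 'held'."""
        valid = count_valid_approvals(withdrawal, approvals)
        if valid < self.threshold:
            return "rejected", f"{valid} valid approvals, {self.threshold} required"
        amount = withdrawal["amount"]
        if amount + self._released_in_window(now) > self.cap:
            return "held", f"would exceed {self.cap} per {self.window}s window; manual review"
        self.recent.append((now, amount))
        return "released", f"{valid} valid approvals, within cap"


if __name__ == "__main__":
    guard = BridgeGuard()
    request = {"to": "0xRECIPIENT_PLACEHOLDER", "amount": 250_000, "nonce": 1}  # constructed
    approvals = {v: approve(v, request) for v in list(VALIDATOR_SECRETS)[:5]}
    print(guard.decide(request, approvals, now=1_000_000))
```

The point of the second control is that the approval threshold and the outflow cap fail independently: an attacker who has collected five keys satisfies the first check for any request they like, but a drain far above the bridge's normal daily volume still trips the second and lands in a review queue instead of on-chain. The cap and window are operator policy, so the numbers here are placeholders.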
“The underlying blockchain protocol is secure,” said Ronghui Gu, founder and CEO of blockchain security firm Certik. “But the programs – the smart contracts – that run on top of them are still like other normal programs, which can have software bugs and vulnerabilities.”
It is common for hackers to comb through a target’s code in search of an exploitable flaw. And it helps them that much of the code for blockchain programs is open source, making it easy for anyone who wants to look over the code and hunt for bugs to do so.
“In this world, people say ‘in code we trust’, but the code itself is actually not that credible,” Gu said. When he started his blockchain security company in 2018, Gu explained, only a few companies used third-party security services like his to audit and evaluate their code – a critical security backstop – but he has seen the number gradually increase.
Crypto exchanges are also major targets for hacks. Exchanges are like banks: they are central entities that hold huge amounts of their users’ money, and transactions are irreversible. Like bridges, they are intermediary programs that tend to be targeted. “The big exchanges have a big target on their backs,” Christin said.
Victims left with large security burden
Once cryptocurrency is stolen, cashing it out can be a challenge for the thieves, especially when the haul runs to nine figures. As a result, stolen funds are often left in limbo for years or even indefinitely. During that time, their value may swing widely because of the volatile nature of the crypto market.
The Chainalysis report on cryptocurrency crime estimates that criminals currently hold at least $10 billion in cryptocurrency, the vast majority of it obtained through theft. Thanks to the transparency of blockchains, it is possible to track these transactions and holdings, but the identity of the perpetrator is difficult to determine until the money is cashed out.
The Bitfinex scandal can be seen as a case study in attempted money laundering. “The men did not move for an extremely long time. And when they then tried to initiate the money laundering process, this was an opportunity for law enforcement to get involved again, because people are following these hacks,” said Kim Grauer, research director at Chainalysis.
For victims of these schemes, there are few ways to recover assets. “If a bank’s security fails, it’s not that bad for the bank,” said Ethan Heilman, a cybersecurity expert and co-founder of cloud service BastionZero. “But if you’re a cryptocurrency exchange and someone empties all your cryptocurrency out, it’s really bad for you.” Banks have measures in place to protect their customers that blockchains lack. If your credit card is stolen, insurance will usually make you whole. On the blockchain, however, transactions are irreversible – there is no undo button.
This means that there is a huge security burden for individual users to keep their assets safe. “End users may not necessarily be aware of the security risks they incur,” Christin said. “Honestly, even people in the field do not have time to necessarily go and review some smart contract source code.”
Entrusting their keys to the wrong intermediary on that second layer can leave them the victim of a theft. And most people are simply not used to bearing this responsibility.
Cryptocurrency projects are starting to get more serious about security, Heilman said, but a world without hacks is not realistic, he added. “You never get safe, you just get more confident,” he said. “So given how easy it is to monetize a vulnerability in one of these systems, I think it’s likely we’ll continue to see things hacked, and the question will not be, ‘Is there a new hack this month?’ It will be: ‘How frequent are the hacks this month?’ ”
“There are important things that the industry needs to overcome to actually grow and scale,” Grauer said, “because you cannot have a healthy, growing industry if everyone is afraid of being hacked.”