Axie Infinity is perhaps the biggest success story when it comes to NFT gaming. What started in 2018 as a simple Pokemon-style creature collecting game has since grossed over $4 billion in sales and boasted more than 1.8 million daily active users in August of last year. The game is particularly popular in the Philippines where its play-to-earn model even lets people play the game as a full-time job--a concept not entirely unheard of in popular MMOs.
However, it seems that success has also brought some unwanted attention. Today, one of the blockchains that handle transactions for Axie Infinity reported a security breach that resulted in the loss of around $600 million in cryptocurrency.
"Earlier today, we discovered that on March 23rd, Sky Mavis’s Ronin validator nodes and Axie DAO validator nodes were compromised resulting in 173,600 Ethereum and 25.5M USDC drained from the Ronin bridge in two transactions," reported Ronin, one of the two blockchains that power Axie Infinity's NFT-based economy (via Kotaku). "The attacker used hacked private keys in order to forge fake withdrawals."
Because these withdrawals were made on the blockchain, you can actually still see the crypto wallet where the funds were allegedly drained. Ronin is now working with law enforcement to recoup the stolen funds.
The funny part is, this whole hack wouldn't have been possible without Axie Infinity's massive success. Developer Sky Mavis ran into a problem late last year when there were simply more transaction requests than the game could handle. In order to speed up transaction time, Sky Mavis asked Ronin if it could authorize transactions on its own behalf. Ronin agreed to temporarily grand these privileges and thought it had withdrawn said privileges in December 2021, but it turns out that one of Ronin's verification nodes still recognized that special allowance.
The alleged hacker was able to use that node to obtain access to a majority of Ronin's validators, essentially letting them do whatever they want with the crypto network. And what they wanted was obviously money.
This is hardly the first major heist in cryptocurrency markets, but authorities are getting a lot better at tracking down crypto thieves. One of the biggest heists in crypto history recently came to an end after the US Department of Justice reported billions in Bitcoins had been recovered from two alleged cybercriminals.