In what might be the biggest crypto hack to date, around $622 million has been stolen from a blockchain-based gaming network.
The Ronin Network, which powers the super popular Axie Infinity game, confirmed the security breach on Twitter today. According to the network’s Substack post, Ronin was exploited for 173,600 Ethereum and 25.5 million USDC.
“We are working with law enforcement officials, forensic cryptographers, and our investors to make sure that all funds are recovered or reimbursed,” the Ronin Network tweeted.
To approve any withdrawal or deposit, Ronin requires five of its nine validators to sign off on transactions to ensure funds are not moved by anyone with malicious intent. The attacker was able to control four Ronin validators and one validator linked to the Axie DAO, the decentralized autonomous organization associated with Axie Infinity.
The attacker used “hacked private keys,” or passwords, “in order to forge fake withdrawals,” according to Ronin’s Substack post.
Going forward, Sky Mavis, the company that created Axie Infinity and Ronin, says it will require eight of nine validators to move funds, and plans to increase the number of validators over time.
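To make the threshold change concrete, here is an added illustration (not code from Ronin or Sky Mavis) that models the five-of-nine and eight-of-nine approval rules and counts how many separate operators would have to lose their keys before a withdrawal could be approved. The validator names and the operator grouping, including four validators run by a single operator, are constructed assumptions.

```python
from collections import Counter

# Constructed validator set: validator id -> operator that holds its key.
# Assumption for illustration: four validators share one operator.
VALIDATORS = {
    "v1": "operator-a", "v2": "operator-a", "v3": "operator-a", "v4": "operator-a",
    "v5": "axie-dao",
    "v6": "operator-b", "v7": "operator-c", "v8": "operator-d", "v9": "operator-e",
}

# Keys the article says the attacker controlled: four validators plus the DAO one.
COMPROMISED = {"v1", "v2", "v3", "v4", "v5"}


def approved(signers, validators, threshold):
    """A transfer is approved when at least `threshold` distinct known validators sign."""
    return len(set(signers) & set(validators)) >= threshold


def min_operators_to_reach(validators, threshold):
    """Fewest operators whose combined keys meet the threshold.

    Taking the operators with the most keys first is optimal, so this is the
    real number of independent parties protecting the funds.
    """
    keys_per_operator = sorted(Counter(validators.values()).values(), reverse=True)
    total = 0
    for count, keys in enumerate(keys_per_operator, start=1):
        total += keys
        if total >= threshold:
            return count
    return None  # threshold exceeds the number of validators


if __name__ == "__main__":
    for threshold in (5, 8):
        print(
            f"{threshold}-of-{len(VALIDATORS)}:",
            "forged withdrawal approved:", approved(COMPROMISED, VALIDATORS, threshold),
            "| operators needed:", min_operators_to_reach(VALIDATORS, threshold),
        )
```

Under these assumptions, the five-of-nine rule is only as strong as two operators, which is why the count of independent key holders matters as much as the signature threshold.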
“As we’ve witnessed, Ronin is not immune to exploitation and this attack has reinforced the importance of prioritizing security, remaining vigilant, and mitigating all threats,” Ronin wrote in its Substack post. “We know trust needs to be earned and are using every resource at our disposal to deploy the most sophisticated security measures and processes to prevent future attacks.”
These hacks aren’t abnormal in the crypto space. For example, a hacker stole $611 million from the decentralized finance (DeFi) protocol Poly Network in August, though the majority of funds was ultimately returned.
This story was originally featured on Fortune.com