Who is Behind the Axie Infinity Hack? Unpacking What We Know


Axie Infinity, an NFT-based pet battler similar to Pokémon, was the target of one of the largest hacks in cryptocurrency history in late March 2022. Malicious actors made off with 173,600 ETH and 25.5 million USDC, valued at $625 million when the hack was announced by Sky Mavis, the company behind Axie Infinity. 

The hack targeted Ronin, Sky Mavis’ Ethereum sidechain that handles all of the transactions for the game. Sidechains have become commonplace for Ethereum-based games since they alleviate pressure on the Ethereum blockchain and save users money on transaction fees. 

The story has continued to evolve over the past few weeks as law enforcement and blockchain analysts followed the trail. The FBI has announced it believes a North Korean hacker group known as The Lazarus Group is responsible for the historic hack. 

Despite identifying the group responsible for the hack, the pilfered funds continue to be laundered. The transparent nature of the Ethereum blockchain allows anyone to watch the funds move. Still, law enforcement and the company behind Axie Infinity are powerless to reclaim them unless the funds move to a cooperating organization – like Binance. 

How did the hacker group manage to steal so much money? Why does the FBI believe North Korean hackers are responsible? Perhaps most importantly, what can investors learn from the hack? Read on to explore these questions.

North Korean Hacker Group Linked to Axie Infinity Hack

Ethereum is a fully transparent blockchain, just like Bitcoin, which means anyone was able to see the wallet addresses involved in the hack. So the tricky part becomes understanding the person or party behind the wallet addresses. 

The U.S. Treasury Department was updating its sanctions listing on the Lazarus Group and discovered that wallet addresses involved are linked to the hackers. Blockchain analysis company Chainalysis reports that this connection confirms the involvement of the hacker group in the Axie Infinity hack. 

The Lazarus Group is believed to employ roughly 6,000 people and has been active since the mid-1990s. The United States has since pushed the U.N. Security Council to blacklist the Lazarus Group and freeze all known assets. 

Because the attack has been linked to this infamous hacking group, it is unlikely to have been the work of a lone actor; it was more likely a coordinated attack by an unknown number of malicious actors. 

Stolen Funds Are Successfully Being Laundered

Despite the sanctions, and with the world watching, the hackers are successfully laundering their stolen funds. The hacker group uses cryptocurrency tools designed to obfuscate the source and destination of cryptocurrencies. 

The group is primarily using a service called Tornado Cash, and it’s estimated that 18% of the stolen funds, roughly US$100 million, have been successfully laundered. The hacker group transfers their stolen funds to the service, mixing them up and sending them to unknown wallets. 

Binance Recovers $5.8 Million of Stolen Funds

The malicious actors transferred some of their loot to Binance, a popular cryptocurrency exchange, and the funds were promptly frozen. The coins were spread out over 86 accounts and totaled US$5.8 million. While this is only a tiny fraction of the stolen crypto, it serves as a warning sign to any other would-be bad actors that might try to use Binance. 

There’s a wide world of cryptocurrencies and blockchain projects for investors to explore as they create their portfolios. The key to building your ideal portfolio is understanding how to mix and match these coins and tokens to suit your specific risk tolerance.


How Did the Hackers Even Pull It Off?

Let’s back up; how did this even happen? Does this mean that cryptocurrency isn’t as infallible as we’ve believed?

Don’t worry; the problem isn’t related to blockchain’s security. Instead, the hack was only possible by exploiting the human element involved in managing the Ronin sidechain. Using social engineering, the hackers targeted employees of Sky Mavis to gain access to the company-controlled validator nodes. 

It’s the same general idea as someone calling you and pretending to be your bank, only to extract personal information from you used for nefarious purposes. But this social engineering attack was more complex than getting your bank password. 

Ronin is a sidechain that uses proof-of-stake validator nodes rather than the energy-intensive machines used in proof-of-work blockchains, such as Bitcoin. The Ronin blockchain only had nine total nodes validating transactions, which the company admits was a shortcut to handle the explosion in its user base. 

The hackers exploited employees at Sky Mavis to obtain private security keys that granted access to four of the company-controlled validator nodes. Then, they gained access to an additional node controlled by the community. With five out of nine nodes under their control, the hackers could circumvent the security protocols and approve any transactions they wanted.

The Axie Infinity hack is a prime example of the long-fabled 51% attack discussed since the early days of Bitcoin. If someone controls more than half of the network, they can validate and process any transactions. 

So, the issue was Sky Mavis designing a sidechain with shockingly few validator nodes alongside its employees being exploited by successful social engineering attempts. 
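The approval mechanism described above, modelled as an added example (this is not Sky Mavis or Ronin code): nine validators, five approvals required to release funds, four keys held by one operator. Validator names, the partner operator labels and the per-validator secrets are constructed; HMAC stands in for the real signature scheme. It shows that four keys are refused, five are accepted, and that a single operator holding four keys leaves an attacker just one key short of the threshold.

```python
import hashlib
import hmac
import json

THRESHOLD = 5  # approvals needed to release a withdrawal (as on Ronin)

# Constructed validator set: four keys under one operator, five under separate partners.
VALIDATORS = {
    "v0": "sky_mavis", "v1": "sky_mavis", "v2": "sky_mavis", "v3": "sky_mavis",
    "v4": "partner_a", "v5": "partner_b", "v6": "partner_c", "v7": "partner_d", "v8": "partner_e",
}
# Constructed secrets; a real bridge would use asymmetric validator keys.
SECRETS = {vid: f"secret-{vid}".encode() for vid in VALIDATORS}


def sign(validator_id: str, withdrawal: dict) -> str:
    """Signature a validator produces over a withdrawal request (HMAC stand-in)."""
    payload = json.dumps(withdrawal, sort_keys=True).encode()
    return hmac.new(SECRETS[validator_id], payload, hashlib.sha256).hexdigest()


def bridge_accepts(withdrawal: dict, approvals: dict) -> bool:
    """Release funds only if THRESHOLD distinct validators signed this exact request."""
    valid = {vid for vid, sig in approvals.items()
             if vid in SECRETS and hmac.compare_digest(sig, sign(vid, withdrawal))}
    return len(valid) >= THRESHOLD


def withdrawal_with_keys(withdrawal: dict, held_keys) -> bool:
    """Whether a party holding only `held_keys` can push a withdrawal through."""
    return bridge_accepts(withdrawal, {vid: sign(vid, withdrawal) for vid in held_keys})


def keys_short_of_threshold(validators: dict, threshold: int) -> tuple:
    """Largest single operator and how many extra keys beyond its share reach the threshold.
    A small number here is the concentration red flag to look for before trusting a bridge."""
    counts = {}
    for operator in validators.values():
        counts[operator] = counts.get(operator, 0) + 1
    biggest = max(counts, key=counts.get)
    return biggest, max(threshold - counts[biggest], 0)


if __name__ == "__main__":
    tx = {"to": "0xRECIPIENT_PLACEHOLDER", "amount_eth": 173600}
    print(withdrawal_with_keys(tx, ["v0", "v1", "v2", "v3"]))        # four keys: refused
    print(withdrawal_with_keys(tx, ["v0", "v1", "v2", "v3", "v4"]))  # five keys: accepted
    print(keys_short_of_threshold(VALIDATORS, THRESHOLD))            # ('sky_mavis', 1)
```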

What Can Investors Learn from the Axie Infinity Hack?

Investors interested in buying popular cryptocurrencies, holding them for a while, and then selling them for profit don’t have much to worry about. The Axie Infinity hack targeted an Ethereum sidechain used to operate a video game; it’s a far cry from buying and selling Bitcoin. 

However, investors who like to venture into emerging platforms, especially those that dominate news cycles as Axie Infinity has, have a few lessons from the hack.

Do Your Own Research

Known as DYOR, this adage has dominated cryptocurrency circles for years. When a new blockchain, play-to-earn game, or sidechain starts gaining momentum, it’s vital to research it before investing. Researching Ronin revealed that the company controls nearly half of the validator nodes, and only nine nodes are involved. This information should raise red flags as it’s not a genuinely decentralized platform and has a single point of failure – the company.

Not Your Keys, Not Your Coins

This phrase demonstrates that if someone else controls your coins, you don’t truly own them. Sky Mavis has assured users that no NFTs were lost, but plenty of Ethereum extracted from the game was. The company did not disclose how many users lost money, but customers who trusted Sky Mavis and Ronin with their funds were left vulnerable and without proper control of their coins. 

This adage is less accurate due to the growing number of reputable custodial wallet companies. Still, investors need to understand the company controlling their investments.

Understand Your Risk Tolerance

Even without historic hacks, putting money into a blockchain game is a risky maneuver. The game might lose momentum or could even be a scam. So understand your risk tolerance with any funds you invest in riskier platforms, such as NFT-focused games.

Cybersecurity is Vital to All Financial Platforms

The Axie Infinity hack will be remembered as a cybersecurity failure rather than an issue inherent to blockchain technology. But unfortunately, social engineering cybercrimes will continue to target financial institutions regardless of whether they’re involved in cryptocurrency or fiat currency. 

Coinmotion understands the importance of cybersecurity and has taken every precaution to curb any cybersecurity attacks, including social engineering. Our service focuses on protecting the funds of our customers. Set up an account with Coinmotion today to safely and securely invest in cryptocurrency. 

The views, thoughts, and opinions expressed in the text belong to the author and not necessarily to the author’s employer, organization, committee, or other group or individual.
