Sky Mavis Hacked for 173,000 ETH and 25.5 Million USDC | Attacker Could Utilize KYC Black Market Account to Liquidate


March 29th was an extremely damaging day for the crypto community: a $625 million hack drained funds from Ronin, the blockchain that hosts the hugely popular Axie Infinity game.

Despite the eye-watering sum, however, experts told CoinDesk in a series of interviews that it’s unlikely the attacker will ever get to enjoy their ill-gotten gains.

On Tuesday, Axie developer Sky Mavis announced in a blog post that the exploit resulted in losses of over 173,000 ETH and 25.5 million USDC, worth more than $625 million at the time of publication.

Immediately after the attack, however, observers noted that the hacker had used centralized exchanges to fund the address that launched the attack, and that they have since been depositing thousands of ETH to exchanges including Huobi, FTX and Crypto.com – a move that many security experts have characterized as a likely misstep.

Because these platforms have know-your-customer (KYC) verification systems, these deposits could be used to discover the hacker’s identity and ultimately force them to return the funds.
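A simplified version of the tracing that lets analytics firms spot exactly these flows, added here as an illustration and not part of the original article: it records which labelled exchange funded the attack address, then walks outgoing transfers a few hops to see which deposits land at KYC'd exchange addresses. All addresses, labels and transfers are constructed placeholders, not real on-chain data.

```python
from collections import deque

# Constructed sample data: hypothetical addresses with off-chain labels.
EXCHANGE_ADDRESSES = {
    "0xEXCHANGE_A_HOT": "exchange_A",   # hot wallet that pays out withdrawals
    "0xEXCHANGE_B_DEP": "exchange_B",   # customer deposit address
    "0xEXCHANGE_C_DEP": "exchange_C",
}

# (sender, recipient, amount_eth) -- constructed transfers
TRANSFERS = [
    ("0xEXCHANGE_A_HOT", "0xATTACKER", 1.0),     # attack address funded by an exchange withdrawal
    ("0xBRIDGE", "0xATTACKER", 173600.0),        # drained bridge funds
    ("0xATTACKER", "0xHOP1", 5000.0),
    ("0xHOP1", "0xEXCHANGE_B_DEP", 3000.0),      # lands at a KYC'd deposit address two hops out
    ("0xATTACKER", "0xEXCHANGE_C_DEP", 1000.0),  # direct deposit to an exchange
    ("0xATTACKER", "0xMIXER", 2000.0),
    ("0xMIXER", "0xUNRELATED", 500.0),           # link is broken at the mixer
]

def funding_sources(addr, transfers):
    """Labelled exchanges that sent funds *into* addr (who funded the attacker)."""
    return sorted({EXCHANGE_ADDRESSES[s] for s, r, _ in transfers
                   if r == addr and s in EXCHANGE_ADDRESSES})

def trace_to_exchanges(start, transfers, max_hops=3, stop_at=frozenset({"0xMIXER"})):
    """Breadth-first walk over outgoing transfers from start, up to max_hops.
    Every transfer that arrives at a labelled exchange address is reported with
    its path; the walk does not continue through mixer addresses."""
    graph = {}
    for s, r, amt in transfers:
        graph.setdefault(s, []).append((r, amt))
    hits, seen = [], {start}
    queue = deque([(start, [start], 0)])
    while queue:
        node, path, depth = queue.popleft()
        if depth == max_hops:
            continue
        for nxt, amt in graph.get(node, []):
            if nxt in EXCHANGE_ADDRESSES:
                hits.append({"exchange": EXCHANGE_ADDRESSES[nxt], "amount_eth": amt,
                             "hops": depth + 1, "path": path + [nxt]})
            elif nxt not in seen and nxt not in stop_at:
                seen.add(nxt)
                queue.append((nxt, path + [nxt], depth + 1))
    return sorted(hits, key=lambda h: h["hops"])
```

Each hit is a deposit the exchange can tie to a verified customer account, which is the lead the article's experts say an investigator would follow.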

“If I was in their shoes, I would seek to get out of this situation as quickly as possible,” blockchain analytics firm Elliptic co-founder Tom Robinson told CoinDesk. “That might include returning the funds.”

Know your exploiter

The attacker’s current method of trying to launder funds through centralized exchanges struck a range of experts across the industry as odd.

“It’s unusual to see such direct flows of funds from thefts to large exchanges,” Robinson said. “They might have purchased accounts, or they could be using an intermediary to launder on their behalf.”

In an exclusive from October, CoinDesk found that there is a flourishing black market for KYC’d accounts at centralized exchanges. However, Robinson noted that the exchanges being used, including FTX and Crypto.com, have strong reputations for regulatory compliance and KYC.

In all, he characterized the attacker’s current efforts to launder their funds as “surprisingly naive.”

“That doesn’t quite match with the sophistication that it would seemingly require to compromise these validators and get their private keys,” he added.

A more common strategy for exploiters is to use a mixer like Tornado Cash, send stolen funds through non-KYC’d exchanges and generally, as Robinson put it, “not rushing to cash out everything straight away, maybe waiting years even.”

Indeed, the broader crypto community has expressed befuddlement at the attacker’s laundering strategy.

As is often the case in the aftermath of an attack, Ethereum users have been using the network to communicate with the attacker, and in one case an individual has attempted to give the attacker tips for how to better launder their ETH.

“Hello, [your] initial deposit was from Binance, be careful and be sure to use tornado.cash you must leave the funds in for multiple days or it can be traced,” they wrote to the attacker’s address as part of an Ethereum transaction. “Afterwards you should use stealthex.io to swap to other currencies over a long period of time. Thanks, feel free to tip / retire me.”

However, even with rigorous privacy-preserving tools and a careful plan, Robinson told CoinDesk it’s extraordinarily difficult to launder a sum as large as $600 million. Indeed, despite the alleged launderers taking a number of precautions over a period of years, U.S. officials seized $3.6 billion in bitcoin related to the 2016 Bitfinex hack just last month.

Fumbling the bag

If Axie does have information on the attacker, identifying hackers has proven to be a successful tactic for developers in the past.

When reached by CoinDesk, blockchain sleuthing firm Chainalysis declined to comment, citing involvement in the ongoing investigation.

Last September, in one of the most colorful hacking incidents in blockchain history, developers of the Jay Pegs Auto Mart non-fungible token (NFT) drop successfully intimidated a hacker into returning funds by – among other tactics – ordering miso soup to their house.

Former Sushi Chief Technology Officer Joseph Delong, who was involved with the Jay Pegs negotiations, said that identifying a hacker can help “prevent an anonymous getaway” and will increase public pressure.

“People will get angry at you doxxing the attacker but those cryptoanarchists can go f**k themselves with their superiority complex,” Delong said in a Tuesday interview.

“Laundering $600 million, I don’t think it’s possible,” said Adrian Hetman, a DeFi expert at Immunefi, a bug bounty service. “The best-case scenario is instead of black-hatting your way into the protocol, you should use that knowledge to submit bugs on a bug bounty platform – you could easily become a millionaire.”

Sushi’s Delong also noted that giving the hacker options can be a useful tool, such as a “clear bounty program and partners like Immunefi to help.”

Indeed, Immunefi is among the slew of services that have emerged as DeFi and Web 3 look to secure the ecosystem from the rising tides of hacks. Immunefi alone has paid out $20 million in bug bounties, and currently has $120 million available for white hats, coding lingo for the benevolent opposite of black-hat hackers who abscond with stolen funds rather than reporting vulnerabilities.

History shows that attempting to steal and launder $625 million may have been the lowest-upside option for the attacker. Last August the hacker who managed to swipe $611 million from Poly Network ultimately returned the funds after deciding it would be impossible to cash out.

“I think either he gets caught, or he’s forced to return the funds. Or both,” said Hetman of the Ronin hacker.

Ideological motivations

In a worst-case scenario for Axie Infinity, however, the exploiter might not even care about the money at all.

“I think that – fundamentally – the ideology of the exploiter is the key thing to consider when you’re talking about GDP-sized figures acquired through hacks,” said Laurence E. Day, a blockchain developer and scholar. “If they’ve simply done it to send a message about vulnerability or ‘because-they-could, consequences be damned,’ the question ‘was it worth it’ depends on whether they consider that sufficient self-validation as to their skill.”

Day is intimately familiar with hackers looking to send a message. Last October, a protocol Day contributed to, Indexed Finance, was exploited by a Canadian teenage math prodigy, Andean “Andy” Medjedovic.
