North Korea, NFTs and a hit video game: $ 500m cryptocurrency theft inside | Blockchain

LLast month, hackers believed the cryptocurrency network was worth more than $ 500 million, the second largest cryptocurrency theft ever recorded.

Ron was a juicy target for a hacker. The blockchain program supports the very popular Axie Infinity video game, which has 8 million players compared to action-driven collection games like Pokémon Go.

Axie Infinity is hot and covers a considerable amount. Players buy creatures called Axies in the form of NFTs, which are unique digital assets called fungal tokens. Creatures can breed, fight and even exchange for cold, hard money.

This game has become popular because players see the ability to make real money. In 2020, a 22-year-old player from the Philippines reportedly bought two apartments in Manila with his earnings through the game. Last year, another player claimed to have earned more through his Axis Infinity and other online games than his full-time job at Goldman Sachs.

But the foundation of the game faces significant security challenges. To play, gamers must move their money from Ethereum to Ronin in the blockchain “Bridge” system. Ronin is a “sidechain” of Ethereum – a scaling solution that allows transactions to run faster than Ethereum, which causes congestion by the size of the hosting process. Hosting the game in this sitechain ensures that it can grow without losing functionality. Bridges can hold a lot of money at once, so hackers took control of the property and took the money, targeting Ron’s Bridge, which transferred players’ property between blockchains.

This untitled manual image from the blockchain based game Axis Infinity is found in the game assets called ‘Axis’. Photo: Sky Mavis / Reuters

The U.S. government said this week that it believed North Korean hackers were behind the theft. But this is very recent. In 2018, more than $ 530 million was stolen from the crypto exchange CoinSec. In February, hackers received $ 320 million in cash from a decentralized financial site Wormhole (although the robbery was eventually withdrawn). In the same month, in this year’s most popular cyber theft, prosecutors have charged the odd couple Ilya “Dutch” Liechtenstein and his wife Heather Morgan – known as Ruslecon for his horrific raps on Dictok – with conspiracy. In 2016 the crypto exchange laundered billions of dollars worth of bitcoins stolen from Pitfinex.

This is a trend. In 2021, $ 3.2bn of cryptocurrency was stolen from individuals and services, according to the cryptocurrency report of Chainalysis, a company that provides blockchain data and analysis to banks, governments and other businesses. (According to Reuters, Ron is working with Synolysis to find the stolen funds in The Hague.) This figure is almost six times higher than the amount stolen in 2020. So far this year, $ 1bn has already been stolen, according to experts. In Chainalysis and other security companies.

Vulnerabilities in smart contracts

High-level hacks and substantial amounts of money have raised questions about how vulnerable blockchain – which has long been considered a safe haven for storing assets – can be.

Some experts say reports about cryptocurrency are on the rise as cryptocurrency is more widely used and well understood than ever before.

“You basically have a lot of money at the desk and at the public table,” said Nicholas Christine, an associate professor at Carnegie Mellon University who researches online crime and computer and network security. Since large sums of money are circulating in these open systems, it could be a hacker’s ploy.

To understand how these thefts are possible, experts say it is important to distinguish between blockchain and other programs that operate on it. Blockchain is a decentralized publication that allows peer-to-peer transactions. This is the foundation layer on which Bitcoin, Ethereum or Solana are built.

The second layer – one that is often exploited – is smart deals running on blockchains. Smart contracts are contracts that are in the code that are automatically executed when the terms of the contract are fulfilled. A common analogy to the digital vending machine – select an item, add the right amount of money and your item will be automatically distributed. These agreements are irrevocable.

Christine explained that hackers make money through these second-tier systems by using bugs in the code or by capturing private keys that allow access into computers. Some hackers smash smart deals to get the funds back into their hands.

At Oxy Infinity Hack, which targeted Ron’s Bridge, the hacker obtained enough private keys to control the bridge and drain the funds. The money was high as many users kept their assets on the bridge.

“Basic blockchain protocol is secure,” said Rongkui, founder and CEO of blockchain security firm Certik. “But programs – smart deals – are just like any other normal program that runs on top of them, and may contain software bugs and vulnerabilities.”

It is common for hackers to try to use the code of one of their targets. This allows most of the code for blockchain programs to be open source, making it easily accessible to hackers who want to look at the code and detect potential bugs.

“People in this world say ‘in the code we believe in,’ but that code is not really reliable,” Gu said. When he started his blockchain security company in 2018, only a few companies used third-party security services to audit and evaluate their code – an important security pinstop – but he saw a gradual increase in the number.

Crypto exchanges are also key targets for hacks. Transactions are like banks, they are central institutions that hold the money of a large number of users and the transactions are unchangeable. Like bridges, they are an intermediary project and they are targeted. “Those big exchanges have a big goal in their backs,” Christine said.

The victims left Large safety load

Once crypto assets are stolen, it can be challenging for thieves to get the money, especially if the theft is in the nine count range. That means funds will often be pulled for years or indefinitely. At that time, the value of stolen funds may change due to the volatility of the crypto market.

The Chainalysis cryptocurrency report estimates that criminals currently have at least $ 10bn worth of cryptocurrency, most of which was obtained through theft. Thanks to the transparency in blockchain, it is possible to trace these transactions and stocks, but it is difficult to identify the culprit until the funds are monetized.

One can look at the Pitfinex scandal as a case study in a laundry attempt. “Funds didn’t move for very long. Then when they tried to start the laundry process, it was an opportunity for law enforcement to get involved again because people were following these hacks,” said Kim Greer, research director at Sinolysis.

For those affected by the plans, there are some ways to recover the assets. “If a bank’s security fails, it’s not so bad for the bank,” said Ethan Heilman, a cybersecurity expert and co – founder of the cloud service BastionZero. “But if you have a cryptocurrency exchange, it’s too bad for you if someone empties your cryptocurrency.” Banks have taken steps to protect their customers who do not have blockchain. Insurance policies guarantee that if a person’s credit card is stolen, the money will usually be refunded. In Blockchain, however, transactions are unchangeable – there is no undo button.

That means there is a huge security burden for individual users to keep their assets safe. “End users do not need to be aware of the security risks to themselves,” Christine said. “Frankly, even those in the field do not have time to review some smart contract source code.”

If someone hands over their keys to the wrong second tier broker, they are more likely to fall victim to theft. Overall, most people do not accept this responsibility.

Crypto companies are starting to talk more seriously about security, Hellman said, but the world without hacks is not realistic, he added. “You can never be safe, you are very safe,” he said. “So, since it’s easy to monetize a victim in one of these systems, I think we’ll continue to see things being hacked, and ‘Is there a new hack this month?’ There will be no question of: ‘How often are there hacks this month?’

“There are really important things that the industry needs to overcome to grow and scale, because you can’t have a healthy growing business if everyone is afraid they will be hacked,” Greer said.

Leave a Comment