Blockchain project Ronin, behind the popular online game Axie Infinity, said Friday it had made some headway in probing a cyber heist that compromised $615 million in virtual assets, citing an “external breach.”
This followed a warning from the Bangko Sentral ng Pilipinas to the public regarding the risks of non-fungible tokens (NFTs) following the reported theft from a digital ledger used by players of Axie Infinity.
About 35 percent of traffic in Axie Infinity comes from the Philippines, accounting for the biggest share of its 2.5 million daily active
Bridget Rose Mesina-Romero, BSP Payment System Oversight Department Deputy Director, called on the public to exercise caution over play-to-earn games, noting the risks that come with them.
“We have been reminding the public that they should be aware of how these games work, the risks attendant to them, and they should for example know how they can have recourse or remedies,” she said in a virtual briefing Thursday.
“They should only place funds that they are willing to lose because of the risks,” Mesina-Romero added.
Investigators are on the trail of the hackers, watching the money as it moves around a system that critics call the Wild West of finance. They are playing catch-up: the gaming company that got scammed apparently did not even notice for six days.
But the Ronin Network disclosed to users that on March 23, hackers drained Ethereum and USDC cryptocurrencies worth $615 million, in one of largest thefts ever in the crypto world.
Ronin was developed by Vietnam-based Sky Mavis to service the cryptocurrency exchange needs of Axie Infinity players, a significant portion of which are Filipino.
“While the investigations are ongoing, at this point we are certain that this was an external breach. All evidence points to this attack being socially engineered, rather than a technical flaw,” the company said in a newsletter.
Examples of socially engineered attacks include smishing or phishing, where cyber criminals rely on manipulation and human emotion to coax victims into providing information or access to networks such as Ronin.
While this seems to imply the attack was not the result of any design flaws in the system, the Ronin Network still pledged to improve security.
“We are committed to ensuring that all of the drained funds are recovered or reimbursed, and we are continuing conversations with our stakeholders to determine the best course of action,” it said in a statement.
The hack is one of the biggest to hit the crypto world, raising huge questions about security in an industry that only recently burst into the mainstream thanks to celebrity promotions and promises of untold wealth.
Axie Infinity maker Sky Mavis said they were made aware of the security breach on Tuesday, after Ronin said hackers gained access to private keys to withdraw digital funds.
The firm said it would recover or reimburse the funds, easing the anxiety of gamers—particularly in the Philippines where hundreds of thousands play Axie Infinity.
The BSP earlier said it is monitoring transactions involving Axie Infinity’s small love potions (SLPs), which users can either cash out or use to breed new Axies or digital pets. The central bank earlier noted that SLPs are excluded from its scope under the guidelines for Virtual Asset
Service Providers, as its regulatory focus is on the exchange of fiat money for virtual assets.
Sky Mavis is not registered as an operator of payment systems, and the BSP said it is in coordination with other regulators to determine whether the firm should fall under such a category.
“Since this is a digital field, it creates a borderless area where fraudsters can really enter and perform illicit activities, so the public should practice cyber hygiene in order to protect your personal data and identity,” Romero said.