So You’ve Stolen $600M. Now What?

After one of the largest exploits in DeFi history, the hacker of Axie’s Ronin network has limited options.

AccessTimeIconMar 30, 2022 at 1:23 p.m. UTC
Updated May 11, 2023 at 6:08 p.m. UTC

The crypto community was rocked Tuesday by what is solidly among the largest hacks in Web 3 history: a $625 million exploit that drained funds from Ronin, the blockchain that is home to the wildly popular Axie Infinity play-to-earn game.

Despite the eye-watering sum, however, experts told CoinDesk in a series of interviews that it’s unlikely the attacker will ever get to enjoy their ill-gotten gains.

On Tuesday, Axie developer Sky Mavis announced in a blog post that the exploit resulted in losses of over 173,000 ETH and 25.5 million USDC, worth more than $625 million at the time of publication.

Immediately after the attack, however, observers noted that the hacker used centralized exchanges to fund the address that launched the attack, and that they have been depositing thousands of ETH to exchanges including Huobi, FTX and – a move that many security experts have characterized as a likely misstep.

Because these platforms have know-your-customer (KYC) verification systems, these deposits could be used to discover the hacker’s identity and ultimately force them to return the funds.

“If I was in their shoes, I would seek to get out of this situation as quickly as possible,” blockchain analytics firm Elliptic co-founder Tom Robinson told CoinDesk. “That might include returning the funds.”

Know your exploiter

The attacker’s current method of trying to launder funds through centralized exchanges struck a range of experts across the industry as odd.

“It’s unusual to see such direct flows of funds from thefts to large exchanges,” Robinson said. “They might have purchased accounts, or they could be using an intermediary to launder on their behalf.”

In an exclusive from October, CoinDesk found that there is a flourishing black market for KYC’d accounts at centralized exchanges. However, Robinson noted that the exchanges being used, including FTX and, have strong reputations for regulatory compliance and KYC.

In all, he characterized the attacker’s current efforts to launder their funds as “surprisingly naive.”

“That doesn’t quite match with the sophistication that it would seemingly require to compromise these validators and get their private keys,” he added.

A more common strategy from exploiters is to use a mixer like Tornado Cash, send stolen funds through non-KYC’d exchanges and generally “not rushing to cash out everything straight away, maybe waiting years even,” said Robinson.

Indeed, the broader crypto community has expressed befuddlement at the attacker’s laundering strategy.

As is often the case in the aftermath of an attack, Ethereum users have been using the network to communicate with the attacker, and in one case an individual has attempted to give the attacker tips for how to better launder their ETH.

“Hello, [your] initial deposit was from Binance, be careful and be sure to use you must leave the funds in for multiple days or it can be traced,” they wrote to the attacker’s address as part of an Ethereum transaction. “Afterwards you should use to swap to other currencies over a long period of time. Thanks, feel free to tip / retire me.”

However, even with rigorous privacy-preserving tools and a careful plan, Robinson told CoinDesk it’s extraordinarily difficult to launder a sum as large as $600 million. Indeed, despite the alleged launderers taking a number of precautions over a period of years, U.S. officials seized $3.6 billion in bitcoin related to the 2016 Bitfinex hack just last month.

Fumbling the bag

If Axie does have information on the attacker, identifying hackers has proven to be a successful tactic for developers in the past.

When reached by CoinDesk, blockchain sleuthing firm Chainalysis declined to comment, citing involvement in the ongoing investigation.

You’re talking about GDP-sized figures acquired through hacks.

Last September, in one of the most colorful hacking incidents in blockchain history, developers of the Jay Pegs Auto Mart non-fungible token (NFT) drop successfully intimidated a hacker into returning funds by – among other tactics – ordering miso soup to their house.

Former Sushi Chief Technology Officer Joseph Delong, who was involved with the Jay Pegs negotiations, said that identifying a hacker can help “prevent an anonymous getaway” and will increase public pressure.

“People will get angry at you doxxing the attacker but those cryptoanarchists can go f**k themselves with their superiority complex,” Delong said in a Tuesday interview.

“Laundering $600 million, I don’t think it’s possible,” said Adrian Hetman, a DeFi expert at Immunefi, a bug bounty service. “The best-case scenario is instead of black-hatting your way into the protocol, you should use that knowledge to submit bugs on a bug bounty platform – you could easily become a millionaire.”

Sushi’s Delong also noted that giving the hacker options can be a useful tool, such as a “clear bounty program and partners like Immunefi to help.”

Indeed, Immunefi is among the slew of services that have emerged as DeFi and Web 3 look to secure the ecosystem from the rising tides of hacks. Immunefi alone has paid out $20 million in bug bounties, and currently has $120 million available for white hats, coding lingo for the benevolent opposite of black-hat hackers who abscond with stolen funds rather than reporting vulnerabilities.

History shows that attempting to steal and launder $625 million may have been the lowest-upside option for the attacker. Last August the hacker who managed to swipe $611 million from Poly Network ultimately returned the funds after deciding it would be impossible to cash out.

“I think either he gets caught, or he’s forced to return the funds. Or both,” said Hetman of the Ronin hacker.

Ideological motivations

In a worst-case scenario for Axie Infinity, however, the exploiter might not even care about the money at all.

“I think that – fundamentally – the ideology of the exploiter is the key thing to consider when you’re talking about GDP-sized figures acquired through hacks,” said Laurence E. Day, a blockchain developer and scholar. “If they’ve simply done it to send a message about vulnerability or ‘because-they-could, consequences be damned,’ the question ‘was it worth it’ depends on whether they consider that sufficient self-validation as to their skill.”

Day is intimately familiar with hackers looking to send a message. Last October, a protocol Day contributed to, Indexed Finance, was exploited by a Canadian teenage math prodigy, Andean “Andy” Medjedovic.

Despite the team doxing Medjedovic and taking the case to court, the Canadian graduate student has thus far refused to return the funds. In a series of tweets from an account claiming to belong to Medjedovic, he framed the confrontation as a “duel” and a “fight to the death.”

While Medjedovic is currently a fugitive from the law, the incident has earned him significant notoriety, which may have been his primary motivation.

However, Day noted that if the Ronin hacker is interested in fame rather than money, even that end-goal currently appears to be a losing game: They may never be able to claim responsibility without getting caught.

“We’ve seen time and again that ego is the downfall of the people that pull off exploits, and I imagine it’d be quite hard to never be able to own up to it in the same way that negotiating a white-hat bounty and becoming a god in the eyes of the community would allow you to,” said Day.

More from CoinDesk on Axie Infinity and Ronin Network

Gaming-focused Ronin on Tuesday disclosed a loss of more than $625 million in USDC and ether.

Concerns around emissions of an in-game token caused falling user numbers and a drastic plunge in SLP prices.

The token was trading around $3.75 after launching.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Andrew Thurman

Andrew Thurman was a tech reporter at CoinDesk with a focus on DeFi.

Read more about