Despite the eye-watering sum, however, experts told CoinDesk in a series of interviews that it’s unlikely the attacker will ever get to enjoy their ill-gotten gains.
On Tuesday, Axie developer Sky Mavis announced in a blog post that the exploit resulted in losses of over 173,000 ETH and 25.5 million USDC, worth more than $625 million at the time of publication.
Immediately after the attack, however, observers noted that the hacker used centralized exchanges to fund the address that launched the attack, and that they have been depositing thousands of ETH to exchanges including Huobi, FTX and Crypto.com – a move that many security experts have characterized as a likely misstep.
Because these platforms have know-your-customer (KYC) verification systems, these deposits could be used to discover the hacker’s identity and ultimately force them to return the funds.
“If I was in their shoes, I would seek to get out of this situation as quickly as possible,” blockchain analytics firm Elliptic co-founder Tom Robinson told CoinDesk. “That might include returning the funds.”
Know your exploiter
The attacker’s current method of trying to launder funds through centralized exchanges struck a range of experts across the industry as odd.
“It’s unusual to see such direct flows of funds from thefts to large exchanges,” Robinson said. “They might have purchased accounts, or they could be using an intermediary to launder on their behalf.”
In all, he characterized the attacker’s current efforts to launder their funds as “surprisingly naive.”
“That doesn’t quite match with the sophistication that it would seemingly require to compromise these validators and get their private keys,” he added.
A more common strategy from exploiters is to use a mixer like Tornado Cash, send stolen funds through non-KYC’d exchanges and generally “not rushing to cash out everything straight away, maybe waiting years even,” said Robinson.
Indeed, the broader crypto community has expressed befuddlement at the attacker’s laundering strategy.
As is often the case in the aftermath of an attack, Ethereum users have been using the network to communicate with the attacker, and in one case an individual has attempted to give the attacker tips for how to better launder their ETH.
“Hello, [your] initial deposit was from Binance, be careful and be sure to use tornado.cash you must leave the funds in for multiple days or it can be traced,” they wrote to the attacker’s address as part of an Ethereum transaction. “Afterwards you should use stealthex.io to swap to other currencies over a long period of time. Thanks, feel free to tip / retire me.”
However, even with rigorous privacy-preserving tools and a careful plan, Robinson told CoinDesk it’s extraordinarily difficult to launder a sum as large as $600 million. Indeed, despite the alleged launderers taking a number of precautions over a period of years, U.S. officials seized $3.6 billion in bitcoin related to the 2016 Bitfinex hack just last month.
Fumbling the bag
If Axie does have information on the attacker, identifying hackers has proven to be a successful tactic for developers in the past.
When reached by CoinDesk, blockchain sleuthing firm Chainalysis declined to comment, citing involvement in the ongoing investigation.
Last September, in one of the most colorful hacking incidents in blockchain history, developers of the Jay Pegs Auto Mart non-fungible token (NFT) drop successfully intimidated a hacker into returning funds by – among other tactics – ordering miso soup to their house.
Former Sushi Chief Technology Officer Joseph Delong, who was involved with the Jay Pegs negotiations, said that identifying a hacker can help “prevent an anonymous getaway” and will increase public pressure.
“People will get angry at you doxxing the attacker but those cryptoanarchists can go f**k themselves with their superiority complex,” Delong said in a Tuesday interview.
“Laundering $600 million, I don’t think it’s possible,” said Adrian Hetman, a DeFi expert at Immunefi, a bug bounty service. “The best-case scenario is instead of black-hatting your way into the protocol, you should use that knowledge to submit bugs on a bug bounty platform – you could easily become a millionaire.”
Sushi’s Delong also noted that giving the hacker options can be a useful tool, such as a “clear bounty program and partners like Immunefi to help.”
Indeed, Immunefi is among the slew of services that have emerged as DeFi and Web 3 look to secure the ecosystem from the rising tides of hacks. Immunefi alone has paid out $20 million in bug bounties, and currently has $120 million available for white hats, coding lingo for the benevolent opposite of black-hat hackers who abscond with stolen funds rather than reporting vulnerabilities.
History shows that attempting to steal and launder $625 million may have been the lowest-upside option for the attacker. Last August the hacker who managed to swipe $611 million from Poly Network ultimately returned the funds after deciding it would be impossible to cash out.
“I think either he gets caught, or he’s forced to return the funds. Or both,” said Hetman of the Ronin hacker.
In a worst-case scenario for Axie Infinity, however, the exploiter might not even care about the money at all.
“I think that – fundamentally – the ideology of the exploiter is the key thing to consider when you’re talking about GDP-sized figures acquired through hacks,” said Laurence E. Day, a blockchain developer and scholar. “If they’ve simply done it to send a message about vulnerability or ‘because-they-could, consequences be damned,’ the question ‘was it worth it’ depends on whether they consider that sufficient self-validation as to their skill.”
Day is intimately familiar with hackers looking to send a message. Last October, a protocol Day contributed to, Indexed Finance, was exploited by a Canadian teenage math prodigy, Andean “Andy” Medjedovic.
Despite the team doxing Medjedovic and taking the case to court, the Canadian graduate student has thus far refused to return the funds. In a series of tweets from an account claiming to belong to Medjedovic, he framed the confrontation as a “duel” and a “fight to the death.”
While Medjedovic is currently a fugitive from the law, the incident has earned him significant notoriety, which may have been his primary motivation.
However, Day noted that if the Ronin hacker is interested in fame rather than money, even that end-goal currently appears to be a losing game: They may never be able to claim responsibility without getting caught.
“We’ve seen time and again that ego is the downfall of the people that pull off exploits, and I imagine it’d be quite hard to never be able to own up to it in the same way that negotiating a white-hat bounty and becoming a god in the eyes of the community would allow you to,” said Day.
More from CoinDesk on Axie Infinity and Ronin Network
Gaming-focused Ronin on Tuesday disclosed a loss of more than $625 million in USDC and ether.
Concerns around emissions of an in-game token caused falling user numbers and a drastic plunge in SLP prices.
The token was trading around $3.75 after launching.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.
Learn more about Consensus 2023, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.