
Hackers swipe nearly $600 million from a 'play to earn' crypto game

The intruders took advantage of a vulnerable network.
This photo taken on December 13, 2021 shows Dominic Lumabi playing Axie Infinity on his computer, an NFT game where he earns cryptocurrency to support his family during the pandemic, in Marikina, suburban Manila. Axie Infinity is a blockchain-based play-to-earn game that exploded in popularity in developing nations such as the Philippines as Covid-19 has destroyed jobs and forced many to stay home. (Photo by JAM STA ROSA/AFP via Getty Images)
Jon Fingas | @jonfingas | March 29, 2022 3:40 PM

Digital thieves just pulled off another major crypto heist. Motherboard has learned hackers stole 173,600 Ethereum (about $591.2 million) from the Ronin blockchain that powers Axie Infinity, a popular "play to earn" game where players can receive crypto in exchange for playing and paying some starting costs. The perpetrators reportedly exploited a backdoor in a Remote Procedure Call node from Axie creator Sky Mavis to get a signature, letting them "forge fake withdrawals" using compromised private keys.

Sky blamed the flaw on a holdover from the fall. The firm asked for help from the Axie DAO (decentralized autonomous organization) to handle free transactions and help cope with an "immense user load" in November. The move let Sky sign transactions on the DAO's behalf until December, but the access wasn't revoked after that point.

The company has responded by 'pausing' the Ronin bridge to close off avenues of attack, and has temporarily disabled the Katana decentralized exchange. It hoped to minimize near-term damage by increasing the threshold necessary for validation, but also said it was in the middle of a node migration that would leave the old system behind. Sky intends to track the stolen Ethereum with help from Chainalysis, and is contacting security teams at "major" crypto exchanges.

The theft compounds existing worries for Sky. Motherboard notes Axie Infinity has suffered from plummeting values for its NFTs and tokens in recent months, prompting reforms in a bid to keep the game afloat. An incident like this could easily make things worse by not only starving the game of much-needed funds, but rattling the confidence of players.
