The largest DeFi theft in history: Ronin Network attack (March 2022)

Attack process and loss amount

On March 23, 2022, hackers stole approximately $625 million (173,600 ETH and 25.5 million USDC) from Axie Infinity’s cross-chain bridge by controlling the private keys of five validators on the Ronin sidechain and forging withdrawal requests. The attack was not discovered until March 29, resulting in the suspension of the cross-chain bridge service between the Ronin chain and Ethereum.

Attack Methods and Vulnerability Roots

Fake recruitment infiltration: The North Korean hacker group Lazarus Group posted fake positions on LinkedIn to trick Axie Infinity engineers into downloading PDF files containing Trojans, and then stole validator private keys.

Management oversight: In November 2021, Ronin temporarily expanded the number of validator nodes from 5 to 9 in response to a surge in users, but failed to revoke the redundant permissions in a timely manner afterwards. As a result, the attacker only had to control 4 nodes to complete the attack.
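
An added example, not from the original article or from Ronin's code: a small audit of a threshold-signed bridge that counts how many distinct parties must be compromised to reach the signing threshold, and shows how an unrevoked temporary permission lowers that number. The validator names, key holders, threshold and dates are constructed sample data, not Ronin's actual configuration.

```python
from datetime import date
from itertools import combinations

THRESHOLD = 5  # signatures needed to approve a withdrawal (constructed value)

# Constructed sample data: validator -> party holding its signing key.
KEY_HOLDERS = {
    "v1": "operator-a", "v2": "operator-a", "v3": "operator-a", "v4": "operator-a",
    "v5": "partner-b", "v6": "partner-c", "v7": "partner-d",
    "v8": "partner-e", "v9": "partner-f",
}

# Constructed delegations: (validator, party allowed to sign for it, intended expiry).
DELEGATIONS = [
    ("v5", "operator-a", date(2021, 12, 31)),  # temporary grant, never revoked
]


def stale_delegations(delegations, today):
    """Delegations still configured after their intended expiry."""
    return [d for d in delegations if d[2] < today]


def control_map(key_holders, delegations):
    """Map each party to the set of validators it can produce a signature for."""
    control = {}
    for validator, party in key_holders.items():
        control.setdefault(party, set()).add(validator)
    # A configured delegation works until revoked, whatever its intended expiry.
    for validator, party, _expiry in delegations:
        control.setdefault(party, set()).add(validator)
    return control


def min_parties_to_reach(threshold, control):
    """Smallest group of parties whose combined signatures meet the threshold."""
    parties = sorted(control)
    for size in range(1, len(parties) + 1):
        for group in combinations(parties, size):
            reachable = set().union(*(control[p] for p in group))
            if len(reachable) >= threshold:
                return size, group
    return None


if __name__ == "__main__":
    today = date(2022, 3, 23)
    print("stale:", stale_delegations(DELEGATIONS, today))
    print("as configured:", min_parties_to_reach(THRESHOLD, control_map(KEY_HOLDERS, DELEGATIONS)))
    print("after revocation:", min_parties_to_reach(THRESHOLD, control_map(KEY_HOLDERS, [])))
```

In this sample the unrevoked grant lets a single party reach the threshold alone; once it is revoked, at least two independent parties are needed.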

Fund Flow and Tracing Progress

About $17 million of stolen ETH was laundered through exchanges such as Huobi and FTX, and the remaining funds were traced to addresses controlled by the Lazarus Group. As of 2024, more than $500 million has not been recovered.

Second security crisis: Co-founder Jihoz’s personal account was stolen (February 2024)

Event Overview

On February 23, 2024, two personal crypto wallets of Jihoz, the co-founder of Axie Infinity, were stolen due to private key leakage, resulting in a loss of more than $10 million. The attacker obtained his mnemonic phrase through a phishing attack, but the Ronin chain itself was not affected.

Industry chain reaction

After the incident was exposed, the price of AXS tokens fell by 12% in a single day, and the market's doubts about the "security of executive accounts" intensified. This incident, together with the theft of $26 million from the FixedFloat exchange and the $347 million attack on PlayDapp in the same period, triggered the "Web3 security crisis" in February 2024.

Impact of the incident and lessons for the industry

Market trust collapses

Axie Infinity's daily active users plummeted from 2.8 million in 2021 to less than 500,000 in 2024. The market value of its governance token AXS has shrunk by more than 90%, and the overall valuation of the blockchain gaming sector has declined.

Safety standards upgrade

Cross-chain bridge reconstruction: Ronin introduced multi-party computation (MPC) technology in 2023, changing single-point private key control to distributed verification.

Regulatory intervention: The U.S. Treasury Department has included Lazarus Group on the sanctions list, and the EU requires DeFi projects to purchase compulsory insurance against hacker losses.

Industry warning

The incident exposed three core issues:

Developers prioritize user experience at the expense of security (e.g., temporary permissions are not revoked);

Social engineering attacks become a mainstream threat;

The risk of capital concentration in centralized cross-chain bridges is difficult to avoid.
