Investigators are tracking down the hacker who stole more than $600 million in cryptocurrencies last week, watching the money as it moved around a system that critics call the financial Wild West.
But they were playing catch-up: the gaming company that was duped didn't seem to notice for six days.
The hack is one of the biggest to hit the crypto world, raising big questions about security in an industry that has recently broken into the mainstream thanks to celebrity promotions and the promise of untapped wealth.
The sector has been plagued by fraud and hacking.
This week's theft from the maker of Axie Infinity, a game where players can acquire crypto through gameplay or trade their avatars, came just weeks after thieves managed to make off with about $320 million in a similar attack.
“We’re seeing more hacking because there’s more money in the blockchain,” said Roman Bieda of Coinfirm, a crypto security company, referring to the technology that supports cryptocurrencies.
The industry should have learned lessons from previous attacks, but security is still being sacrificed for profit, he added, labeling Axie's failure to notice the hack a "huge shortcoming".
The Axie Infinity attacker exploited weaknesses in the set-up provided by the Vietnam-based firm behind the game, Sky Mavis.
The company had to solve a problem: the ethereum blockchain, where transactions in ether cryptocurrencies are recorded, was relatively slow and expensive to use.
To allow Axie Infinity players to buy and sell quickly, the firm created an in-game currency and a side chain with a bridge to the main ethereum blockchain.
The result is faster and cheaper – but ultimately less secure.
The hacker was able to take over the side chain and empty its coffers, apparently without anyone noticing, something experts say is impossible on the ethereum blockchain.
The firm said it will recover or repay the funds, alleviating player concerns – especially in the Philippines where hundreds of thousands play Axie Infinity.
“Some Filipinos are going crazy because of what happened,” Dominic Lumabi, a player from Manila, told AFP.
Some feared the game would close and money would be lost, he said, adding that he was relieved Sky Mavis was being transparent.
But the firm faces a difficult challenge to recover the money.
“The battle continues”
Security firms are monitoring the stolen money as it moves through various wallets, as accounts are called in the crypto world.
Blockchain data platform Chainalysis helped Sky Mavis keep track of the money, and Elliptic said it is investigating and notifying its customers.
Bieda of Coinfirm said that sooner or later the perpetrators will be traced.
“The bigger the number, the harder it is to hide,” he told AFP.
But even if investigators can see where the money is, there are tricks that thieves can use.
They can use software that mixes stolen money with legitimate flows, use exchanges with loose rules or transfer their funds to jurisdictions with no rules at all like North Korea or Russia.
Any such move makes it easier to convert cryptocurrencies into cash that can be spent on a daily basis.
It was an “ongoing battle” between thieves and those trying to stop them, Bieda said.
“The use of (cryptocurrencies) is growing, more protocols and more solutions are being created, but the pursuit of cheap transactions and profits means the industry sometimes … forgets about security.”