Anatomy of an Axie Hack
Between the 18th and 19th of August, a number of Axie players logged into their accounts to find that all their axies had vanished. In their Activity History, they found records that indicated that their axies had been moved out of their account (“gifted”) and sent to other users. Following the blockchain trail revealed that the axies were transferred and then sold on the marketplace. The ETH earnings were then immediately withdrawn via the Ronin bridge. They’d all been hacked, and no one seemed to have any idea how it happened.
Multiple players were reportedly hit by this hack, and I spent the afternoon yesterday talking to three of them: Leo, Mel, and Matt. In order to protect their identities, I won’t share their full names, or any of the screenshots they provided me with. Suffice to say that I spent some time on the Ronin Explorer tracing what happened to their missing axies, and the blockchain data appears to support their stories. Within about 12 hours of each other, all three players logged into the game only to discover that their teams were no longer syncing, because the axies were no longer in their Ronin wallets. Between the three victims I managed to speak with, over 200,000 pesos’ worth of axies were lost.
How did this happen? I initially wanted to write this newsletter with an explanation of the hack, and recommend some steps to avoid it. But I spent hours talking to each of these players and sadly could not find any common pattern. All of them understood the danger of sharing their seed phrases. Two of them only wrote their seed phrases on pieces of paper, and never saved them digitally. One of them even showed me a fake moderator in the official Axie Discord server who was trying to convince him to type his phrase into a malicious website. They did not appear to be reckless or foolish with their personal security.
So now I’m writing this article without an actual solution, in the hopes that the community will have ideas about how this happened. None of the victims joined any contests or clicked on suspicious emails, or fell for any of the other obvious ways this could have happened. I asked them to take screenshots of the version number of their Ronin wallet Chrome extension, to ensure that they hadn’t installed the fake one floating around last month. Since I couldn’t actually check their computers directly, I was relying on screenshots and whatever they were telling me through chat.
Figuring out how the hack happened will help us figure out how to prevent it. Sky Mavis implemented hardware-device security for the Ronin wallet some time ago, but unfortunately, the Optical Media Board here in the Philippines has made ordering Trezors next to impossible. (My Trezor is still making its way to La Union from my forwarder in the UK, and I’ll update everyone if I actually receive it next week.) In the interim, I think it’d be great if Sky Mavis could implement 2FA support via Google Authenticator or Authy. It’s not as strong as a hardware device, but given that hardly any Filipinos can get one right now, it’s better than nothing. And given how expensive Trezors are, it seems like a far more economical solution.
If you have thoughts about how this hack could have happened, please leave a comment below. I know that some people have accused the victims of just pretending they were hacked, either because they were seeking attention or because they were part of a group selling Trezors. I don’t believe this is the case, based on my separate conversations with them, but it’s only fair to consider every possible angle to this story. Again, if anyone has more information about this and would like to share their thoughts, please comment!
In case you didn’t see my FB post yesterday asking for advice about how to track your opponent’s energy in Axie Infinity, we got some really fun suggestions: everything from sungka shells (!!!) to handwritten notes to floating counter apps. My current version is basically what I could find here at home: old wine corks and stones from the beach.
Last night, our friends at Yield Guild Games announced a $4.5M investment from legendary investor Andreessen Horowitz (a16z). Some of a16z’s previous investments include Facebook, Coinbase, GitHub, Airbnb, and a handful of other tiny companies. It’s the first time this VC has ever made a bet on a Filipino-led startup, and it’s an important milestone for the local industry. If you think Play-to-Earn is hot right now, you ain’t seen nothing yet.
See you all on Monday, cryptofam, and stay safe out there!