Ronin Network — Axie Infinity bridge theft

DPRK operators compromised the four Ronin Network validator keys run by Sky Mavis and reused an unrevoked Axie DAO signing delegation to reach the five-of-nine threshold that authorised a $625M drain of ETH and USDC from the Axie Infinity bridge.

Target: Ronin Network — Axie Infinity bridge theft
Date public: 29 March 2022
Sector: Crypto
Attack type: Wallet Compromise
Threat actor: Lazarus Group (DPRK)
Severity: Critical
Region: Global — Sky Mavis / Vietnam-based developer

In March 2022 North Korean operators stole roughly $625 million in cryptocurrency from the Ronin Network, a sidechain that connected the Axie Infinity play-to-earn game to the wider Ethereum ecosystem. The attackers got in through a fake LinkedIn job offer: a Sky Mavis engineer opened what looked like a recruitment PDF, which was malware that gave the attackers a foothold in the company's environment and, from there, its validator signing keys. Those four keys plus a stale Axie DAO signing delegation that no one had revoked met the five-of-nine signature threshold required to authorise a bridge withdrawal. The Ronin theft is the canonical case study for why "multi-signature" custody is only as safe as the operational independence of the signers.

On 29 March 2022 Sky Mavis disclosed that an attacker had drained 173,600 ETH and 25.5 million USDC, approximately $625 million at the time, from the Ronin bridge, the contract that moved assets between the Ronin sidechain (home of the Axie Infinity play-to-earn game) and the Ethereum mainnet. The drain had occurred six days earlier, on 23 March, in two transactions. It went undetected until a user reported being unable to withdraw 5,000 ETH and the investigation found the funds missing from the bridge. By the time Sky Mavis confirmed the theft, the attacker had already begun moving the proceeds through Tornado Cash and a chain of intermediary wallets.

Ronin operated a proof-of-authority sidechain with nine validators. Bridge withdrawals required signatures from at least five of them. Sky Mavis controlled four of the nine validator keys, and a fifth, held by the Axie DAO, had been allowlisted several months earlier so that Sky Mavis could sign on the DAO's behalf during a period of heavy user load; the allowlist was never revoked when the load subsided. The attacker compromised a Sky Mavis employee through a fake-job-offer LinkedIn approach that delivered a malicious PDF, used that foothold to sign with the four Sky Mavis validator keys, and then, because the allowlist let Sky Mavis infrastructure produce the Axie DAO signature, used the same foothold to obtain the fifth. The bridge cleared the withdrawal as a legitimate consensus-approved transfer because, by the rules of the contract, it was.

The US Treasury’s Office of Foreign Assets Control attributed the theft to the Lazarus Group on 14 April 2022, adding the Ethereum address that received the stolen funds to the Specially Designated Nationals list. The attribution made Lazarus the dominant threat-actor name attached to large cryptocurrency thefts, a pattern that has continued through Atomic Wallet (June 2023, about $100M), Stake.com (September 2023, about $41M), DMM Bitcoin (May 2024, about $305M) and Bybit (February 2025, about $1.46B). US, UK and Japanese authorities have repeatedly stated that the proceeds of these operations fund DPRK weapons programmes.

Sky Mavis raised $150 million in a recovery round led by Binance and reimbursed affected users. The Ronin bridge re-opened with the validator set expanded to twenty-one and the Axie DAO delegation revoked.

Defender takeaway: bridges are concentrated, high-value targets, holding token reserves worth billions behind simple multi-signature authorisation logic, and Lazarus has industrialised the playbook against them. Every component of the Ronin compromise is a recognisable enterprise security failure: spear-phishing through an HR channel, lateral movement after initial access, key custody in an environment where one administrator could reach all four validator nodes, and a temporary delegation that no one had decommissioned. The crypto-specific lesson is that contract logic is enforced without appeal: if the contract permits a five-of-nine signature set to withdraw funds and an attacker assembles five valid signatures, the contract pays. Multi-signature custody only works if the signers are operationally independent, so that compromising one environment yields fewer signatures than the threshold. Sky Mavis’s signers were not independent; they were one workstation away from one another, and the delegation made a fifth signature reachable from the same place. The systemic lesson is that delegations and temporary access grants need the same lifecycle management as any other privileged credential: an owner, an expiry and a revocation check. By 2022 the Axie DAO delegation was the operational equivalent of a service account with administrative rights that nobody owned.
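A runnable model of the two points above, the validator-set description and the takeaway that a threshold counts signatures rather than independent signers, added here as an example; it is not Ronin's bridge contract or any Sky Mavis code. The validator names, custodians, keys, delegation record, timestamps and withdrawal are all constructed, and an HMAC over the withdrawal stands in for the ECDSA signatures a real bridge verifies (so the checker holds the same secret the signer used, which a real contract would not). The contract_check function mirrors what the on-chain rule sees; single_compromise_reaches_threshold is the off-chain configuration audit that would have flagged the stale allowlist.

```python
"""Toy model of a Ronin-style 5-of-9 bridge withdrawal rule plus an audit for
signer independence. Added example for this page, not Ronin's contract.
Everything below (names, custodians, keys, delegation, withdrawal) is
constructed, and HMAC stands in for real ECDSA validator signatures."""
import hashlib
import hmac
import json
from dataclasses import dataclass

THRESHOLD = 5       # Ronin bridge: five of nine validator signatures
NEVER = 2**62       # sentinel for a delegation with no expiry (Ronin's had none)


@dataclass(frozen=True)
class Validator:
    name: str
    custodian: str  # organisation whose environment can use this key
    key: bytes      # toy signing secret (a real validator holds a private key)


@dataclass(frozen=True)
class Delegation:
    validator: str  # validator whose signature the delegate may produce
    delegate: str   # custodian granted that right (Ronin: Sky Mavis for the Axie DAO)
    expires_at: int  # unix time after which the grant must not be honoured


def withdrawal_digest(withdrawal: dict) -> bytes:
    return hashlib.sha256(json.dumps(withdrawal, sort_keys=True).encode()).digest()


def sign(v: Validator, withdrawal: dict) -> tuple:
    mac = hmac.new(v.key, withdrawal_digest(withdrawal), "sha256").hexdigest()
    return (v.name, mac)


def contract_check(validators: dict, sigs, withdrawal: dict) -> bool:
    """What the on-chain rule enforces: at least THRESHOLD valid signatures from
    distinct validators. It has no notion of who actually held the keys."""
    digest = withdrawal_digest(withdrawal)
    valid = set()
    for name, mac in sigs:
        v = validators.get(name)
        if v and hmac.compare_digest(mac, hmac.new(v.key, digest, "sha256").hexdigest()):
            valid.add(name)
    return len(valid) >= THRESHOLD


def reachable_signatures(validators: dict, delegations, custodian: str, now: int) -> set:
    """Validator signatures one custodian can produce alone: the keys held in
    its environment plus every unexpired delegation granted to it."""
    reach = {v.name for v in validators.values() if v.custodian == custodian}
    reach |= {d.validator for d in delegations
              if d.delegate == custodian and d.expires_at > now}
    return reach


def single_compromise_reaches_threshold(validators: dict, delegations, now: int) -> list:
    """Custodians whose compromise alone clears THRESHOLD. A non-empty result
    means the multisig is one environment away from being a single key."""
    custodians = {v.custodian for v in validators.values()}
    return sorted(c for c in custodians
                  if len(reachable_signatures(validators, delegations, c, now)) >= THRESHOLD)


def build_validator_set() -> dict:
    """Constructed nine-validator set modelled on the Ronin layout: four keys in
    one operator's environment, one DAO key, four independent operators.
    Keys are derived from the name purely so the example is deterministic."""
    layout = [("sm-1", "sky_mavis"), ("sm-2", "sky_mavis"), ("sm-3", "sky_mavis"),
              ("sm-4", "sky_mavis"), ("dao-1", "axie_dao"),
              ("ext-1", "operator_a"), ("ext-2", "operator_b"),
              ("ext-3", "operator_c"), ("ext-4", "operator_d")]
    return {name: Validator(name, cust, hashlib.sha256(name.encode()).digest())
            for name, cust in layout}


def attacker_withdrawal(validators: dict, delegations, compromised: str, now: int):
    """Signatures an attacker holding one custodian's whole environment can
    assemble, i.e. the Ronin situation after the phishing foothold."""
    withdrawal = {"nonce": 1, "to": "0xattacker", "amount_eth": 173600}  # constructed
    names = reachable_signatures(validators, delegations, compromised, now)
    sigs = [sign(validators[n], withdrawal) for n in sorted(names)]
    return withdrawal, sigs


if __name__ == "__main__":
    vals = build_validator_set()
    stale = [Delegation("dao-1", "sky_mavis", NEVER)]
    now = 1648000000  # March 2022 (constructed)
    w, sigs = attacker_withdrawal(vals, stale, "sky_mavis", now)
    print("contract pays with stale delegation:", contract_check(vals, sigs, w))
    print("single-custodian risk:", single_compromise_reaches_threshold(vals, stale, now))
    print("after revocation:", single_compromise_reaches_threshold(vals, [], now))
```

Run as a script it reports that the contract pays the attacker's five-signature withdrawal while the delegation is active and that the audit names sky_mavis as a single point of compromise; with the delegation expired or removed the attacker is left with four signatures, the contract refuses, and the audit returns nothing. The audit is deliberately pessimistic: it assumes every key in one custodian's environment falls together, which is exactly what the Ronin compromise showed.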
