Ronin Bridge heist
Lazarus operators compromised five of nine Ronin validator nodes and forged withdrawal signatures, draining 173,600 ETH and 25.5 million USDC (~$625M) — the largest cryptocurrency theft on record at the time.
- Victim: Sky Mavis / Axie Infinity / Ronin Network
- Loss: $625.0M
On 23 March 2022, Lazarus Group operators executed what was, at the time, the largest single cryptocurrency theft on record: ~$625 million in ETH and USDC drained from the Ronin Bridge, the Ethereum-side gateway for Axie Infinity — at the time the world's largest blockchain-game economy. The heist exploited a validator-quorum failure that combined operational debt and key-custody weakness in a way that defined the post-incident understanding of bridge security.
What happened
Ronin is a sidechain operated by Sky Mavis to support Axie Infinity, a "play-to-earn" NFT-based game that at its 2021 peak had over a million daily active users. To move ETH and USDC between Ethereum and Ronin, players used the Ronin Bridge, a custodial bridge secured by a 5-of-9 multisignature validator quorum. Four validators were operated by Sky Mavis directly; one was operated by the Axie DAO; four by external partners.
In November 2021, a Sky Mavis senior engineer was targeted by a Lazarus social-engineering operation following the now-canonical pattern:
- Contact via LinkedIn posing as a recruiter at a fake company offering a high-paying remote role.
- Multiple interview rounds to build credibility.
- A malicious PDF "job offer" that dropped a backdoor.
Over the following months, Lazarus operators:
- Established persistence on Sky Mavis infrastructure.
- Identified the validator signing key custody architecture.
- Compromised the four Sky Mavis validator signing keys.
The catastrophic operational debt that produced the heist was discovered during the forensic post-mortem: in December 2021, during a surge of Axie Infinity player onboarding, Sky Mavis had asked the Axie DAO validator to delegate its signing authority to Sky Mavis-controlled validators temporarily to handle the transaction load. The delegation was never revoked. It remained in place months later — giving Sky Mavis-controlled keys the ability to sign for 5 of 9 validators, exactly the quorum threshold.
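As an added illustration (not code from this page, Sky Mavis or Ronin), a small quorum-concentration check a defender could run over a validator set: it counts how many signatures each organisation can produce once live delegations are honoured, and flags any organisation that reaches the threshold alone. Validator and partner names other than Sky Mavis and Axie DAO are hypothetical, and the delegation expiry field is an assumed control that Ronin's setup did not have.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

THRESHOLD = 5  # Ronin Bridge quorum: 5 of 9 validator signatures

@dataclass
class Validator:
    name: str
    operator: str                             # organisation holding the signing key
    delegate_to: Optional[str] = None         # organisation allowed to sign on its behalf
    delegation_expires: Optional[str] = None  # ISO date; None models a never-revoked delegation

def effective_signers(validators: List[Validator], today: str) -> Dict[str, int]:
    """Count signatures each organisation can produce on `today`, honouring
    delegations that have not expired (a delegation with no expiry stays live)."""
    d_today = date.fromisoformat(today)
    counts: Dict[str, int] = {}
    for v in validators:
        org = v.operator
        if v.delegate_to and (v.delegation_expires is None
                              or d_today <= date.fromisoformat(v.delegation_expires)):
            org = v.delegate_to
        counts[org] = counts.get(org, 0) + 1
    return counts

def quorum_concentration(validators: List[Validator], today: str,
                         threshold: int = THRESHOLD) -> List[str]:
    """Organisations that can reach the signing threshold on their own."""
    return sorted(org for org, n in effective_signers(validators, today).items()
                  if n >= threshold)

def ronin_like_set(delegation_expires: Optional[str]) -> List[Validator]:
    """Constructed 9-validator set: 4 Sky Mavis, 1 Axie DAO delegated to Sky Mavis,
    4 external partners (partner names are hypothetical)."""
    vals = [Validator(f"skymavis-{i}", "Sky Mavis") for i in range(1, 5)]
    vals.append(Validator("axiedao-1", "Axie DAO", "Sky Mavis", delegation_expires))
    vals += [Validator(f"partner-{c}", f"Partner {c}") for c in "ABCD"]
    return vals

if __name__ == "__main__":
    # Never-revoked delegation: Sky Mavis alone holds a quorum on 23 March 2022.
    print(quorum_concentration(ronin_like_set(None), "2022-03-23"))
    # Same delegation with an expiry after the onboarding surge: no single-org quorum.
    print(quorum_concentration(ronin_like_set("2022-01-15"), "2022-03-23"))
```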
On 23 March 2022, the operators used the compromised keys to sign two fraudulent withdrawal transactions:
- 173,600 ETH (~$595M at time)
- 25.5 million USDC (~$25M)
Both transactions executed successfully against the bridge contract. The funds moved to attacker-controlled addresses.
Detection delay
The heist remained undetected for six days. Ronin's monitoring did not flag the unusually large outbound transactions because they were validly signed by the configured multisig. The breach was discovered on 29 March when a normal Axie Infinity user attempted to withdraw 5,000 ETH and the bridge contract reported insufficient liquidity.
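An added example (not Ronin's monitoring or any Sky Mavis code) of the check that was missing: withdrawal events are reviewed against a per-transaction cap and a rolling 24-hour outflow cap regardless of whether the multisig signature verified. The limit values and the routine withdrawals are constructed; the two large events use the amounts from the incident.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

@dataclass
class Withdrawal:
    ts: datetime
    asset: str
    amount: float
    valid_signature: bool  # result of the bridge's own multisig check

# Hypothetical policy values, not Ronin's actual post-incident limits.
PER_TX_LIMIT = {"ETH": 10_000, "USDC": 5_000_000}
DAILY_LIMIT = {"ETH": 25_000, "USDC": 10_000_000}

def review(history: List[Withdrawal], w: Withdrawal) -> List[str]:
    """Alert reasons for `w`. The size checks run even when the signature is
    valid, which is the gap in Ronin's monitoring described above."""
    reasons = []
    if not w.valid_signature:
        reasons.append("invalid multisig signature")
    if w.amount > PER_TX_LIMIT[w.asset]:
        reasons.append(f"per-tx limit {PER_TX_LIMIT[w.asset]} {w.asset} exceeded")
    recent = sum(h.amount for h in history
                 if h.asset == w.asset and w.ts - h.ts < timedelta(hours=24))
    if recent + w.amount > DAILY_LIMIT[w.asset]:
        reasons.append(f"24h outflow {recent + w.amount} {w.asset} exceeds "
                       f"{DAILY_LIMIT[w.asset]}")
    return reasons

def flagged(events: List[Withdrawal]) -> List[Tuple[int, List[str]]]:
    """Replay events in order; return (index, reasons) for each alerting withdrawal."""
    out, history = [], []
    for i, w in enumerate(events):
        r = review(history, w)
        if r:
            out.append((i, r))
        history.append(w)
    return out

T0 = datetime(2022, 3, 23, 9, 0)
# Constructed sample: two routine withdrawals, then two validly signed
# withdrawals with the amounts taken by the Ronin attackers.
SAMPLE_EVENTS = [
    Withdrawal(T0, "ETH", 120, True),
    Withdrawal(T0 + timedelta(hours=1), "ETH", 300, True),
    Withdrawal(T0 + timedelta(hours=3), "ETH", 173_600, True),
    Withdrawal(T0 + timedelta(hours=3, minutes=5), "USDC", 25_500_000, True),
]

if __name__ == "__main__":
    for idx, reasons in flagged(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].amount, SAMPLE_EVENTS[idx].asset, reasons)
```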
Impact
- $625M stolen — at the time, the largest single cryptocurrency theft.
- Sky Mavis's pre-existing treasury plus a $150M emergency raise led by Binance funded full restoration of player balances.
- Bridge offline for over 90 days during remediation.
- Tornado Cash subsequently sanctioned by OFAC (8 August 2022), with the sanction explicitly citing Ronin laundering activity through the mixer.
Attribution
OFAC formally attributed the operation to Lazarus Group on 14 April 2022, sanctioning the attacker-controlled Ethereum addresses. The attribution is consistent with the Lazarus crypto-theft signature: LinkedIn-based recruiter spearphishing, custom backdoors against engineer workstations, patient credential staging, multi-key signing-authority compromise, and a mixer-and-bridge laundering pipeline.
The operation is part of the continuous Lazarus crypto-theft programme documented in the Park Jin Hyok 2018 indictment and the subsequent expansion of named DPRK cyber operators. Chainalysis, Elliptic, and the U.N. Panel of Experts on DPRK sanctions all attribute the heist to North Korean state actors.
Why it matters
Ronin is the canonical case for bridge-quorum failure and the highest-profile demonstration of Lazarus's targeting of cryptocurrency engineering staff. It established:
- That operational debt around validator delegation is a first-order security risk. The five-month-stale delegation that ultimately gave Lazarus a quorum was a routine operational shortcut that no security review caught.
- That bridge multisig schemes with concentrated single-organisation custody of a quorum's worth of keys are functionally single points of failure regardless of the multisig threshold.
- That LinkedIn-based recruiter spearphishing is now the most operationally effective way to compromise cryptocurrency engineering staff. The Sky Mavis engineer, the Atomic Wallet engineer (2023), the WazirX engineer (2024), and dozens of others have been compromised via variants of the same lure.
- That Tornado Cash sanctions are a viable U.S. policy lever for disrupting crypto laundering, even when the underlying protocol is decentralised. The OFAC designation of a smart contract is itself a precedent that continues to shape both crypto policy and digital-rights litigation.
Financial impact
Reported costs in USD
- Business loss: $625.0M
- Remediation: $50.0M
Timeline
- November 2021: A Sky Mavis senior engineer is contacted via LinkedIn by what appears to be a recruiter at a fake company. After multiple interviews, the engineer is sent a PDF "job offer" with a malicious payload.
- Following months: Lazarus operators establish persistence on Sky Mavis infrastructure, identify the Ronin validator key custody architecture, and compromise four of five Sky Mavis-controlled validator signing keys.
- December 2021: Axie DAO had delegated signing authority to Sky Mavis during a player onboarding surge. The delegation was never revoked, giving Sky Mavis-controlled keys signing power for both Sky Mavis and Axie DAO validators (5 of 9 total).
- 23 March 2022: Lazarus operators use the compromised keys to sign two fraudulent withdrawal transactions: 173,600 ETH and 25.5M USDC, totalling ~$625M, to attacker-controlled addresses.
- 29 March 2022: An Axie Infinity user attempts to withdraw 5,000 ETH and discovers the bridge is drained. Sky Mavis publicly discloses the breach.
- 14 April 2022: U.S. Treasury OFAC formally attributes the heist to Lazarus Group, sanctioning addresses tied to the operation.
- Lazarus laundering moves the funds through Tornado Cash. OFAC subsequently sanctions Tornado Cash itself (8 August 2022), citing $455M of Ronin proceeds laundered through it.
- Sky Mavis relaunches the Ronin Bridge with a 9-of-9 multisig and additional withdrawal-limit safeguards. Player funds are restored from Sky Mavis treasury reserves plus a $150M raise led by Binance.
Sources
- roninblockchain.substack.com: https://roninblockchain.substack.com/p/back-to-building-ronin-network-community
- home.treasury.gov: https://home.treasury.gov/news/press-releases/jy0731
- chainalysis.com: https://www.chainalysis.com/blog/lazarus-group-axie-infinity-ronin-bridge-dprk-hack-april-2022/