My Ronin Wallet Was Hacked
March 8, 2024 • 4 min read
Warning: I’m not a cybersecurity expert, security researcher, or any kind of blockchain pro. This is just my personal experience and what I understand about the whole mess. Don’t hold me responsible if you follow my example and something goes wrong.
I’ve been using my Ronin Wallet since 2021, primarily through a Chrome extension on my Windows machine for staking and other stuff. I have two seed phrases stored in separate text files on my laptop. I know, I know – not the best idea. The first seed phrase holds 77 axies, 34 AXS and a few RON, while the second one holds only 4 axies. I’ve been staking my AXS since the feature was released, initially with just 6 AXS, and have been restaking the rewards ever since. Never had any problems, and I’ve always been extremely careful with my seed phrases – never shared, never clicked suspicious links, all that.
Fast forward to March 3, 2024. I logged into the Axie website using my Ronin Wallet, just a routine check on my staked AXS and to re-stake the rewards. After logging in, I got to my dashboard and clicked the “Staking” menu to see where I was at. But right away, something was off – the claimable rewards and total staked AXS were both at 0!
My first thought was that I’d somehow logged into the wrong account, 'cause I have two accounts on my Ronin Wallet (the second one’s the default). The first account has been empty forever since I moved everything to the second one a while back (can’t even remember why!). So, I logged out, switched to the first account, and logged back into the Axie website. Same deal – 0 AXS. Okay, now I’m starting to get a little nervous. I switched back to my main account, double-checked, but…nothing. The AXS is still gone.
This is where it gets weird. I figured maybe the website was glitching, so I decided to go straight to my Ronin Wallet and hit the Activity tab. And that’s when I got a major shock – everything, and I mean literally everything – Axies, staked AXS, even the bit of RON I keep for fees – had been sent to some random Ronin wallet address I’ve never even seen before. That’s when it hit me - I got hacked. Big time.
I wasn’t one of those early Axie investors, so I actually bought my Axies and AXS at a high price, if not their peak prices. Plus, breeding wasn’t cheap either – SLP and AXS were super expensive back then. Just thinking about it makes me want to scream into the abyss. Still don’t get how it happened. I’m pretty sure I didn’t get hacked through my phone or computer. The Ronin Wallet app is sitting on my phone forever, so as the Chrome extension. If my devices were compromised, specially my laptop, my other seed phrase that holds my other Axies would have been hacked as well. I’m no cybersecurity expert, but I know enough about phishing and social engineering – I definitely didn’t fall for any of that. Whatever happened, this wasn’t some rookie mistake.
Nobody’s completely safe in the crypto space. For example, Jeff “Jihoz” Zirlin, one of Axie Infinity co-founders, had his Ronin Wallet hacked. This resulted in a substantial loss from two of his compromised addresses. Stolen assets included:
- 3.2M
RON - 282.32
WETH - 160K
PIXEL - 2.76M
SLP - 2,042
USDC - 164
AXS
All stolen assets were exchanged for 3,249 ETH (approximately $9.6 million).
Here’s a tweet from Jihoz about the incident:
This has been a tough morning for me.
— Jihoz.ron 🦌 (@Jihoz_Axie) February 23, 2024
Two of my addresses have been compromised.
The attack is limited to my personal accounts, and has nothing to do with validation or operations of the Ronin chain.
Additionally, the leaked keys have nothing to do with Sky Mavis operations.…
Ronin Wallet
Ronin Wallet uses a secret recovery phrase (seed phrase), consisting of 12 English keywords, to secure your assets. It’s crucial to keep this seed phrase completely safe, as losing it means losing access to your assets permanently.
Brute-forcing a 12-word seed phrase, even with supercomputers, would take an incredible amount of time. To illustrate just how difficult this is, redditor u/matejcik did the math:
There are estimated 500 million cryptocurrency users currently. Assume that everyone has a 12-word seed.
That means that if you brute-force through all 12-word seeds, you have a chance to find a non-empty wallet every 340 282 366 920 938 463 463 374 607 431 tries (that is 3.4 * 1029).
Just having a secure password in your Ronin Wallet isn’t enough to keep your assets safe. Once someone gets their hands on your seed phrase, they can just get into your wallet and take everything. The only way to really keep your Ronin Wallet secure is to use hardware wallets like Trezor or Ledger.
It’s worth keeping in mind that “security” is just an illusion. There are only levels of security. So, it’s not a matter of “if” but “when” you’ll get hacked. The best we can do is be prepared. I’ve learned my lesson the hard way, and I hope you don’t have to go through the same thing.