Thursday, May 21

There is a certain type of legal narrative that doesn’t quite fall into any of the categories that the legal sector typically employs to characterize its work. One such instance is the Ronin Network case. It began with a cryptocurrency exploit so massive that it momentarily claimed the record of the largest theft in the history of cryptocurrencies. A state-sponsored hacking unit from North Korea was involved. It resulted in a reimbursement plan valued at hundreds of millions of dollars. Additionally, it concluded without a trial, a settlement, or any of the formalities that typically indicate the end of a significant financial dispute. In the traditional legal sense, the Ronin case is not settled. Stranger still, it was a major financial event on a global scale that was resolved out of court because, practically speaking, there was no one to sue.

The technical facts of the exploit, which occurred in March 2022, are worth reviewing because they explain why the legal fallout was so peculiar. Axie Infinity, a blockchain game created in Vietnam that momentarily rose to prominence as one of the most prosperous play-to-earn ecosystems in the brief history of cryptocurrency, was powered by the Ronin Network, a sidechain. Nine validator nodes protected the network’s link to the larger Ethereum ecosystem; withdrawals needed five signatures. The business that created Axie Infinity, Sky Mavis, ran four of those validators. The Axie DAO ran one.

The attackers, who were later identified by the U.S. Treasury as the North Korean Lazarus Group, used a sophisticated social engineering campaign to take control of all five necessary validators. They allegedly sent a phony job offer to a Sky Mavis engineer, and then forged withdrawals that drained about 173,600 ETH and $25.5 million USDC. Based on then-current pricing, the total loss came to about $625 million.

Anyone whose intuition about financial crime resolution originates from the traditional banking industry would not have been familiar with the aftermath’s trajectory. There was no pool of insurance available. There was no central body that could be held responsible. As a state-sponsored unit of the North Korean government, the attackers were practically immune to both civil and criminal proceedings. The game’s developer, Sky Mavis, had no contractual responsibility to compensate impacted consumers, but it had legal and reputational reasons to do so.

A mix of business necessity and reputational analysis led to the decision to reimburse the community. Sky Mavis and Binance, the biggest cryptocurrency exchange globally, collaborated to provide $150 million. Sky Mavis contributed a substantial amount of its own company funds. All of the money was used to fully compensate the gamers whose property had been pilfered.

Speaking with those who keep track of crypto security problems, it seems that the Ronin case established a sort of unofficial standard for how the industry would deal with state-sponsored attacks in the future. Since then, the model—developer-led reimbursement backed by exchange-level cash infusion, with law enforcement pursuing asset recovery in the background—has been repeated in a number of smaller occurrences. It yields some results that the conventional legal system would not have. Instead of years, impacted users are restored in a matter of months.

Compared with what would have happened had the losses gone unaddressed, the developer’s reputation has been partially restored. The sector continues to operate without the kind of legal void that an unresolved $625 million heist would have left behind. At the same time, the model forgoes some results that the conventional judicial system would have obtained more consistently. In many instances, accountability for the underlying security flaws that permitted the intrusion is never fully determined. There is never any discovery. The security choices and internal communications that led to the vulnerability are never made public.

It’s probable that the Ronin example led to improvements in security both within Sky Mavis and throughout the larger crypto bridge ecosystem. In order to increase the number of necessary signatures and decrease the concentration of control under any one entity, the company reorganized its validator architecture. As they observed the Ronin event, other crypto bridges carried out their own security evaluations. Some imposed stricter multi-signature specifications. Others added time delays for large withdrawals. The industry as a whole learned the exploit’s technological lessons in a way that a more private resolution procedure might never have allowed.
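To make the architectural point concrete, the following added example (not code from Sky Mavis or the Ronin Network) models a bridge withdrawal policy over the validator set the article describes: nine validators, four run by Sky Mavis and one by the Axie DAO, with a 5-of-9 threshold. It then applies the three mitigations named above (a higher threshold, a cap on signatures from any single operating entity, and a time-lock on large withdrawals) to the same compromised signer set. The operator labels for the other four validators and the hardened policy numbers are assumptions, not Sky Mavis’s actual post-incident configuration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class BridgePolicy:
    threshold: int           # distinct validator signatures needed to release funds
    max_per_operator: int    # signatures counted from any one operating entity
    large_amount_eth: float  # withdrawals at or above this are time-locked
    delay_hours: int         # length of the time-lock on large withdrawals

# Validator set as the article describes it: 9 validators, Sky Mavis ran 4, Axie DAO ran 1.
# Operator names for v6..v9 are constructed placeholders.
VALIDATORS = {
    "v1": "sky_mavis", "v2": "sky_mavis", "v3": "sky_mavis", "v4": "sky_mavis",
    "v5": "axie_dao",
    "v6": "operator_a", "v7": "operator_b", "v8": "operator_c", "v9": "operator_d",
}

# March 2022 configuration: 5-of-9, no per-operator cap, no time-lock.
PRE_EXPLOIT = BridgePolicy(threshold=5, max_per_operator=9,
                           large_amount_eth=float("inf"), delay_hours=0)
# Hardened policy; these numbers are assumptions chosen to illustrate the mitigations.
HARDENED = BridgePolicy(threshold=7, max_per_operator=2,
                        large_amount_eth=1_000, delay_hours=24)

def evaluate_withdrawal(policy, validators, signer_ids, amount_eth):
    """Return ('approved' | 'delayed' | 'rejected', detail) for one withdrawal request."""
    # Only known validators count, and each validator counts at most once.
    valid = {v for v in signer_ids if v in validators}
    # Cap the signatures any single operating entity may contribute, so that
    # control of one company's nodes cannot carry the vote almost on its own.
    per_operator = Counter(validators[v] for v in valid)
    counted = sum(min(n, policy.max_per_operator) for n in per_operator.values())
    if counted < policy.threshold:
        return "rejected", f"{counted} counted signatures < threshold {policy.threshold}"
    if amount_eth >= policy.large_amount_eth:
        return "delayed", f"time-locked {policy.delay_hours}h for {amount_eth:,.0f} ETH"
    return "approved", f"{counted} signatures met threshold {policy.threshold}"

# The signer set the article describes as compromised: Sky Mavis's four plus the Axie DAO's one.
COMPROMISED = ["v1", "v2", "v3", "v4", "v5"]

if __name__ == "__main__":
    for name, policy in (("pre-exploit", PRE_EXPLOIT), ("hardened", HARDENED)):
        print(name, evaluate_withdrawal(policy, VALIDATORS, COMPROMISED, 173_600))
```

Under the pre-exploit policy the five compromised signatures release 173,600 ETH immediately; under the hardened policy the same set counts as only three signatures and is rejected, and even a legitimate seven-validator approval of a large amount is held for the time-lock, giving operators a window to detect and halt it.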

It’s also likely that the lessons learned were more limited than the occurrence called for. The industry hasn’t properly addressed the underlying risk, which is that crypto bridges that store customer funds worth hundreds of millions of dollars frequently use security architectures that wouldn’t be appropriate at a local community bank.

Since Ronin, bridge exploits have remained one of the most reliable ways to steal cryptocurrency. Every new instance has a similar pattern. A bridge turns into a single point of collapse. The vulnerability is discovered by a skilled attacker, frequently supported by the state. Mixers and tumblers absorb hundreds of millions of dollars. In response, the developer offers a security improvement along with payment. The cycle keeps going.
