What the $600M cryptocurrency heist means for future of blockchain security

Photo by Matthew Modoono/Northeastern University

Last month, a cryptocurrency blockchain platform built for a popular “play-to-earn” online video game was hacked. The hackers stole more than $600 million in digital currency from the blockchain, called Ronin (it’s technically a “sidechain,” meaning a blockchain that acts as a bridge to other blockchains), in what has been described as the second-largest cryptocurrency heist to date.

As more industries make use of so-called blockchains, which are really just digital ledgers for storing data, the high-profile theft has raised new concerns about just how effective existing blockchain safeguards and protocols are at protecting the digital wallets of millions of traders.

Right now, it’s the wild west,” Alan Mislove, professor of computer science at Northeastern, says of the blockchain-based crypto trade.

Alan Mislove, professor of computer science at Northeastern. Photo by Matthew Modoono/Northeastern University

Not all blockchains are used for the purpose of trading cryptocurrencies. But because they effectively decentralize trading—or remove the intermediary—blockchain technology has been pitched as a way to move beyond traditional banking toward a more democratized system founded on the principles of inclusion, transparency, and security. Whereas traditional ledgers in banks require special permission or access to be audited, blockchains can be permissionless and wholly transparent (or public). Transactions are verified by participants in the blockchain, instead of a central authority, who are in turn rewarded in the currency.

How secure is this process? It depends. Blockchain companies often rely on a public-private key pair encryption, Mislove says. Blockchain users have a public key and private key that they use to perform certain tasks. Only the owner knows what the private key is, but everyone else knows the public key. 

“The challenge becomes keeping those private keys private,” Mislove says. “As they are obtained by an attacker, there’s nothing stopping a hacker from stealing those funds.” 

Some blockchain users store their private key on a physical device to keep it safe. Others use cryptocurrency exchanges, such as Coinbase, that secure the private keys on users’ behalf.

But Coinbase, the industry’s largest exchange, has seen an uptick in hacking of accounts. Once criminals gain access, they can drain a users’ account of its cryptocurrency in a matter of minutes, according to CNBC.

Ravi Sarathy, professor of international business and strategy at Northeastern. Photo by Alyssa Stone/Northeastern University

“Typically how it happens is somebody would break into a crypto exchange,” Mislove says. “But another common way is that the hacker would attempt to phish users to trick them into giving them their private keys.”

In the case of the Ronin blockchain theft, hackers were able to get access to so-called “validator nodes,” which are computers tasked with authorizing blockchain transactions. By hacking these computers, the attacker was able to approve fake withdrawals from accounts valued at more than $600 million. 

Mislove says he doesn’t know the details of the Ronin hack, but speculates it could have happened by means of traditional hacking. 

Oftentimes the way they break into those servers is through phishing, malware, etc.,” he says. “In other words, social engineering.”

But other cryptocurrencies, such as Bitcoin (also the industry’s first), are proving to be unhackable, says Ravi Sarathy, professor of international business and strategy at Northeastern.

“Bitcoin, one of the very first blockchains to enter public usage, has never been hacked,” Sarathy says. 

Sarathy says he thinks the Ronin hack, while an unfortunate event, can help companies fortify their servers and rethink how transactions get approved. 

“I think it just means that people are going to have to be more careful about how they set up validation, particularly on permission blockchains,” Sarathy says. 

Sarathy says he’s a “blockchain optimist.”

“I think blockchains’ value is broader than cryptocurrency when you think about things like decentralized voting and financial inclusion, for example,” Sarathy says. “The applications are virtually endless.”

For media inquiries, please contact media@northeastern.edu.