Bridge Exploit
2022-03-23
173,600 ETH + 25.5M USDC (~$625M at the time)

Ronin Bridge Hack

March 2022: North Korean state-sponsored attackers drain $625M from the Axie Infinity sidechain bridge, the largest crypto theft at the time.

Ronin was an Ethereum sidechain built by Sky Mavis to support Axie Infinity, the dominant play-to-earn game of the 2021–2022 NFT cycle. The Ronin bridge connected the sidechain to Ethereum, allowing users to move ETH and other assets between Axie's game economy and the broader Ethereum ecosystem.

On March 23, 2022, North Korean state-sponsored hackers (attributed by the FBI to the Lazarus Group) obtained signatures from five of the nine validators controlling the Ronin bridge and drained approximately 173,600 ETH and 25.5 million USDC, roughly $625 million at the time. The theft went undetected for six days; Sky Mavis discovered it only after a user reported being unable to withdraw.

At the time, the Ronin hack was the largest single crypto theft on record, a position it held until the February 2025 Bybit theft (roughly $1.5 billion, also attributed to North Korea), and it remains the canonical case study for bridge architectures whose small validator sets are controlled, in practice, by a single organisation. The FBI attributed the attack to North Korea's Lazarus Group and APT38, and the US Treasury sanctioned the address that received the funds; the proceeds are believed to have funded North Korea's weapons programmes.

Timeline

  1. 2021-04
    Sky Mavis launches Ronin sidechain to support Axie Infinity's growth.
  2. 2021-11
    Axie Infinity peaks at ~2.7M daily active users; Ronin bridge holds hundreds of millions in assets.
  3. 2021-11
    To clear a transaction backlog, the Axie DAO allowlists Sky Mavis to obtain the Axie DAO validator's signature on its behalf. The arrangement is discontinued in December 2021, but the allowlist entry is never revoked.
  4. 2022-03-23
    Attackers who have compromised four Sky Mavis validator keys use Sky Mavis's gas-free RPC node and the stale allowlist to obtain the fifth signature from the Axie DAO validator. Two transactions drain 173,600 ETH and 25.5M USDC from the bridge.
  5. 2022-03-29
    Sky Mavis discovers the attack after a customer support ticket reports a failed withdrawal — six days after the theft.
  6. 2022-03-29
    Sky Mavis publicly discloses the hack and halts the bridge.
  7. 2022-04-06
    Sky Mavis raises $150M in emergency funding led by Binance to reimburse user losses.
  8. 2022-04-14
    FBI publicly attributes the attack to the Lazarus Group and APT38.
  9. 2022-04-14
    OFAC adds the Ethereum address that received the stolen funds to its Lazarus Group sanctions listing.
  10. 2022-06-28
    Ronin bridge restarts after security overhaul; validator set increased to 11 with stricter operational separation.

Mechanism

The validator set design. The Ronin bridge used a nine-validator multi-signature scheme in which five of nine signatures were required to authorise a withdrawal. Sky Mavis, the game developer, operated four of the nine validators; the other five were run by other parties, including the Axie DAO. On paper, no single organisation could reach the threshold. In practice, because Sky Mavis had been allowlisted to obtain the Axie DAO validator's signature (below), Sky Mavis's infrastructure alone could produce five signatures, so the bridge's security reduced to Sky Mavis's operational security despite the apparent multi-party governance.

The compromised keys. The attackers compromised four Sky Mavis validator keys through social engineering and intrusion into Sky Mavis's infrastructure (the specifics have been only partially disclosed; Sky Mavis has said the attacker found a way into its gas-free RPC node, and some details remain confidential because of ongoing law-enforcement work). For the fifth signature they used an access grant made in November 2021: to help process a transaction backlog at Axie Infinity's user-count peak, the Axie DAO had allowlisted Sky Mavis to sign transactions on the Axie DAO validator's behalf. That arrangement was discontinued in December 2021, but the allowlist entry was never removed. By March 2022 the Axie DAO validator was therefore still a live signer whose signature could be obtained from inside Sky Mavis's systems, and the attacker used the gas-free RPC node to obtain it.

The drain. With five validator keys controlled, the attackers signed two bridge withdrawal transactions: one for 173,600 ETH and one for 25.5 million USDC. These transactions were valid by every check the bridge could perform — they had the required 5/9 signatures. The bridge dutifully executed.
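To make the gap between the nominal 5-of-9 threshold and the effective one concrete, here is an added Python model; it is not Ronin or Sky Mavis code. It mirrors the only check the bridge performed (enough distinct validator signatures) and then computes how many organisations an attacker must compromise to reach that threshold once allowlisted delegations are counted. The validator labels, the organisation names OrgC to OrgF, and the signs_on_behalf field are constructed assumptions; only the 4-plus-1 split and the Axie DAO allowlist come from the page.

```python
from dataclasses import dataclass
from itertools import combinations

# Added example modelling the bridge's signature check and the validator set as
# described on this page. Validator labels, organisation names and the delegation
# field are constructed assumptions, not the real keys or operators.
THRESHOLD = 5


@dataclass(frozen=True)
class Validator:
    name: str
    operator: str              # organisation holding this validator's private key
    signs_on_behalf: str = ""  # organisation allowlisted to obtain this validator's signature


VALIDATORS = [
    Validator("sm-1", "SkyMavis"),
    Validator("sm-2", "SkyMavis"),
    Validator("sm-3", "SkyMavis"),
    Validator("sm-4", "SkyMavis"),
    # November 2021 allowlist that was never revoked (see the timeline above)
    Validator("axiedao", "AxieDAO", signs_on_behalf="SkyMavis"),
    Validator("v-6", "OrgC"),
    Validator("v-7", "OrgD"),
    Validator("v-8", "OrgE"),
    Validator("v-9", "OrgF"),
]


def bridge_accepts(signers, validators=VALIDATORS, threshold=THRESHOLD):
    """The only check the bridge performs: at least `threshold` distinct validator signatures."""
    known = {v.name for v in validators}
    return len(set(signers) & known) >= threshold


def keys_reachable(compromised_orgs, validators=VALIDATORS):
    """Validators an attacker can sign with after fully compromising the given organisations:
    keys they hold directly plus signatures they can obtain through an allowlist."""
    orgs = set(compromised_orgs)
    return {v.name for v in validators if v.operator in orgs or v.signs_on_behalf in orgs}


def min_orgs_to_reach_threshold(validators=VALIDATORS, threshold=THRESHOLD):
    """Smallest set of organisations whose compromise yields `threshold` signatures.
    This number, not the nominal k-of-n, is the bridge's real security margin."""
    orgs = sorted({v.operator for v in validators})
    for k in range(1, len(orgs) + 1):
        for combo in combinations(orgs, k):
            if len(keys_reachable(combo, validators)) >= threshold:
                return k, set(combo)
    return len(orgs) + 1, set()  # unreachable even with every organisation compromised


def without_delegations(validators=VALIDATORS):
    """The same validator set with every allowlist revoked, for comparison."""
    return [Validator(v.name, v.operator) for v in validators]


if __name__ == "__main__":
    attacker_keys = keys_reachable({"SkyMavis"})
    print("keys reachable from Sky Mavis alone:", sorted(attacker_keys))
    print("bridge accepts their withdrawal:", bridge_accepts(attacker_keys))
    print("orgs to compromise, as deployed:", min_orgs_to_reach_threshold())
    print("orgs to compromise, allowlist revoked:", min_orgs_to_reach_threshold(without_delegations()))
```

As deployed, the model returns one organisation (Sky Mavis); with the allowlist revoked it returns two, which is the margin the 5-of-9 design was supposed to provide. Running this kind of check against the real delegation and hosting relationships, rather than against the list of key owners, is the audit a validator set needs before it is called multi-party.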

The six-day detection delay. The most operationally damning detail is that Sky Mavis did not detect the theft for six days. The bridge did not have automatic alerting for unusually large withdrawals; the validator infrastructure did not have intrusion detection that caught the unauthorised signing activity. Discovery came only when a user filed a support ticket reporting a failed withdrawal — by which point the funds had been moved through multiple laundering hops.

The laundering pipeline. Stolen funds were laundered through Tornado Cash (the Ethereum mixer that OFAC sanctioned in August 2022), cross-chain bridges and several centralised exchanges. Chainalysis and other forensic firms traced the bulk of the movement, but only a small fraction of the funds has been frozen or recovered, through exchange cooperation and law-enforcement seizures; recovery efforts continue.

Impact

The Ronin hack reframed industry understanding of bridge risk. Bridges had been treated as utility infrastructure; after Ronin they were recognised as concentrated single points of failure holding pooled assets across many users, secured by whatever key management and monitoring the operator happened to have. The attack also brought North Korean state-sponsored crypto theft into public awareness: the FBI's attribution made it explicit that crypto holdings on poorly secured infrastructure were a target for state-level adversaries, not just opportunistic criminals. OFAC's sanctioning of Tornado Cash followed in August 2022, in part driven by Lazarus's use of the mixer to launder Ronin proceeds. Sky Mavis's $150 million emergency raise and full reimbursement of affected users set a precedent for how bridge operators might respond to exploits, but also raised the question of whether such reimbursement is reliably available to users of other bridges.

Operational lessons

  1. Bridge validator sets must be operationally diverse. A 5/9 multisig in which one organisation holds, or can obtain, five signatures is functionally a 1/1 multisig from a compromise perspective. Modern bridge security requires validator sets controlled by different organisations with different operational security postures, counted by who can actually produce a signature rather than by who nominally owns the key.
  2. Access grants must have automatic expiry. The Axie DAO allowlist was a temporary operational accommodation that became a permanent attack surface. Every emergency access grant should carry a hardcoded expiry and raise an alert when it remains active beyond its intended window.
  3. Detection cannot rely on user reports. The six-day delay between the attack and Sky Mavis's discovery represents a complete operational failure of bridge monitoring. Any system holding pooled value must have automatic alerts for unusual outflows, large transactions, and signing events that do not correspond to expected operations.
  4. State-sponsored attackers are part of the threat model. Lazarus Group has been linked to multiple major crypto thefts (Harmony Horizon bridge, Atomic Wallet, Stake.com, others). They have sophisticated infrastructure, persistent access campaigns, and a strong incentive (state revenue) to keep operating. Crypto-infrastructure operators should assume state-level adversaries are a baseline threat.
  5. 'Decentralised' bridges aren't necessarily decentralised in practice. Ronin's 9-validator scheme appeared decentralised on paper. In practice, operational control was concentrated. Bridge users should ask whether validator-set diversity is real or theatrical.
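Lessons 2 and 3 are the two that turn into code. The following Python is an added example, not Sky Mavis or Ronin code, that models both: a delegation record in which every signing grant carries a hard expiry, and a monitor that runs over withdrawal events and alerts on an outflow spike, on a signature set produced entirely by one organisation, and on a signature obtained through a grant that has expired. The validator labels, the organisations OrgC to OrgF, the timestamps and the routine withdrawal amounts are constructed; the real drain's USDC leg is omitted so that all amounts share one unit.

```python
from datetime import datetime, timedelta, timezone
from statistics import median

# Added example, not Sky Mavis code. It models two of the controls listed above:
# emergency signing grants that carry a hard expiry, and a withdrawal monitor that
# alerts on outflow spikes, single-producer signature sets and signatures obtained
# through an expired grant. Validator labels, organisations, timestamps and amounts
# are constructed; the USDC leg of the real drain is omitted to keep one unit.

ETH = 10**18
UTC = timezone.utc
GRANT_TIME = datetime(2021, 11, 15, tzinfo=UTC)   # constructed date for the allowlist
ATTACK_TIME = datetime(2022, 3, 23, 12, tzinfo=UTC)  # constructed time for the drain

VALIDATOR_OPERATOR = {
    "sm-1": "SkyMavis", "sm-2": "SkyMavis", "sm-3": "SkyMavis", "sm-4": "SkyMavis",
    "axiedao": "AxieDAO", "v-6": "OrgC", "v-7": "OrgD", "v-8": "OrgE", "v-9": "OrgF",
}


class Delegations:
    """Which organisation may obtain a validator's signature on its behalf, and until when."""

    def __init__(self):
        self._grants = {}  # validator -> (grantee organisation, expiry)

    def grant(self, validator, grantee, now, ttl):
        # There is no open-ended form: every grant expires unless explicitly renewed.
        self._grants[validator] = (grantee, now + ttl)

    def may_sign_for(self, validator, actor, when):
        g = self._grants.get(validator)
        return g is not None and g[0] == actor and when < g[1]

    def stale(self, now):
        """Grants past expiry that were never revoked; each one is an alert on its own."""
        return sorted(v for v, (_, exp) in self._grants.items() if now >= exp)


def review_withdrawals(events, delegations, window=20, spike_ratio=10):
    """Apply the monitoring rules to withdrawal events in order and return alert strings.
    Each event: {"time": datetime, "amount": wei, "signatures": {validator: producing org}},
    where the producing org is whoever's infrastructure actually emitted the signature."""
    alerts, history = [], []
    for ev in events:
        t, amt, sigs = ev["time"], ev["amount"], ev["signatures"]
        stamp = t.strftime("%Y-%m-%d %H:%M")
        if history:
            base = median(history[-window:])
            if amt > spike_ratio * base:
                alerts.append(f"{stamp} spike: {amt / ETH:,.0f} ETH vs recent median {base / ETH:,.1f} ETH")
        producers = set(sigs.values())
        if len(producers) == 1:
            alerts.append(f"{stamp} all {len(sigs)} signatures produced by one organisation: {producers.pop()}")
        for validator, actor in sigs.items():
            if actor != VALIDATOR_OPERATOR[validator] and not delegations.may_sign_for(validator, actor, t):
                alerts.append(f"{stamp} signature of {validator} produced by {actor} without an active grant")
        history.append(amt)
    return alerts


def constructed_delegations():
    """The November 2021 allowlist, here given a 30-day expiry instead of none."""
    d = Delegations()
    d.grant("axiedao", "SkyMavis", now=GRANT_TIME, ttl=timedelta(days=30))
    return d


def constructed_events():
    """A day of routine withdrawals followed by a single draining transaction (constructed data)."""
    t0 = datetime(2022, 3, 22, tzinfo=UTC)
    routine = {"sm-1": "SkyMavis", "sm-2": "SkyMavis", "v-6": "OrgC", "v-7": "OrgD", "v-8": "OrgE"}
    events = [{"time": t0 + timedelta(hours=h), "amount": (5 + h * 7 % 40) * ETH, "signatures": routine}
              for h in range(24)]
    # All five signatures produced from Sky Mavis infrastructure, the fifth via the stale allowlist.
    drain = {"sm-1": "SkyMavis", "sm-2": "SkyMavis", "sm-3": "SkyMavis", "sm-4": "SkyMavis", "axiedao": "SkyMavis"}
    events.append({"time": ATTACK_TIME, "amount": 173_600 * ETH, "signatures": drain})
    return events


if __name__ == "__main__":
    d = constructed_delegations()
    print("stale grants at attack time:", d.stale(ATTACK_TIME))
    for line in review_withdrawals(constructed_events(), d):
        print(line)
```

On the constructed data the routine day produces no alerts and the draining transaction produces three, one per rule. The spike rule compares against a rolling median rather than a fixed limit so that it tracks normal bridge volume; the single-producer rule counts the organisation that emitted each signature, because that is the quantity the attack actually collapsed to one; and the stale-grant rule fires at signing time, independently of whether anyone remembered to revoke the allowlist.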

Aftermath

Sky Mavis raised $150 million from Binance, Animoca Brands, a16z, and others to fully reimburse affected users; the bridge was restarted in June 2022 with an expanded 11-validator set and substantially overhauled monitoring. Axie Infinity's user base never recovered to its 2021 peak; the play-to-earn boom faded for other reasons (economic unsustainability of the in-game token model). The Ronin attack became the lead example in nearly every bridge-security discussion and led directly to several research initiatives on bridge-architecture alternatives (zk-bridges, optimistic bridges, intent-based cross-chain transfer). North Korea's Lazarus Group continued to be linked to crypto thefts through 2023 and 2024, including the Stake.com and CoinEx exploits, suggesting the operational pattern is sustained at state-level scale.
