Verify a decision

{"actor":"system:backfill","investigation_id":"f9972424-1a26-4b10-a745-6db7ce736307","kind":"publish","page_slug":"ronin-bridge","published_at":"2026-05-20T22:36:25.165Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Ronin Bridge","sections":[{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"","type":"other","url":"https://www.coindesk.com/tech/2022/03/29/axie-infinitys-ronin-network-suffers-625m-exploit"},{"credibility":3,"name":"","type":"other","url":"https://thedefiant.io/news/blockchains/ronin-returns-to-ethereum-while-tvl-remains-95-below-2022-bridge-hack-level"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"","type":"other","url":"https://www.halborn.com/blog/post/explained-the-ronin-hack-march-2022"},{"credibility":3,"name":"","type":"other","url":"https://www.theblock.co/post/156038/how-a-fake-job-offer-took-down-the-worlds-most-popular-crypto-game"},{"credibility":3,"name":"","type":"other","url":"https://thehackernews.com/2022/07/hackers-used-fake-job-offer-to-hack-and.html"},{"credibility":3,"name":"","type":"other","url":"https://www.coindesk.com/policy/2022/04/14/us-officials-tie-north-korean-hacker-group-to-axies-ronin-exploit"},{"credibility":3,"name":"","type":"other","url":"https://cyberscoop.com/ronin-bridge-hack-lazarus-group-north-korea-treasury-sanctions/"},{"credibility":3,"name":"","type":"other","url":"https://techcrunch.com/2022/04/15/us-officials-link-north-korean-lazarus-hackers-to-625m-axie-infinity-crypto-theft/"},{"credibility":3,"name":"","type":"other","url":"https://www.coindesk.com/business/2022/04/08/axie-infinity-builder-takes-full-responsibility-for-625m-ronin-hack-exec-says"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"","type":"other","url":"https://www.chainalysis.com/blog/axie-infinity-ronin-bridge-dprk-hack-seizure/"},{"credibility":3,"name":"","type":"other","url":"https://www.elliptic.co/blog/540-million-stolen-from-the-ronin-defi-bridge"},{"credibility":3,"name":"","type":"other","url":"https://home.treasury.gov/news/press-releases/jy0916"},{"credibility":3,"name":"","type":"other","url":"https://cointelegraph.com/news/law-enforcement-recovers-30-million-from-ronin-bridge-hack-with-the-help-of-chainalysis"},{"credibility":3,"name":"","type":"other","url":"https://www.theblock.co/post/168663/chainalysis-and-us-law-enforcement-recover-30-million-from-north-korea-linked-ronin-exploit"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"","type":"other","url":"https://techcrunch.com/2022/04/06/axie-infinity-creator-raises-150m-round-to-compensate-victims-of-625m-ronin-hack/"},{"credibility":3,"name":"","type":"other","url":"https://www.coindesk.com/business/2022/04/06/sky-mavis-raises-150m-round-led-by-binance-to-reimburse-ronin-attack-victims"},{"credibility":3,"name":"","type":"other","url":"https://www.halborn.com/blog/post/explained-the-ronin-network-hack-august-2024"},{"credibility":3,"name":"","type":"other","url":"https://therecord.media/hackers-return-12-million-taken-from-ronin-network"},{"credibility":3,"name":"","type":"other","url":"https://blog.roninchain.com/p/the-ronin-bridge-chainlink-ccip-migration"},{"credibility":3,"name":"","type":"other","url":"https://dappradar.com/blog/ronin-increases-security-measures-and-adds-more-validators"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"","type":"other","url":"https://cyberscoop.com/ronin-bridge-hack-lazarus-group-north-korea-treasury-sanctions/"},{"credibility":3,"name":"","type":"other","url":"https://home.treasury.gov/news/press-releases/jy0916"},{"credibility":3,"name":"","type":"other","url":"https://techcrunch.com/2022/04/15/us-officials-link-north-korean-lazarus-hackers-to-625m-axie-infinity-crypto-theft/"},{"credibility":3,"name":"","type":"other","url":"https://www.chainalysis.com/blog/tornado-cash-ofac-designation-sanctions/"}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"","type":"other","url":"https://thedefiant.io/news/blockchains/ronin-returns-to-ethereum-while-tvl-remains-95-below-2022-bridge-hack-level"},{"credibility":3,"name":"","type":"other","url":"https://www.halborn.com/blog/post/explained-the-ronin-network-hack-august-2024"},{"credibility":3,"name":"","type":"other","url":"https://www.chainalysis.com/blog/axie-infinity-ronin-bridge-dprk-hack-seizure/"},{"credibility":3,"name":"","type":"other","url":"https://cointelegraph.com/news/the-aftermath-of-axie-infinity-s-650m-ronin-bridge-hack"}]}],"sources_used":[],"summary":"Ronin Bridge is the cross-chain bridge that connected the Axie Infinity gaming ecosystem's Ronin sidechain to Ethereum, operated by Sky Mavis. In March 2022 it suffered the largest DeFi hack in history at the time — $625 million in ETH and USDC stolen by North Korea's Lazarus Group via compromised validator private keys obtained through social engineering. A second, smaller exploit occurred in August 2024. The legacy bridge was deprecated in April 2025 and migrated to Chainlink CCIP infrastructure.","timeline":[{"date":"2021-11-01","event":"Axie DAO temporarily delegates validator signing authority to Sky Mavis to handle high transaction volume.","source":""},{"date":"2021-12-01","event":"Axie DAO delegation program expires, but Sky Mavis's signing permissions over the Axie DAO validator are never revoked.","source":""},{"date":"2022-03-23","event":"Attackers use compromised private keys for four Sky Mavis validators plus residual Axie DAO signing access to steal 173,600 ETH and 25.5M USDC ($625M) from the Ronin Bridge. The attack goes undetected.","source":""},{"date":"2022-03-29","event":"Ronin Network publicly discloses the exploit after a user reports an inability to withdraw 5,000 ETH. Bridge operations are halted.","source":""},{"date":"2022-04-06","event":"Sky Mavis announces a $150M fundraising round led by Binance, with a16z, Animoca Brands, Paradigm, and Accel participating, to reimburse hack victims.","source":""},{"date":"2022-04-14","event":"The FBI and U.S. Treasury OFAC officially attribute the attack to North Korea's Lazarus Group and APT38. OFAC sanctions the attacker's Ethereum wallet address (0x098B716B8Aaf21512996dC57EB0615e2383E2f96).","source":""},{"date":"2022-06-28","event":"Ronin Bridge relaunches after security audits by Verichains and CertiK. All affected users are fully reimbursed. Validator set expanded to 11 nodes with plans for 21+.","source":""},{"date":"2022-07-06","event":"Reports reveal the initial attack vector: a fraudulent LinkedIn job offer led a senior Sky Mavis engineer to download a malicious PDF containing spyware.","source":""},{"date":"2022-08-08","event":"OFAC sanctions Tornado Cash, citing over $455M in Ronin Bridge proceeds laundered through the mixer as a primary justification.","source":""},{"date":"2022-09-08","event":"Chainalysis and U.S. law enforcement announce seizure of more than $30M in stolen Ronin funds — the first-ever seizure of DPRK-stolen cryptocurrency. Total recovered reaches approximately $35.8M.","source":""},{"date":"2024-08-06","event":"A second Ronin Bridge exploit occurs: a contract initialization error during a V2 upgrade sets minimumVoteWeight to zero. MEV bots acting as white hats capture approximately $12M (4,000 ETH and USDC). Bridge is halted.","source":""},{"date":"2024-08-14","event":"White hat MEV operators return the $12M in full. Sky Mavis awards a $500,000 bug bounty. Beosin and Verichains complete security audits; bridge reopens.","source":""},{"date":"2024-12-01","event":"Chainlink CCIP goes live on Ronin Network, beginning the migration away from the legacy bridge infrastructure.","source":""},{"date":"2025-04-01","event":"Legacy Ronin Bridge formally deprecated. Full migration of $450M+ in assets across 12 token types to Chainlink CCIP is complete.","source":""}]},"v":1}