

Anatomy of a Cyber-crypto Heist: $22 Million in Crypto Lifted from Blockchain-based Gala Games

We continue to track notable convergences in the Global Gaming Ecosystem – like our recent analysis of North Korea’s ‘Moonstone Sleet’ hacking group using a fake tank game for ransomware attacks. In this post you will find the details of a May 2024 gaming platform-based cybercrime incident: the theft of $22 million in crypto from the blockchain-based platform Gala Games.

A Generational Shift: The Global Gaming Ecosystem as Attack Surface and Point of Entry

In the April 2023 OODA Network Member Meeting discussion – The DoD Discord Leak and the Future of Security Measures – there was the realization that “we have this generational shift that is going on right now with the younger generations that are fully digital and born-digital – Gen Y, and Gen Z” ... and beyond. Discord’s server-based community and communications were central to the 2023 Airman Jack Teixeira case. Still, by all accounts, Discord-based comms usually run parallel to multi-player gaming activity amongst this age cohort. Fortnite, Minecraft, and Roblox? All are current building blocks of the future metaverse. The Global Gaming Ecosystem is all at once an attack surface and point of entry. Game worlds are already a clear gathering place – but do law enforcement and the IC have adequate entry into these communities for attribution efforts in response to incidents based on these platforms and in these younger communities?

Anatomy of the Gala Games Cyber Heist

“The combination of gaming and cryptocurrency introduces a new layer of risk…thus necessitating stronger preventive measures and greater scrutiny by regulatory agencies.”

$22 million in crypto swiped from Gala Games blockchain platform

As reported by Jonathan Greig at The Record:

More than $22 million worth of cryptocurrency was stolen from Gala Games this week after someone compromised the blockchain platform. The company confirmed that it dealt with a security incident on Monday night, writing on social media that it was an ‘isolated incident, the cause of which has been addressed.’

Why it matters:

  1. Weaknesses in blockchain platforms: This incident underlines potential vulnerabilities existing within blockchain gaming platforms. Despite the Gala Games breach being identified as an ‘isolated incident’, it exhibits how hackers can exploit such platforms and wreak havoc by stealing massive amounts of cryptocurrency. Similar platforms have also been on the receiving end of such attacks in the past, hinting at a broader issue in blockchain security.
  2. Quick response but unresolved issues: The Gala Games team was able to promptly identify the breach and disable the unauthorized access within 45 minutes, but not before the hacker had traded in a significant amount of GALA coins for Ethereum. The fact that these platforms can be attacked and compromised, despite rapid-response mitigation tactics, raises questions about their inherent security measures and their efficacy.
  3. Emerging threat in the gaming-cryptocurrency crossover: Gala Games, like many of its peers, operates a play-to-earn model that rewards users with proprietary digital currency. The combination of gaming and cryptocurrency introduces a new layer of risk, as seen by similar breaches in platforms like WonderHero and Axie Infinity, thus necessitating stronger preventive measures and greater scrutiny by regulatory agencies.

Gala Games was created in 2019, touting itself as the first blockchain gaming platform.

Schiermeyer is best known for co-founding Zynga, a large gaming company behind popular online games like FarmVille. Similar platforms have been a frequent target for hackers. About $320,000 worth of Binance Coin (BNB) was stolen from cryptocurrency play-to-earn game WonderHero. One of the biggest cryptocurrency hacks on record — involving the popular blockchain game Axie Infinity — saw more than $600 million siphoned from the platform in 2022. The U.S. Treasury Department attributed the Axie Infinity [Ronin DeFi network] incident to North Korean government operators, who have stolen billions from cryptocurrency firms over the last three years.

2022:  North Korean APT Targeting Blockchain – The Ronin DeFi Network Hack and Blockchain Analysis Techniques for Attribution

A specific attribution has emerged around the giant $618 million March 2022 hack of the Ronin Network, in which “hackers [stole] more than $600 million worth of Ethereum (173,600 ETH) and $25.5 million of US dollar-pegged stablecoin USDC, making it one of the largest decentralized finance (DeFi) hacks to date. The company, which is tied to the popular blockchain game Axie Infinity, said in a Substack post that they suffered a security breach on March 23. Sky Mavis, a blockchain gaming company, built and controls the Axie Infinity game.” (1) In April 2022, the U.S. Treasury attributed the Ronin Network heist to the Lazarus Group.

In 2022: $1B in Crypto Blockchain Bridge Heists, Growing National Security Concerns and the Secure Blockchain Initiative

Blockchain Bridge Hacks: The Ronin Network ($618M), WonderHero ($320K), and Wormhole ($324M)

“…WonderHero is an NFT-based crypto Pokemon-like gaming platform…”

Two cryptocurrency “play to earn” sites based on the blockchain were recently hacked:

  • The Mammoth $618 million Hack of the Ronin Network: “The Ronin Network announced on Tuesday that hackers have stolen more than $600 million worth of Ethereum (173,600 ETH) and $25.5 million of US dollar-pegged stablecoin USDC, making it one of the largest decentralized finance (DeFi) hacks to date. The company, which is tied to the popular blockchain game Axie Infinity, said in a Substack post that they suffered a security breach on March 23. Sky Mavis, a blockchain gaming company, built and controls the Axie Infinity game;” (2) and
  • The Hack over at WonderHero: “One of many popular games where players earn revenue in cryptocurrencies and NFTs through gameplay [aka “an NFT-based crypto Pokemon-like gaming platform”], WonderHero currently has about 11,000 active users. The service was disabled after hackers stole approximately $320,000 worth of Binance Coin (BNB). In a statement, the company explained that the attack was on their cross-chain bridging withdrawal: A cross-chain bridge – also known as a blockchain bridge – allows people to transfer tokens, assets, smart contract instructions, and data between blockchains. They have become a ripe target for hackers in recent months and exploits in bridges have led to millions of dollars in losses. The attack caused the price of WonderHero’s own coin, WND, to plummet more than 90%.” (3)

The $324 million Wormhole blockchain hack (back in February) is also worth exploring. The core design principle behind the blockchain is distributed trust – based on a distributed ledger, inclusive of encrypted anonymity – and the market has to date assumed that strong cybersecurity and protection against hacking were implicitly built into the design of the blockchain architecture. That assumption is what makes the Wormhole, Ronin Network and WonderHero blockchain hacks, in particular, really troubling. Brandon Vigliarolo over at TechRepublic does a great job of breaking down the Wormhole blockchain hack:

“Those following the tech world have probably heard about the recent hack of blockchain bridging service Wormhole that has amounted to the fourth-largest crypto theft, and second-largest De-Fi theft, ever. The attacker who found the exploit created 120,000 Ethereum out of nothing and made off with about $324 million of it. For background, Wormhole is a service that lets users exchange cryptocurrencies across blockchains, sort of like swapping one fiat currency for another. In this particular case, the attacker exploited Wormhole in such a way that they were able to trick it into minting 120,000 wrapped ethereum (wETH, a 1:1 value equivalent token that represents ethereum) on the Solana blockchain, most of which the attacker then moved to the ethereum blockchain. Unfortunately for Wormhole, all of that exploit-created wETH had to steal value from somewhere, and it came from Wormhole’s store of Ethereum that lets it back all the wETH on its network.” (1)
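The lock-and-mint mechanism described in the Wormhole and WonderHero passages above implies one invariant a defender can monitor: wrapped-token supply on the destination chain must never exceed collateral locked on the source chain. The toy model below is an added illustration, not Wormhole's, Gala's or any bridge's real code; the guardian attestation is modelled as an HMAC under a single hypothetical key, and the `verify=False` path stands in for a bridge whose attestation check is bypassed, so the reconciliation step can show the unbacked supply that results.

```python
"""Toy lock-and-mint bridge with a collateral-reconciliation check (added example)."""
import hashlib
import hmac
from dataclasses import dataclass, field

GUARDIAN_KEY = b"hypothetical-guardian-key"  # constructed for the example, not a real key


def attest(deposit_id: str, amount: int) -> str:
    """Guardian-side: sign an observed lock event on the source chain."""
    msg = f"{deposit_id}:{amount}".encode()
    return hmac.new(GUARDIAN_KEY, msg, hashlib.sha256).hexdigest()


@dataclass
class Bridge:
    locked: int = 0          # collateral (ETH) held on the source chain
    wrapped_supply: int = 0  # wETH minted on the destination chain
    seen: set = field(default_factory=set)  # deposit ids already redeemed (replay protection)

    def lock(self, deposit_id: str, amount: int) -> str:
        """User locks collateral; guardians return an attestation for the deposit."""
        self.locked += amount
        return attest(deposit_id, amount)

    def mint(self, deposit_id: str, amount: int, tag: str, verify: bool = True) -> bool:
        """Mint wETH against an attestation. verify=False models a bridge whose
        attestation check is bypassed, the failure mode a monitor must catch."""
        if deposit_id in self.seen:
            return False
        if verify and not hmac.compare_digest(tag, attest(deposit_id, amount)):
            return False
        self.seen.add(deposit_id)
        self.wrapped_supply += amount
        return True

    def unbacked(self) -> int:
        """Reconciliation: wrapped tokens not covered by locked collateral (should be 0)."""
        return max(0, self.wrapped_supply - self.locked)


def demo() -> tuple:
    """Returns (unbacked wETH with verification on, unbacked wETH with it bypassed)."""
    forged = "0" * 64  # constructed bogus attestation for a deposit that never happened
    good = Bridge()
    good.mint("dep-1", 10, good.lock("dep-1", 10))
    good.mint("dep-x", 120_000, forged)               # rejected: no valid attestation
    broken = Bridge()
    broken.mint("dep-1", 10, broken.lock("dep-1", 10))
    broken.mint("dep-x", 120_000, forged, verify=False)  # slips through the bypassed check
    return good.unbacked(), broken.unbacked()
```

Running `demo()` shows the monitor reporting 0 unbacked wETH when attestations are verified and 120,000 when the check is bypassed, which is the discrepancy an on-chain supply-versus-collateral alert would have surfaced.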

What Next?

The Future of Blockchain Security, National Security, Cybersecurity, and Health Security

The OODA Loop Blockchain Series includes case studies of blockchain security initiatives and cybersecurity incidents.  We tracked down the best-in-class research efforts and subject matter experts to explore how they are “framing and naming” the formative issues around blockchain security, including the national security, cybersecurity, and health security promise and peril.

In April 2022, the crypto market was described euphemistically as “experiencing significant downside pressure” or “had a very bleak May” – while most proclaimed a full-on crash. The WSJ declared in mid-May 2022 that $1 trillion of crypto vanished in just six months – while still others argue that the digital assets were overpriced and ripe for such a correction. Trust is central to monetary systems, especially in ecosystems designed for the capture, storage, and transaction of value. Trust continues to be shattered in the world of crypto, DeFi and for blockchain business models across a variety of industry verticals – as security vulnerabilities and hacks continue to plague the technology.

Additional OODA Loop Resources


Cyber Risks

Corporate Board Accountability for Cyber Risks: With a combination of market forces, regulatory changes, and strategic shifts, corporate boards and their directors are now accountable for cyber risks in their firms. See: Corporate Directors and Risk

Geopolitical-Cyber Risk Nexus: The interconnectivity brought by the Internet has made regional issues affect global cyberspace. Now, every significant event has cyber implications, making it imperative for leaders to recognize and act upon the symbiosis between geopolitical and cyber risks. See: The Cyber Threat

Ransomware’s Rapid Evolution: Ransomware technology and its associated criminal business models have seen significant advancements. This has culminated in a heightened threat level, resembling a pandemic in its reach and impact. Yet, there are strategies available for threat mitigation. See: Ransomware, and update.

Challenges in Cyber “Net Assessment”: While leaders have long tried to gauge both cyber risk and security, actionable metrics remain elusive. Current metrics mainly determine if a system can be compromised without guaranteeing its invulnerability. It’s imperative not just to develop action plans against risks but to contextualize the state of cybersecurity concerning cyber threats. Despite its importance, achieving a reliable net assessment is increasingly challenging due to the pervasive nature of modern technology. See: Cyber Threat

Recommendations for Action

Decision Intelligence for Optimal Choices: The simultaneous occurrence of numerous disruptions complicates situational awareness and can inhibit effective decision-making. Every enterprise should evaluate its methods of data collection, assessment, and decision-making processes for more insights: Decision Intelligence.

Proactive Mitigation of Cyber Threats: The relentless nature of cyber adversaries, whether they are criminals or nation-states, necessitates proactive measures. It’s crucial to remember that cybersecurity isn’t solely the responsibility of the IT department or the CISO – it’s a collective effort that involves the entire leadership. Relying solely on governmental actions isn’t advised given its inconsistent approach towards aiding industries in risk reduction. See: Cyber Defenses

The Necessity of Continuous Vigilance in Cybersecurity: The consistent warnings from the FBI and CISA concerning cybersecurity signal potential large-scale threats. Cybersecurity demands 24/7 attention, even on holidays. Ensuring team endurance and preventing burnout by allocating rest periods are imperative. See: Continuous Vigilance

Embracing Corporate Intelligence and Scenario Planning in an Uncertain Age: Apart from traditional competitive challenges, businesses also confront external threats, many of which are unpredictable. This environment amplifies the significance of Scenario Planning. It enables leaders to envision varied futures, thereby identifying potential risks and opportunities. All organizations, regardless of their size, should allocate time to refine their understanding of the current risk landscape and adapt their strategies. See: Scenario Planning

Track Technology-Driven Disruption: Businesses should examine technological drivers and future customer demands. A multidisciplinary knowledge of tech domains is essential for effective foresight. See: Disruptive and Exponential Technologies

Daniel Pereira

About the Author


Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.