spot_img
29.2 C
Philippines
Saturday, November 23, 2024

BSP warns of risk of tokens in e-games

The Bangko Sentral ng Pilipinas (BSP) warned the public again on the risks of non-fungible tokens (NFTs) following the theft of $615 million worth of digital tokens from a digital ledger used by players of the popular online game Axie Infinity.

About 35 percent of traffic in Axie Infinity comes from the Philippines, accounting for the biggest share of its 2.5 million daily active users.

- Advertisement -

Bridget Rose Mesina-Romero, BSP Payment System Oversight Department Deputy Director, called on the public to exercise caution over play-to-earn games, noting the risks that come with them.

“We have been reminding the public that they should be aware of how these games work, the risks attendant to them, and they should for example know how they can have recourse or remedies,” she said in a virtual briefing on Thursday.

“They should only place funds that they are willing to lose because of the risks,” Mesina-Romero added.

Investigators are on the trail of the hackers, watching the money as it moves around a system that critics call the Wild West of finance.

But they are playing catch-up: the gaming company that got scammed apparently did not even notice for six days.

The hack is one of the biggest to hit the crypto world, raising huge questions about security in an industry that only recently burst into the mainstream thanks to celebrity promotions and promises of untold wealth.

Axie Infinity maker Sky Mavis said they were made aware of the security breach on Tuesday, after Ronin said hackers gained access to private keys to withdraw digital funds.

The firm said it would recover or reimburse the funds, easing the anxiety of gamers — particularly in the Philippines where hundreds of thousands play Axie Infinity.

“Some of the Philippine community right now are going crazy because of what happened,” Dominic Lumabi, a gamer from Manila, told AFP.

Some feared the game would close and money would be lost, he said, adding that he was relieved Sky Mavis was being transparent.

But the firm faces a tough challenge to get the money back.

This comes after the Ronin Network— used by Axie Infinity as its digital ledger—said hackers amassed 173,600 Ether and $25.5-million worth of the USD Coins, equivalent to $615 million as of Tuesday but worth $540 million at the time of the attack.

The BSP earlier said it is monitoring transactions involving AxieInfinity’s small love potions (SLPs), which users can either cash out or use to breed new Axies or digital pets.

The central bank earlier noted that SLPs are excluded from its scope under the guidelines for Virtual Asset Service Providers, as its regulatory focus is on the exchange of fiat money for virtual assets.

Sky Mavis is not registered as an operator of payment systems (OPS), and the BSP said it is in coordination with other regulators to determine whether the firm should fall under such a category.

“Since this is a digital field, it creates a borderless area where fraudsters can really enter and perform illicit activities, so the public should practice cyber hygiene in order to protect your personal data and identity,” Romero said.

In the same briefing, BSP Governor Benjamin Diokno reiterated the volatility that comes with digital tokens.

“We wish to emphasize that there are risks associated with NFTs such as price volatility which may result in significant financial losses, and also other types of risks relating to cyber fraud and scams,” he said.

“As such, we would like to remind the public to transact only with BSP-registered entities,” he added.

The sector has been beset by scams and hacks.

This week’s theft from Axie Infinity, a game where players can earn crypto through game play or trading their avatars, came just weeks after thieves made off with around $320 million in a similar attack.

“We are seeing more hacks because there is more money in blockchain,” said Roman Bieda of Coinfirm, a crypto security company, referring to the technology that underpins cryptocurrencies.

The industry should have learned the lessons from previous attacks, but security was still being sacrificed for profit, he added, labelling Axie’s failure to notice the hack a “huge deficiency”.

The Axie Infinity attackers exploited weaknesses in the set-up put in place by the Vietnam-based firm behind the game, Sky Mavis.

The company had to solve a problem: the ethereum blockchain, where transactions in the ether cryptocurrency are logged, is relatively slow and expensive to use.

To allow Axie Infinity players to buy and sell at speed, the firm created an in-game currency and a sidechain with a bridge to the main ethereum blockchain.

The result was faster and cheaper — but ultimately less secure.

Hackers were able to take over the sidechain and empty its coffers apparently without anyone realizing, something experts say would be all but impossible on the ethereum blockchain.

Security firms are monitoring the stolen money as it moves through various wallets, as accounts are called in the crypto-world.

Blockchain data platform Chainalysis is helping Sky Mavis track the money, and Elliptic said it was investigating and alerting its clients.

Bieda from Coinfirm said that sooner or later the perpetrators would be traced.

“The bigger the amount, the harder it is to hide,” he told AFP.

But even though investigators can see where the money is, there are tricks the thieves can use.

They can employ software that mixes the stolen money with legitimate streams, use exchanges with lax rules, or move their funds to a jurisdiction with no rules at all such as North Korea or Russia.

Any of those moves makes it much easier to transfer the cryptocurrency into everyday, spendable cash.

It is a “constant battle” between the thieves and those trying to stop them, said Bieda.

“Adoption (of cryptocurrency) is growing, more protocols and more solutions are created, but the pursuit of cheap transactions and profit means the industry sometimes… forgets about security.”

LATEST NEWS

Popular Articles