Crypto Hit by $63 Million Hack of ‘Munchables’ Game in One of Year’s Biggest Exploits

April 3, 2024 by

The crypto sector suffered one of its biggest security incidents this year after a hacker swiped $63 million from a blockchain-based game.

The game, Munchables, confirmed the incident in a post on X on Wednesday and said it would try to halt the transactions. Blockchain specialists PeckShield indicated the hacker stole 17,400 in Ether tokens — worth about $63 million at current prices. Public data on crypto transactions backed the estimate.

The exploiter appears to have had a change of heart, however, and returned the funds in full later the same day, according to blockchain data. Munchables declared “all user funds are safe,” in a post on X at around 2:30 p.m. Singapore time, adding in a separate post that the hacker had not insisted on any conditions.

Munchables is built on Blast, a so-called Layer 2 that promises more efficient transactions than established blockchains as well as airline-like loyalty points.

Blast’s founder, Tieshun Roquerre, who goes by the pseudonym Pacman, hailed the “incredible lift” required to secure Munchables’ funds after today’s exploit, in a post on X at 2:20 p.m. Singapore time. He added that “the ex Munchables dev opted to return all funds in the end without any ransom required.”

It seems @_munchables_ lock contract has an issue, which was exploited to drain 17.4K ETH ($62.3M) to the following address:

— PeckShield Inc. (@peckshield) March 26, 2024

Gamers in Munchables try to earn rewards by looking after, or farming, bug-eyed digital creatures. Earlier this week the project said the value of crypto tokens held in the protocol had topped $80 million.

The security incident triggered a flurry of unsubstantiated speculation that a rogue developer or even North Korean hackers were to blame.

The number of North Korean-linked hacks of crypto platforms hit a record high in 2023, though the actual amount of funds stolen — slightly more than $1 billion — dropped around 40%, based on data from blockchain sleuths Chainalysis Inc.

The Lazarus Group, a North Korean hacking unit, infamously stole around $600 million from the blockchain underpinning Axie Infinity, once one of the sector’s most popular games.

Security exploits overall cost the digital-asset industry about $1.8 billion last year, down around 50% from 2022, according to Immunefi, a platform offering bounties to researchers who spot security flaws in crypto software.

Top photo: Coaxial cables connect to a computer server unit inside a communications room at an office in London, U.K., on Monday, May 15, 2017. Governments and companies around the world began to gain the upper hand against the first wave of an unrivaled globalcyberattack, even as the assault was poised to continue claiming victims this week. Photographer: Chris Ratcliffe/Bloomberg.