(Bloomberg) -- The creator of the popular play-to-earn Axie Infinity crypto game said it expects to recover at least a portion of the roughly $600 million of cryptocurrencies hackers looted from a software system linked to the game, while acknowledging that it may be a lengthy process. 

“What we are assuming over the next two years is that some funds will be recovered,” Aleksander Leonard Larsen, chief operating officer of Ho Chi Minh-based Sky Mavis, said in an interview on Thursday. “Two years for Axie is a good time for us to get more information. We’re here to play the long game.” 

Sky Mavis is working with various law enforcement agencies to locate and recover the tokens -- mostly Ether -- that were siphoned off by hackers in late March from a blockchain “bridge” that allowed players to move crypto into and out of the virtual world, Larsen said. He declined to provide details on the investigation. 

Besides raising money from investors to make players who lost funds whole, Sky Mavis will also take a $450 million balance sheet hit to ensure all the stolen crypto is replenished. 

Blockchain data shows that the stolen Ether tokens were deposited into Ethereum wallets, and some of the haul was then moved to Tornado Cash, a service that helps users mask transactions. Tornado’s technology breaks the link between the sender and receiver’s addresses on transactions sent to the Ethereum blockchain. 

It’s “very rare” that funds stolen in large crypto hacks are fully recovered, according to Rishav Rai, lead investigator at Merkle Science, which specializes in crypto crime. At the same time, once a major hack has been discovered, it’s difficult for the perpetrators to liquidate their loot. 

Crypto mixers like Tornado aren’t typically built to built to handle volumes of this magnitude, and moving the tokens through various exchanges and wallets “is not only expensive but time-consuming, not to mention extremely conspicuous,” Rai said March 30. 

The hackers gained access to five computers known as validator “nodes,” which allowed them to drain software known as the Ronin Bridge of 173,600 Ether and 25.5 million USDC tokens -- worth about a combined $600 million at currentg prices. To do so, they initially targeted a Sky Mavis employee in a so-called social engineering attack, Larsen said. 

“That person got access to our nodes through attacking one person on the team,” he said, without giving details. “The underlying technology for the Ronin network is still safe.” 

The company has said it doesn’t suspect any insider involvement in the hack. 

Users Flee

Sky Mavis has already moved to fully compensate gamers who lost money in the attack. It raised $150 million this week in a funding round led by Binance Holding Ltd. to finance reimbursing users. That deal was wrapped up within 48 hours, Larsen said, declining to comment on the valuation. 

To make up the difference and fully replenish the crypto drained in the hack, Sky Mavis is also using $450 million of its own money, Larsen said. The company remains in solid financial condition, he added. It has about $1.5 billion of cryptocurrencies in Axie Infinity’s treasury, where it parks fees paid by players for buying and minting the game’s blob-like NFT characters. It won’t tap the treasury funds to reimburse players. 

Sky Mavis also struck an agreement with Binance which allows gamers to deposit and withdraw crypto even as the Ronin Bridge remains suspended. To bolster defenses against future attacks, the number of validators required to sign off on withdrawals from the bridge has been raised to 21. 

Axie Infinity was losing users even before the hack. Data for the week ended March 28, a day before the theft was discovered, showed that the number had tumbled about 45% from a peak in November, to 1.48 million. Larsen attributed that largely to a steep drop in the value of the game’s rewards, which he said turned off players who participated purely to make money.

“This incident will plague us for a long time in the future, no doubt,” he said. “We feel like we failed to live up to the expectations of our users and we need to rebuild the trust. But I just think this is more as a lesson learned, and security needs will be a priority moving forward.”

©2022 Bloomberg L.P.