
Play-to-Earn Game Token Collapses After Hacker Cashes Out

A hacker stole $300,000 from blockchain-based mobile game WonderHero, just a few days after the massive hack targeting play-to-earn Axie Infinity.

WonderHero, a cryptocurrency-based play-to-earn game, announced on Thursday that it was suspending all services. The price of its token had crashed dramatically after a hacker was able to mint the game’s token and cash out for around $300,000.

In an official announcement, WonderHero confirmed that “there was an attack on our cross-chain bridging withdrawal,” and that “the attackers managed to get the signature and minted 80M $WND,” referring to the game’s cryptocurrency.

According to data from CoinMarketCap, the price of WonderHero's token (WND) plummeted by nearly 50 percent on Thursday morning after the hacker cashed out. Before confirming the hack, the company wrote on Twitter that “we understand that the community is concerned with the sudden WND price drop. Our team is looking into this issue and we will update as soon as we can.”

In another tweet, the company said that it was suspending virtually all operations, including game services, smart contracts, deposits, withdrawals, and trading services.

WonderHero is an anime-inspired mobile RPG set in a future where “Earth has been polluted by the aftermath of nuclear war, with the last of human civilization moving to inhabit the massive space station, Icarus VI,” according to the game’s official site. Players collect characters, weapons, and equipment that are all NFTs. To upgrade them, players have to purchase or earn the game’s cryptocurrency, called WND.

The incident comes a week after a hacker stole more than $600 million in cryptocurrency from a bridge operated by another play-to-earn game, Axie Infinity. In that case the hacker “used hacked private keys in order to forge fake withdrawals,” according to the company. In other words, the hacker exploited a bridge in the Ronin network, a blockchain built to interact with the Ethereum-based Axie Infinity, by taking control of a majority of its validator nodes, which are authorized to verify and approve transactions. 

Do you have more information about the WonderHero hack? Or other web3 and crypto hacks? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email lorenzofb@vice.com

Tal Be’ery, a cybersecurity researcher and the chief technology officer of ZenGo, a crypto wallet app, said that the WonderHero hacker likely accessed the company’s private key, which allowed them to mint new tokens.

“How do we know the private key was stolen? In order to add someone as ‘miner’ you need access to the private key to sign the relevant transaction,” Be’ery told Motherboard in an online chat. “There's no technical way to know how the key got to the attackers, but it's clear they got it.”

Certik, a cryptocurrency cybersecurity firm, wrote on Twitter that the incident was a “possible hack.” PeckShield, another company that tracks cryptocurrency hacks, tweeted at WonderHero pointing to the suspected hacker’s transaction on the Binance Smart Chain, saying “you may want to take a look.” The transaction shows someone transferring 80 million WND tokens worth more than $300,000 into their wallet from a null address linked to the project. All of those tokens have now been moved out of that wallet.

Motherboard reached out to WonderHero’s co-founder and CEO Ethan Ng via Twitter and LinkedIn, to the company’s chief marketing officer Zander Lian via LinkedIn, and to the company’s operations manager Priscilla Thoo via LinkedIn. None of them responded to the requests for comment.

Motherboard reached out to admins on WonderHero’s Discord channel for comment, and quickly received a ban. Two admins for WonderHero’s Telegram channel did not respond to private messages on the platform asking for comment.

In its announcement, the company promised to create a new smart contract and “fairly” compensate all its supporters with new tokens based on the amount of WND they owned before the hack.
