Or malicious... similar to the DAO hack from 2017 suspected of being an inside job (with evidence pointing to the insider who lawyered up to refute it with a code-is-law argument), somebody was accountable for security and they deemed it not worth it to secure it.
Axie Infinity was already struggling, and this happens a day or two away from scheduled distribution of rewards & update release.
Cui bono? Who could've known they were carrying funds in a hot wallet other than the people directly involved with the project? Unless there was a way to discover this from the outside?
Somebody at Axie Infinity could have been asking whether they want to get paid 0.025% of that hot wallet yearly or have it all up front, today. After all, it isn't cash sitting at a bank they have to rob.
It isn't like monitoring would have done anything. Once the transaction goes out, it is gone. The core problem here is the massive private-key bounty being created by a ton of organizations that don't have world-class security teams.
True, but you would think they’d notice $650,000,000 missing before a user reported an issue withdrawing $5,000 (edit - 5k ETH). It’s honestly so impossible to believe that I’d wager the real story is they knew and were actively trying to recover the funds.
But the attacker used 2 transactions. The first one should have been flagged immediately. Plus the servers themselves were compromised. Four of them. The attacker was able to take control of 4 different servers without even being noticed. This is just one massive secops fail.