VulcanForge becomes the third cryptocurrency company to be hit by hackers this month. In total, hackers have stolen more than $400 million.

In the latest hack targeting cryptocurrency investors, hackers stole around $135 million from users of the  blockchain gaming company VulcanForge, according to the company. 

The hackers stole the private keys to access 96 wallets, siphoning off 4.5 million PYR, which is VulcanForge’s token that can be used across its ecosystem, the company said in a series of tweets on Sunday and Monday. VulcanForge’s main business involves creating games such as VulcanVerse, which it describes as an “MMORPG,” and a card game called Berserk. Both titles, like pretty much all blockchain games, appear chiefly designed as vehicles to buy and sell in-game items linked to NFTs using PYR.  


The VulcanForge hack is notable because, like many new tokens, PYR trades on decentralized exchanges. Decentralized exchanges run on smart contracts, and because there’s no centralized order book, investors trade against “liquidity pools” with funds contributed by users who earn a “staking” reward in return. It also means there’s no central authority to blocklist a malicious account trying to cash out stolen funds. 

Since the hack, VulcanForge has advised users to remove their liquidity in order to make it difficult or impossible for the attacker to cash out. As The Block reported, the hacker has so far managed to cash out most of the tokens by trading small amounts at a time, although not without sending PYR’s price into a downward spiral due to the sell pressure. On Discord, a bot message has been asking users every half hour: “Anyone that has LP in uniswap or quickswap remove it ASAP.”

In crypto, compromising someone’s private key is a definitive “game over,” because it gives complete control over the funds held by the corresponding address on a blockchain. 

A VulcanForge staff member on Discord claimed on Monday morning that centralized exchanges (CEX) had been notified of the hack. “All the CEX we have partnered with are tracking the addresses and movement of funds. The funds would get seized by the exchange upon deposit,” the staff member said.

On Monday, the company said in a tweet that it had already refunded the majority of stolen PYR, and claimed that it had “isolated” all tokens stolen on centralized exchanges. “Those who knows [sic] VF history, knows [sic] this just makes us stronger,” the company wrote in another tweet