
North Korean ‘Lazarus’ Group Linked to Stake $41 Million Hack

Lazarus Group Hacks Stake.com

On September 4th, 2023, Stake.com, one of the world’s largest crypto casinos, fell victim to a cyberattack. The hack, attributed to the Lazarus Group, siphoned over $41 million worth of various cryptocurrencies from its hot wallets. The cyberattack was believed to have been caused by a “key leak,” which allowed the hackers to access the platform’s ETH, Polygon, and BSC hot wallets. This Darknet hacking group has become infamous and increasingly prominent in the cyberattack space over recent years. What actually happened here?

Stake.com Hacked

On September 4th, 2023, Stake.com’s Ethereum hot wallet was breached in a cyberattack. The platform was first alerted on X (formerly Twitter) by Cyvers, a “proactive” AI-based blockchain security firm, which noticed a suspicious native transaction of $15.7 million worth of ETH, DAI, USDT, and USDC coming directly from the Stake.com Ethereum address. While users have occasionally spent well over a million dollars on the platform, an outflow of $15.7 million was like nothing Stake had seen before.

Moments later, a further $25.6 million worth of digital assets was reported to have been siphoned, according to blockchain analyst ZachXBT. In addition, a report released by security firm Beosin confirmed the total hacked amount to be at least $41.3 million (according to Etherscan), made up of $15.7 million worth of Ethereum, $17.8 million on the Binance Smart Chain, and a further $7.8 million on Polygon.

As soon as the Stake team realized the issue, they paused all services to sort it out, going offline for about 5 hours.

The cyberattack was believed to have been caused by a “key leakage”, which granted cybercriminals access to Stake’s hot wallets. This assumption was confirmed by the CEO of Cyvers, Deddy Lavid, who described the incident as “a private key leakage”. Lavid further stated that the breach “could be a rug pull or access control violation”.

Private keys were not compromised but the attacker was able to make several unauthorised transactions from our hot wallets

CEO of Cyvers, Deddy Lavid

Despite the speculation, Stake.com co-founder Edward Craven threw a spanner in the works by releasing a statement saying that the breach was not related to the hackers gaining access to its private keys.

The co-founder further assured users that their funds remained secure despite the breach and that the platform was otherwise unaffected. The breach was directed at a heavily trafficked hot wallet, and the attack was a “sophisticated breach” that targeted a service Stake.com uses to authorize its transactions on the Ethereum, Polygon, and BSC blockchains.

The hack resulted in approximately $41.3 million worth of digital assets being drained from Stake’s hot wallets. As a direct result, Stake.com temporarily disabled its withdrawals and deposits in order to ascertain the extent of the hack and to trace any misappropriated funds. Stake and the FBI worked together and arrived at an unfortunate truth.

Lazarus Group Joins The Chat

Several days later, on September 7th, 2023, the Federal Bureau of Investigation (FBI) released a statement claiming that the cyberattack on Stake.com was the work of the notorious North Korea-linked ‘Lazarus’ hacker group. We’ve reported on them multiple times before. It looks like they’re back from the dead again!

Stake.com Transactions (for the nerds)

The FBI shared the results of its own investigation and listed the addresses of several digital wallets that contain stolen digital assets. The Bureau further stated that the Lazarus Group funneled funds across the Bitcoin, Ethereum, Polygon, and Binance Chain networks. It is still unclear how the Bureau reached its conclusions.

The investigation concluded that the attacker’s digital fingerprints connected the incident to other recent cyberattacks, such as the $100 million siphoned from Atomic and the $60 million taken from Alphapo; the Bureau claimed the group had stolen more than $200 million in 2023.

In 2022, the Lazarus Group was linked to the biggest heist in crypto history, worth $622 million, which drained the Ronin Network. Funds from the cyberattacks are claimed to be funding North Korea’s nuclear weapons program.

In recent months, GitHub issued a statement warning developers of a new North Korean threat designed to compromise victims via malicious npm package dependencies. The attacks targeted individuals from the blockchain, online gambling, and cryptocurrency sectors.

In this case, Stake’s breach was somewhat more sophisticated than using a bug to infiltrate a smart contract. Little is still known about how the Lazarus Group actually managed to access Stake.com’s hot wallets; it is presumed that a private key to the platform’s hot wallet was leaked rather than a smart contract being exploited.

According to Chainalysis, the Lazarus Group previously used the coin-mixing protocol ‘Tornado Cash’ to move stolen funds. Tornado Cash was later sanctioned by the Treasury Department for allegedly assisting in laundering 7 billion worth of digital assets.

The North Korean group has presumably resorted to chain-hopping in order to launder the stolen funds. The FBI lent weight to this theory by stating that the stolen funds had been traced to 33 different addresses, which the Lazarus Group used to move assets out of Stake’s Binance Smart Chain, Ethereum, and Polygon wallets.

In an attempt to contain the situation, the FBI has requested that all blockchain monitors and cryptocurrency exchanges closely monitor the addresses released in its statement and refrain from any transactions with the addresses under investigation.
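The screening the FBI asked exchanges and blockchain monitors to perform, and the kind of outflow anomaly Cyvers spotted, can both be expressed as a small transaction-screening routine. The following is an added example written for this article, not code from Stake.com, Cyvers, or the FBI: it checks each outgoing transfer against a per-chain watchlist and also flags outflows far above a wallet’s historical median. Every address, amount, and watchlist entry below is a constructed placeholder, not one of the addresses the FBI actually published.

```python
"""Added example (not from the article, Stake.com, Cyvers, or the FBI):
screen outgoing transfers against a flagged-address watchlist and flag
hot-wallet outflows that dwarf the wallet's usual activity.
All addresses, amounts and history values are constructed placeholders."""

from dataclasses import dataclass
from statistics import median

# Constructed watchlist: placeholder strings standing in for addresses an
# authority or analytics vendor would publish. Keyed by chain, lowercase.
FLAGGED_ADDRESSES = {
    "ethereum": {"0xflag00000000000000000000000000000000001"},
    "bsc":      {"0xflag00000000000000000000000000000000002"},
    "polygon":  {"0xflag00000000000000000000000000000000003"},
}


@dataclass
class Transfer:
    chain: str       # "ethereum", "bsc" or "polygon"
    to_addr: str     # destination address
    usd_value: float # value of the transfer in USD at send time
    txid: str        # transaction hash (placeholder here)


@dataclass
class Alert:
    txid: str
    reason: str


def normalise(addr: str) -> str:
    """Addresses are case-insensitive hex; compare them in one canonical form."""
    return addr.strip().lower()


def screen_transfers(transfers, watchlist, history_usd, outflow_multiplier=10.0):
    """Return a list of Alert objects for the given outgoing transfers.

    Two independent checks are applied to each transfer:
      1. watchlist hit: the destination is on the flagged list for that chain;
      2. anomalous outflow: the USD value exceeds outflow_multiplier times
         the median of the wallet's past outflows (history_usd).
    A transfer can raise both alerts.
    """
    alerts = []
    baseline = median(history_usd) if history_usd else 0.0
    for t in transfers:
        flagged = {normalise(a) for a in watchlist.get(t.chain, set())}
        if normalise(t.to_addr) in flagged:
            alerts.append(Alert(t.txid, f"destination on {t.chain} watchlist"))
        if baseline and t.usd_value > outflow_multiplier * baseline:
            alerts.append(Alert(
                t.txid,
                f"outflow {t.usd_value:,.0f} USD exceeds "
                f"{outflow_multiplier:g}x median {baseline:,.0f} USD",
            ))
    return alerts


def run_demo():
    """Run the screener over constructed sample data and return the alerts."""
    # Constructed history of past outflows in USD; median is 50,000.
    past_outflows = [1_200, 9_500, 50_000, 210_000, 1_100_000]

    # Constructed transfers: one to a flagged address and oversized, one
    # routine payout, one oversized payout to an unflagged address.
    sample = [
        Transfer("bsc", "0xFLAG00000000000000000000000000000000002", 17_800_000, "tx-a"),
        Transfer("ethereum", "0xuser0000000000000000000000000000000001", 3_000, "tx-b"),
        Transfer("polygon", "0xuser0000000000000000000000000000000002", 7_800_000, "tx-c"),
    ]
    return screen_transfers(sample, FLAGGED_ADDRESSES, past_outflows)


if __name__ == "__main__":
    for a in run_demo():
        print(a.txid, "->", a.reason)
```

The two checks are deliberately independent: a watchlist only catches destinations already known to be bad, while the outflow baseline catches a compromised signer draining a wallet to a fresh, never-seen address, which is the situation described above. In production the history would come from the platform’s own ledger and the watchlist from the published addresses, and a hit would pause the signing service rather than merely log.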

What the hack means for Stake.com users

Stake.com temporarily disabled its withdrawals and deposits after the attack, but the platform resumed normal operations within five hours, with none of its users suffering any financial losses. Judging by social media, users don’t seem overly bothered: they aren’t talking about it much and are focusing on other things.

The attack may have drained several million dollars’ worth of digital assets from the platform, but the platform remains safe and secure for its users. Still, the attack highlights the need for change.

Stake’s Response

The Stake team has been notably quiet since the exploit, saying only the bare minimum via its X account. Co-founder Ed Craven assured users that their funds remained safe and that no private key had been leaked. However, in light of the FBI’s announcement, Stake’s co-founder joined popular Twitch streamer ‘Adin Ross’ to share his views on the incident.

Ed Craven, Stake’s co-founder, suggested sending Adin Ross to North Korea in hopes of negotiating a return of the stolen $41 million. 

Conclusion 

Despite the setback, Stake.com showed its resilience by reopening all withdrawals and deposits within five hours of the attack.

The draining of such a large amount of crypto is a tough pill for Stake.com to swallow. However, according to the company accounts obtained by the Financial Times, Stake.com recorded over 2.5 billion in gross gaming revenue in 2022. 

The incident may prove insignificant in hindsight, but it highlights the vulnerability of crypto casinos to cybercrime and the need for change. Blockchain analysts have suggested that crypto casinos and trading platforms should move from relying on hot wallets to cold wallets in order to secure digital currencies.

Cold wallets are, by their very nature, more secure than hot wallets: they use offline hardware to store crypto and are not connected to the internet. Hot wallets, by contrast, are easier to use but are connected to the internet and store all information, including private and public keys, online.