Stake.com Suffers $41.4 Million Security Breach

September 4, 2023

Summary #

On September 4, 2023, Stake.com, a crypto gambling protocol offering casino games and sports betting, was targeted by the Lazarus Group (also known as APT38), a group of DPRK cyber actors. The group exploited access control vulnerabilities and extracted approximately $41.4 million worth of various digital assets from the platform’s hot wallets across Ethereum, Binance Smart Chain (BSC), and Polygon networks. Stake.com reassured users that their funds were safe, and all other wallets remained operational. The stolen funds were accurately distributed across multiple addresses and chains. Some affected addresses were holding over $13 million worth of various tokens as of September 7, 2023.

Attackers #

The FBI has identified the Lazarus Group as the responsible party for this attack. The following addresses were used to transfer the funds:

Ethereum:
- 0x3130662aece32f05753d00a7b95c0444150bcd3c
BSC:
- 0x4464E91002c63a623A8A218bD5Dd1f041B61ec04
Polygon:
- 0xfe3F568d58919B14aFf72BD3F14e6f55Bec6C4E0

Losses #

Stake.com lost around $41.4 million in total from its hot wallets across several chains:

$15,693,631 on Ethereum
$17,839,572 on BSC
$7,875,700 on Polygon

The stolen assets included cryptocurrencies, such as ETH, USDT, USDC, DAI, BNB, MATIC, LINK, and SHIB.

Timeline #

September 4, 2023, 12:48 PM UTC: The first malicious transaction was executed with 6,000 ETH being drained from the Ethereum hot wallet.
September 4, 2023, 05:16 PM UTC: Stake.com reported the compromise of its ETH/BSC hot wallets.
September 4, 2023, 09:25 PM UTC: Deposit and withdrawals on the platform were resumed.
September 6, 2023: FBI identifies Lazarus Group as responsible for the theft and provided a list of involved addresses.
September 7, 2023: Ed Craven, the CEO of Stake.com, published a post, stating that only a small portion of Stake’s bankroll was affected.

Security Failure Causes #

Private Key Compromise: The Lazarus Group likely obtained access to private keys through a combination of social engineering and malware attacks. This allowed them to bypass security measures and directly access the hot wallets.

Market Health Metrics API

Benford's Law

Volume distribution analysis

Time-of-Trade

Buy/Sell Ratio

VWAP

Attack Types

Entity Types

Target Entities

51% Attacks

Custodian Attacks

Flash Loan Attacks

Lockout Scams

Phishing Attacks

Reentrancy Attacks

Rug Pull Scam