Stake.com Suffers $41.4 Million Security Breach
Summary
On September 4, 2023, Stake.com, a crypto gambling protocol offering casino games and sports betting, was targeted by the Lazarus Group (also known as APT38), a group of DPRK cyber actors. The group exploited access control vulnerabilities and extracted approximately $41.4 million worth of various digital assets from the platform’s hot wallets across Ethereum, Binance Smart Chain (BSC), and Polygon networks. Stake.com reassured users that their funds were safe, and all other wallets remained operational. The stolen funds were distributed across multiple addresses and chains. Some affected addresses were holding over $13 million worth of various tokens as of September 7, 2023.
Attackers
The FBI has identified the Lazarus Group as the responsible party for this attack. The following addresses were used to transfer the funds:
- Ethereum:
- BSC:
- Polygon:
Losses
Stake.com lost around $41.4 million in total from its hot wallets across several chains:
- $15,693,631 on Ethereum
- $17,839,572 on BSC
- $7,875,700 on Polygon
The stolen assets included cryptocurrencies such as ETH, USDT, USDC, DAI, BNB, MATIC, LINK, and SHIB.
Timeline
- September 4, 2023, 12:48 PM UTC: The first malicious transaction was executed, draining 6,000 ETH from the Ethereum hot wallet.
- September 4, 2023, 05:16 PM UTC: Stake.com reported the compromise of its ETH/BSC hot wallets.
- September 4, 2023, 09:25 PM UTC: Deposits and withdrawals on the platform were resumed.
- September 6, 2023: The FBI identified the Lazarus Group as responsible for the theft and provided a list of involved addresses.
- September 7, 2023: Ed Craven, the CEO of Stake.com, published a post stating that only a small portion of Stake’s bankroll was affected.
Security Failure Causes
Private Key Compromise: The Lazarus Group likely obtained access to private keys through a combination of social engineering and malware attacks. This allowed them to bypass security measures and directly access the hot wallets.