Stake.com Suffers $41.4 Million Security Breach

Summary

On September 4, 2023, Stake.com, a crypto gambling protocol offering casino games and sports betting, was targeted by the Lazarus Group (also known as APT38), a group of DPRK cyber actors. The group exploited access control vulnerabilities and extracted approximately $41.4 million worth of various digital assets from the platform’s hot wallets across the Ethereum, Binance Smart Chain (BSC), and Polygon networks. Stake.com reassured users that their funds were safe, and all other wallets remained operational. The stolen funds were distributed across multiple addresses and chains. Some affected addresses were holding over $13 million worth of various tokens as of September 7, 2023.

Attackers

The FBI has identified the Lazarus Group as the responsible party for this attack. The following addresses were used to transfer the funds:

Losses

Stake.com lost around $41.4 million in total from its hot wallets across several chains:

  • $15,693,631 on Ethereum
  • $17,839,572 on BSC
  • $7,875,700 on Polygon

The stolen assets included cryptocurrencies such as ETH, USDT, USDC, DAI, BNB, MATIC, LINK, and SHIB.

Timeline

Security Failure Causes

Private Key Compromise: The Lazarus Group likely obtained access to private keys through a combination of social engineering and malware attacks. This allowed them to bypass security measures and directly access the hot wallets.