Audits
Services
Services
Smart Contract Audit
Blockchain Protocol Audit
Penetration Testing
Cloud Penetration Testing
dApp Audit
Crypto Wallet Audit
Cross-Chain Bridge Audit
Bug Bounty
Proof of Reserves
CCSS Audit
Tokenomics Audit & Design
Smart Contract Audit
Mitigate weaknesses in your smart contract and improve its functionality with a double line-to-line code analysis and a separate review by a lead auditor.
Blockchain Protocol Audit
Secure the entire architecture and implementation layers of your blockchain protocol with professional security audits and testing.
Penetration Testing
Proactively detect vulnerabilities in your Web3 project by subjecting your systems to a simulated cyberattack in a secure and controlled environment.
Cloud Penetration Testing
Secure your cloud with Hacken's expert penetration testing. Our certified team delivers tailored security solutions for AWS, Azure, Kubernetes, and more, ensuring your data's safety.
dApp Audit
Identify vulnerabilities in applications interacting with blockchain networks with secure code review and static security analysis.
Crypto Wallet Audit
Code review & static security analysis for crypto wallet apps.
Cross-Chain Bridge Audit
Code review & security analysis for cross-chain crypto bridges.
Bug Bounty
Receive only relevant bug reports or undergo crowdsourced penetration testing with the help of thousands of ethical hackers curated by HackenProof.
Proof of Reserves
Enhance transparency in crypto exchanges with independent on-chain proof of assets’ true collateralization.
CCSS Audit
Assess and strengthen your security practices, identify vulnerabilities, and safeguard valuable digital assets in the ever-evolving cryptocurrency landscape.
Tokenomics Audit & Design
Ensure your token model robustness and efficiency and convey trust to investors and community with our thorough, independent audit of protocol economic security.
Solutions
Post-deployment security solution
Hacken Extractor
Real-time smart contract protection from assets loss
Learn more
Solutions
Featured ecosystems:
Ethereum (EVM)
BSC
Polygon
Near
Avalanche
Fantom
Aptos
Sui
Optimism
zkSync
Arbitrum
Solana
Polkadot
Cosmos
Radix
Linea
MetaMask
Others
By Languages:
Solidity
Rust
Move
Blog
Company
Company

The window to exchange $HAI for Hacken Equity Shares ($HES) is now open > Claim your spot today

The Stake.com Hack Explained: Unpacking the $41M Crypto Breach

The Stake.com Hack Explained: Unpacking the $41M Crypto Breach

Share via:

TL;DR
Date of Hack: September 4th, 2023
Entities Involved: Stake.com, potential North Korea-affiliated hackers.
Amount Lost: $41M
Key Vulnerability: Suspected compromise of Stake’s hot wallet private keys.

On September 4th, the online crypto casino Stake.com faced a substantial security breach, resulting in a staggering loss of around $41M from its hot wallets. This incident, while unfortunate, provides valuable insights into the intricacies of blockchain security and the ever-evolving tactics of crypto hackers.

Initial Indicators

This hack’s swift and strategic nature suggests a potential compromise of Stake’s hot wallet private keys. However, as of this writing, there hasn’t been an official confirmation from Stake.com’s team regarding this.

Sequence of Attacks

Ethereum Network Breach

Within moments, a massive $15.7M was siphoned off from the Ethereum Network. The crypto assets targeted included:

6001 $ETH
3.9M $USDT
1.1 $USDC
900K $DAI

These were quickly funneled to hacker-controlled address 0x3130662aece32f05753d00a7b95c0444150bcd3c, which subsequently distributed them to various Externally Owned Accounts (EOAs).

Binance Smart Chain & Polygon Networks Breach

Roughly an hour later, the attacker struck again, this time targeting both the Binance Smart Chain and the Polygon Networks. A total of $25.2M in assets were drained:

From BSC:

12k $BNB
7.35M $BSC-USD

And others including 1.8M USDC, 2100 $ETH, 1.3M $BUSD, 83.9B $SHIB, 40K $LINK, and 300K $MATIC. All the assets were immediately sent to this address 0x4464e91002c63a623a8a218bd5dd1f041b61ec04 and distributed to different EOAs.

From Polygon:

70K $DAI
4.22M $USDT
1.78M $USDC
3.25M $MATIC

The assets were sent to this address 0xfe3f568d58919b14aff72bd3f14e6f55bec6c4e0 and distributed between multiple accounts.

Stake’s Response

Shockingly, it took five hours after the initial attack for the Stake.com team to acknowledge the breach publicly, assuring users that their funds remained secure. Interestingly, a mere few hours prior, users were notified of a system maintenance.

The Aftermath

Two days after the attack, the attacker commenced laundering the stolen assets, predominantly by bridging them from Polygon to Avalanche, eventually converting a substantial portion of MATIC to BTC. To date, 72 BTC have been laundered, with the remaining assets still seemingly in the attacker’s possession.

A Potential North Korean Connection?

Recent information from the FBI points towards a more sinister plot. The attack signatures and the addresses involved seem eerily similar to those seen in other significant 2023 hacks, including those of Alphapo, CoinsPaid, and Atomic Wallet. These hacks collectively resulted in losses surpassing $200M. Preliminary investigations suggest that North Korean hackers might be the culprits behind this series of high-profile breaches.

Follow @hackenclub on ? (Twitter)

Conclusion

The Stake.com hack serves as a stark reminder of the evolving threats in the crypto domain. Continuous vigilance, robust security measures, and proactive incident response mechanisms are paramount in ensuring the safety of digital assets.