TL;DR
Date of Hack: September 4th, 2023
Entities Involved: Stake.com, potential North Korea-affiliated hackers
Amount Lost: $41M
Key Vulnerability: Suspected compromise of Stake's hot wallet private keys.
On September 4th, the online crypto casino Stake.com faced a substantial security breach, resulting in a staggering loss of around $41M from its hot wallets. This incident, while unfortunate, provides valuable insights into the intricacies of blockchain security and the ever-evolving tactics of crypto hackers.
Initial Indicators
This hack's swift and strategic nature suggests a potential compromise of Stake's hot wallet private keys. However, as of this writing, there hasn't been an official confirmation from Stake.com's team regarding this.
Sequence of Attacks
Ethereum Network Breach
Within moments, a massive $15.7M was siphoned off from the Ethereum Network. The crypto assets targeted included:
6001 $ETH
3.9M $USDT
1.1 $USDC
900K $DAI
These were quickly funneled to hacker-controlled address 0x3130662aece32f05753d00a7b95c0444150bcd3c, which subsequently distributed them to various Externally Owned Accounts (EOAs).
Binance Smart Chain & Polygon Networks Breach
Roughly an hour later, the attacker struck again, this time targeting both the Binance Smart Chain and the Polygon Networks. A total of $25.2M in assets were drained:
From BSC:
12k $BNB
7.35M $BSC-USD
And others including 1.8M USDC, 2100 $ETH, 1.3M $BUSD, 83.9B $SHIB, 40K $LINK, and 300K $MATIC.
All the assets were immediately sent to this address 0x4464e91002c63a623a8a218bd5dd1f041b61ec04 and distributed to different EOAs.
From Polygon:
70K $DAI
4.22M $USDT
1.78M $USDC
3.25M $MATIC
The assets were sent to this address 0xfe3f568d58919b14aff72bd3f14e6f55bec6c4e0 and distributed between multiple accounts.
Stake's Response
Shockingly, it took five hours after the initial attack for the Stake.com team to acknowledge the breach publicly, assuring users that their funds remained secure. Interestingly, a mere few hours prior, users had been notified of system maintenance.
The Aftermath
Two days after the attack, the attacker commenced laundering the stolen assets, predominantly by bridging them from Polygon to Avalanche, eventually converting a substantial portion of MATIC to BTC. To date, 72 BTC have been laundered, with the remaining assets still seemingly in the attacker's possession.
A Potential North Korean Connection?
Recent information from the FBI points towards a more sinister plot. The attack signatures and the addresses involved seem eerily similar to those seen in other significant 2023 hacks, including those of Alphapo, CoinsPaid, and Atomic Wallet. These hacks collectively resulted in losses surpassing $200M. Preliminary investigations suggest that North Korean hackers might be the culprits behind this series of high-profile breaches.
The Stake.com hack serves as a stark reminder of the evolving threats in the crypto domain. Continuous vigilance, robust security measures, and proactive incident response mechanisms are paramount in ensuring the safety of digital assets.
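The drain pattern described above (several assets leaving a hot wallet for one previously unseen address within moments, then again on other chains about an hour later) is something an outflow-velocity monitor can flag. The sketch below is an added example, not code from Stake.com or from this article; the addresses are placeholders, the USD values are constructed, and the 10-minute window and $1M limit are assumed thresholds.

```python
from collections import defaultdict, deque
from typing import NamedTuple

class Transfer(NamedTuple):
    ts: int      # seconds since start of the sample
    chain: str
    dest: str    # recipient of the hot-wallet outflow
    asset: str
    usd: float   # USD value at send time (constructed figures)

def detect_drains(transfers, allowlist, window_s=600, limit_usd=1_000_000):
    """Alert once per (chain, dest) when outflows to a non-allowlisted
    address reach limit_usd inside a sliding window of window_s seconds."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for t in sorted(transfers, key=lambda x: x.ts):
        key = (t.chain, t.dest.lower())
        if key[1] in allowlist or key in alerted:
            continue
        q = recent[key]
        q.append(t)
        while t.ts - q[0].ts > window_s:   # drop transfers older than the window
            q.popleft()
        total = sum(x.usd for x in q)
        if total >= limit_usd:
            alerted.add(key)
            alerts.append({"chain": t.chain, "dest": key[1], "ts": t.ts,
                           "usd": total, "assets": sorted({x.asset for x in q})})
    return alerts

# Constructed sample data: placeholder addresses and made-up USD values.
EXCHANGE = "0x" + "e1" * 20   # allowlisted treasury/exchange destination
USER     = "0x" + "b2" * 20   # ordinary customer withdrawal
DRAIN_A  = "0x" + "a1" * 20   # unknown destination, first chain
DRAIN_B  = "0x" + "a2" * 20   # unknown destinations about an hour later
DRAIN_C  = "0x" + "a3" * 20
SAMPLE = [
    Transfer(0,    "ethereum", EXCHANGE, "USDT", 5_000_000),  # large but allowlisted
    Transfer(120,  "ethereum", USER,     "ETH",  2_500),
    Transfer(300,  "ethereum", DRAIN_A,  "DAI",  900_000),    # below limit alone
    Transfer(312,  "ethereum", DRAIN_A,  "USDT", 3_900_000),  # crosses limit here
    Transfer(324,  "ethereum", DRAIN_A,  "ETH",  9_800_000),
    Transfer(3900, "bsc",      DRAIN_B,  "BNB",  2_600_000),
    Transfer(3960, "polygon",  DRAIN_C,  "USDT", 4_220_000),
    Transfer(4000, "polygon",  USER,     "MATIC", 400),
]
ALERTS = detect_drains(SAMPLE, allowlist={EXCHANGE})

if __name__ == "__main__":
    for a in ALERTS:
        print(a)
```

In this sample the Ethereum alert fires on the second transfer to the unknown address, before the largest one is sent, which is the point at which an automated signing pause or key rotation would limit the loss on the remaining chains.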