Unusually large withdrawals were reportedly made from Stake to an account with no previous activity, with funds stolen including Tether and Ether.
Crypto gambling site Stake experienced $41 million in withdrawals on Sept. 4 in what blockchain security analysts have called “suspicious outflows.” The withdrawing account has been labeled “Stake.com Hacker” by Etherscan, implying that the funds may have been drained using a stolen private key.
Beosin Alert (@BeosinAlert), September 4, 2023: “The total funds were ~$41.35M. Stay alert!”
Blockchain data shows very large withdrawals from Stake.com contracts into the alleged attacker’s account. The first transaction on Ethereum occurred at 12:48 pm, transferring approximately $3.9 million worth of stablecoin Tether (USDT) from Stake to the attacker’s account.
The next two transactions removed 6,001 Ether (ETH), worth approximately $9.8 million at the current price. The attacker continued to remove tokens over the next few minutes, including approximately $1 million in USD Coin (USDC), $900,000 worth of Dai (DAI) and 333 Stake Classic (STAKE) ($75.48). Cyvers estimated the total value of the crypto drained to be $16 million.
After draining the funds, the alleged attacker distributed them to multiple accounts.
Stake confirmed the hack via social media. “Three hours ago, unauthorised tx’s were made from Stake’s ETH/BSC hot wallets,” the team stated. “We are investigating and will get the wallets up as soon as they’re completely re-secured.” The team also claimed that “user funds are safe.” Stake co-founder Ed Craven clarified that “Stake keeps a small portion of its crypto reserves in hot wallets at any given moment for these very reasons,” implying that the losses are a small percentage of the total and will not affect users.
Smart contract auditor Beosin reported that the attack also occurred on other chains, including BNB Smart Chain (BSC) and Polygon. According to Beosin, an additional $7.8 million was lost on Polygon and $17.8 million on BSC, bringing the total losses to more than $41 million.
Stake is a crypto gambling protocol that offers dice games, Blackjack, Lingo and other casino games, as well as sports betting for basketball, tennis, volleyball and others.
This is not the first time in 2023 that crypto gambling sites may have been targeted by hackers. On July 23, payments provider Alphapo suffered $31 million in suspicious withdrawals. Alphapo was a provider for several crypto-gambling sites, including Hypedrop, Bovada and Ignition.
Update (September 4, 2023, 10:03 p.m. UTC): This article has been updated to include a report from Beosin claiming that $41 million was lost instead of only $16 million.