Stake.com, a popular crypto-gambling platform, experienced a suspicious series of withdrawals estimated at approximately $16 million on September 4th, which raised concerns about a potential malicious hack. Reportedly, the alleged attack involved large amounts of Ether and Tether transferred to an account that had no activity before that, raising questions about potential security breaches.
The transactions mentioned above were described as “suspicious” by the security platform Cyvers Alerts. At the same time, Etherscan labeled the account that was beneficient from the transactions “Stake.com Hacker”, with the platform suggesting a potentially stolen private key.
According to blockchain data, a number of significant withdrawals from the platform contract to the account of the alleged hacker.
Reportedly, the first transfer to that account involved was approximately $3.9 million worth of Tether stablecoin. Then, two other transactions moved about $9.8 million worth of Ether. The attacker continued to transfer funds to the previously inactive account, taking Stake classic tokens along with USD Coin and Dai stablecoins. As mentioned above, Cyvers Alerts estimated the overall value of the stolen crypto at a total of $16 million.
After the withdrawals, the funds were distributed by the attacker to several accounts. So far, Stake.com has not released any explanation for the suspicious withdrawals.
Alleged Attacker Used Inactive Account to Drain the Funds, Reports Say
The withdrawals, however, may be worth much more. Popular blockchain enthusiast ZachXBT stated that the attacker had drained about $15.7 million worth of Ethereum, while another $25.6 million had been lost across the Binance Smart Chain and Polygon, which raises the overall worth of crypto funds stolen to no less than $41 million.
Stake.com, on the other hand, has managed to resume services and reopen deposits and withdrawals for its users only five hours after the hack took place.
All services have resumed! Deposits & withdrawals are processing instantly for all currencies. We apologise for any inconvenience. 🙏
— Stake.com (@Stake) September 4, 2023
The cryptocurrency casino, sports betting, and gambling service operator posted on its X (formerly Twitter) account to confirm that all services resumed at 9:28 PM UTC time on September 4th. This was only several hours after the platform confirmed that a number of unauthorized transactions had taken place.
The gambling platform said that its Bitcoin, Litecoin, and XRP wallets were not affected by the attack. Although Stake confirmed that its user funds remain safe, it has not revealed the cause of the exploit or the exact worth of stolen funds.
According to reports, the first transaction took place at 12:48 PM UTC.
Three hours ago, unauthorised tx’s were made from Stake’s ETH/BSC hot wallets.
We are investigating and will get the wallets up as soon as they’re completely re-secured.
User funds are safe.
BTC, LTC, XRP, EOS, TRX + all other wallets remain fully operational.
— Stake.com (@Stake) September 4, 2023
As mentioned above, some blockchain security firms have estimated the overall loss at about $41.35 million, with that amount including $17.8 million from the BNB Smart Chain, $15.17 million on Ethereum, and $7.8 million on Polygon. As explained by ZachXBT, earlier reports estimating the losses did not take into account the $25.6 million that were allegedly lost on Polygon and BNB Smart Chain.
This is not the first time in 2023 when crypto gambling platforms have experienced potential security breaches. In July this year, payments provider Alphapo became subject to suspicious withdrawals worth $31 million. The platform was utilized by a number of crypto-gambling platforms, including Bovada, Hypedrop, and Ignition.
