September 6, 2023
Author: 0xScope

0xScope Research: Tracking the Stake.com Hack

Stake.com, a major online betting platform known as the biggest crypto casino in the world, was recently hacked, affecting $41.3M in funds. The online casino, which earned $2.2 billion in revenue last year and was recently endorsed by rapper Drake, was said to have suffered a “private key leak” that affected its wallets on the Ethereum, BNB Chain, and Polygon blockchains. The $41.3M hack is said to be one of the biggest crypto heists this year.

A crypto security firm first sounded the alarm on the exploit, reporting that a certain address received about $16M in ETH, USDC, USDT, and DAI from Stake.com’s hot wallets. The hacked stablecoins were subsequently converted into ETH. Separately, a crypto sleuth shared that another $25.6M was stolen from the casino’s wallets on BNB Chain and Polygon.

Using the wallet tracking feature of Scopescan, we take a closer look at how the stolen Stake.com funds were transferred across multiple addresses. We will also talk about the implications of this hack for the crypto gambling industry and other key areas.

Asset Analysis: Where Did the Hacked Stake.com Assets Go?

At around 13:00 UTC on September 4, a huge amount of crypto assets was transferred from Stake.com’s hot wallet to the exploiter’s newly created addresses. According to Scopescan data, the exploit on Stake.com’s funds included tokens like ETH, BNB, MATIC, DAI, USDC, USDT, and LINK. Below, we see one of those transactions involving MATIC tokens.

Then, the exploiter’s addresses started to exchange the transferred tokens (mostly USDT and USDC) for native coins like BNB, MATIC, and ETH. Here’s a glimpse of the outflow of hacked funds:

The hacker promptly converted the stolen USDT and USDC into ETH through multiple transactions on DEXes like Uniswap. This shows that the Stake.com hacker is likely experienced in exploiting crypto wallets, or at least aware enough to avoid asset freezes on centralized stablecoins.
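The movement pattern described above (hot-wallet outflows to newly seen addresses, followed by stablecoins being moved onward) can be written as a simple monitoring rule. The following is an added example, not Scopescan's or Stake.com's code; the addresses, transfer records, 30-minute window and $1M limit are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HOT_WALLET = "0xHOT_WALLET"        # placeholder, not a real address
STABLECOINS = {"USDT", "USDC", "DAI"}
WINDOW = timedelta(minutes=30)     # assumed: time after an address is first seen
LIMIT_USD = 1_000_000              # assumed: outflow limit for a new recipient

# Constructed transfer records: (UTC time, from, to, token, USD value).
TRANSFERS = [
    ("2023-09-01T09:12", HOT_WALLET, "0xUSER_A", "USDT", 1_200),
    ("2023-09-03T18:40", HOT_WALLET, "0xUSER_A", "ETH", 900),
    ("2023-09-04T12:10", HOT_WALLET, "0xUSER_B", "USDC", 4_500),
    ("2023-09-04T12:48", HOT_WALLET, "0xNEW_1", "USDT", 3_900_000),
    ("2023-09-04T12:51", HOT_WALLET, "0xNEW_1", "USDC", 1_100_000),
    ("2023-09-04T12:55", HOT_WALLET, "0xNEW_2", "MATIC", 3_200_000),
    ("2023-09-04T13:05", "0xNEW_1", "0xDEX_ROUTER", "USDT", 3_900_000),
]

def flag_drain(transfers, hot_wallet, window=WINDOW, limit_usd=LIMIT_USD):
    """Flag recipients that were first seen recently and received a large
    share of hot-wallet outflow, and list their onward stablecoin moves."""
    first_seen = {}                 # recipient -> first time it was paid
    total = defaultdict(float)      # recipient -> USD received inside window
    onward = defaultdict(list)      # recipient -> stablecoin transfers it sent
    for ts, src, dst, token, usd in sorted(transfers):
        t = datetime.fromisoformat(ts)
        if src == hot_wallet:
            first_seen.setdefault(dst, t)
            if t - first_seen[dst] <= window:
                total[dst] += usd
        elif src in first_seen and token in STABLECOINS:
            # Stablecoins leaving a recipient: the issuer-freeze window is closing.
            onward[src].append((ts, dst, token, usd))
    return {
        addr: {
            "first_seen": first_seen[addr].isoformat(),
            "usd_in_window": total[addr],
            "stablecoin_moves": onward[addr],
        }
        for addr in total if total[addr] >= limit_usd
    }

if __name__ == "__main__":
    for addr, report in flag_drain(TRANSFERS, HOT_WALLET).items():
        print(addr, report)
```

Long-standing customers with small withdrawals stay below the limit, while an address that appears for the first time and immediately receives millions is reported together with any stablecoin transfers it sends onward.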

Based on our analysis, as of 17:00 UTC on September 4, the hacker possessed a total of 9,064 ETH ($14.8M), 79,781 BNB ($17.2M), and 14.1M MATIC ($7.7M).

Around the same time, Stake.com publicly acknowledged that its ETH and BSC hot wallets were exploited, but they did not disclose the cause of the attacks. The crypto casino proceeded to stop deposits and withdrawals on affected wallets, while assuring its users that user funds are safe and that its other wallets remained operational. About four hours after this initial announcement, following further investigation, the company resumed all services.

As of today, the exploiter has not made any other transactions after exchanging all the stolen funds for BNB, ETH, and MATIC.

Possible Implications of the Stake.com Hack

Moments after the hack was publicized, some analysts pointed out that a private key leak was the cause of the Stake.com hack. Cyvers, the blockchain security company that first broke the news of the attack, noted that the exploit could be “a rug pull or an access control violation.” Meanwhile, a security researcher observed that the incident did not involve sophisticated on-chain activities, which means that a private key leak was more likely the cause of the attack.

Stake.com refuted claims of a private key breach on its wallets. Co-founder Edward Craven later claimed that the attack was a “sophisticated breach” that targeted a service being used to confirm Ethereum, Polygon, and BNB Chain transactions. The executive also said that the crypto casino’s private keys were not compromised and that the attack did not materially affect company operations. He added that the hacked wallet was indeed a hot wallet that handles 50,000 transactions a day, mostly for customer deposits and withdrawals.

Regardless of the cause, the hack emphasizes the need for better security and blockchain analysis for major crypto gambling sites like Stake.com. Leveraging wallet tracking platforms like Scopescan will help Web3 companies understand crypto exploits in depth. With the help of services like Scopescan, companies that experienced hacks will be able to strengthen their security measures, identify the individuals that attack their platforms, and possibly retrieve at least some of the stolen funds, whether through legal action or other deals.

Until then, crypto casinos and their users are encouraged to take necessary security measures to safeguard their assets. Web3 gambling sites will also likely face greater reputational risk, scrutiny, and doubt about fund safety.

Additional Sources: BeInCrypto, CryptoBriefing, BSC News, Bleeping Computer, Coindesk, DLNews
