On September 4, 2023, Stake, an Australian-based online cryptocurrency casino, fell victim to a significant security breach, with an unauthorized withdrawal of an estimated $41 million. The exploit was linked to a “private key leak”, which granted unauthorized access to Stake’s hot wallets on Ethereum and Binance Smart Chain networks. Reporting the exploit to its X community, Stake wrote:
Three hours ago, unauthorised tx’s were made from Stake’s ETH/BSC hot wallets.
— Stake.com (@Stake) September 4, 2023
We are investigating and will get the wallets up as soon as they’re completely re-secured.
User funds are safe.
BTC, LTC, XRP, EOS, TRX + all other wallets remain fully operational.
Cryptocurrency investigator ZachXBT confirmed that $15.7 million was drained on Ethereum and another $25.6 million on Polygon and the Binance Smart Chain. The first unauthorized transaction was detected at 12:48 pm UTC, involving a transfer of $3.9 million in Tether from Stake to an unknown account. This was followed by the removal of over 6,001 Ether, valued at around $9.8 million. Additional cryptocurrencies, such as USD Coin and Dai, were also drained in subsequent transactions.
Beosin, a smart contract auditing firm, reported that the attack extended to other blockchain networks, including BNB Smart Chain and Polygon. According to their analysis, an additional $7.8 million was drained from Polygon and $17.8 million from BSC, bringing the total estimated loss to over $41 million.
After the funds were drained, they were converted to Ether (ETH) and transferred to several externally owned wallets. Stake confirmed the breach via social media and initiated an immediate investigation. Ed Craven, a co-founder of Stake, indicated that the platform maintains only a small portion of its crypto reserves in hot wallets, aiming to minimize the financial impact on both users and the platform.
Interestingly, Stake managed to resume all its services, including deposits and withdrawals, just five hours after detecting the security breach. The platform confirmed that all services resumed at 9:28 pm UTC time on September 4. The company issued an apology for any inconvenience caused and assured that deposits and withdrawals were processing instantly for all currencies.
Stake further clarified that its Bitcoin, Litecoin, and XRP wallets were not impacted by the breach. While the company has not yet disclosed the root cause of the exploit or the exact amount that was stolen, they did confirm that user funds remain safe. The firm confirmed that the targeted wallet still held significant amounts in Ethereum and various altcoins, and withdrawals from the wallet were paused.