Stake Suffers $38 million Hack
Merkle Science
On the 4th of September 2023, the popular crypto gambling platform Stake suffered a major security breach caused by a private key leak, resulting in the theft of approximately US$38 million. The preliminary investigation confirms that unauthorized withdrawals were detected from Stake's hot wallets on the Ethereum, Polygon, and Binance Smart Chain networks.
The stolen funds included Ethereum, stablecoins, and native tokens across the three chains, collectively valued around $138 million at the time of transfer. The assets were rapidly moved through various associated addresses and decentralized exchanges in an attempt to obscure the trail.
Stake confirmed the exploit, stating that the hacker managed to drain assets from their hot wallets and that they were investigating the incident. The stolen crypto funds were rapidly shifted between accounts and decentralized exchanges in an apparent effort to launder and cash out the haul.
Hot wallets are highly vulnerable to hacks for the following reasons:
- Increased Attack Surface - The software applications for hot wallets have more components that could contain vulnerabilities. Bugs can give attackers entry points.
- Centralized Services - Many hot wallets are hosted or tied to centralized exchanges and apps. Compromising these companies' servers can grant access to many wallets.
- Malware Risks - Keyloggers, spyware, and phishing scams target users' devices to steal keys and seeds from hot wallets.
Stake confirmed the breach of its hot wallets, halting activity while it investigated. The company resumed services after re-securing its systems.
More on Stake.com
Stake is an online gambling platform founded in Australia in 2017 that facilitates crypto deposits and betting. The company was started by Australian billionaire businessman Ed Craven and has seen significant growth, with Financial Times reporting that Stake generated gross gaming revenues of $2.6 billion in 2022 alone. By accepting cryptocurrency and appealing to crypto users, Stake has managed to position itself as a major player in the crypto gambling sector in just a few short years since its launch.
Flow of Funds
The Merkle Science investigation team observed a similar pattern on all three EVM chains: the funds stolen in multiple currencies from Stake.com's central wallet were split across multiple associate addresses, swapped into the chains' native tokens (ETH, BNB, and MATIC), and then transferred to newly minted addresses controlled by the exploiter.
The assets drained on each chain and their combined value are listed below:
| Blockchain | Token Amount | Token Symbol | USD Value | Total Loss |
|---|---|---|---|---|
| ETH | 900000 | DAI | 89,985.42 | |
| | 6000 | ETH | 9,754,740.00 | |
| | 3900000 | USDT | 3,899,337.00 | |
| | 1100000 | USDC | 1,099,587.50 | |
| | | | | 14,843,649.92 |
| BSC | 7,350,000.00 | BSC USD | 7,345,928.10 | |
| | 1,840,000 | USDC | 1,839,256.64 | |
| | 2,300 | ETH | 3,739,409.00 | |
| | 1,300,000 | BUSD | 1,299,113.40 | |
| | 83,900,000,000.00 | SHIB | 633,445.00 | |
| | 40,000 | LINK | 240,400.00 | |
| | 300,000 | MATIC | 167,248.80 | |
| | | | | 15,264,800.94 |
| Polygon | 70,000 | DAI | 69,983.41 | |
| | 4220000 | USDT | 4,217,932.20 | |
| | 1780000 | USDC | 1,779,633.32 | |
| | 3250000 | MATIC | 1,812,229.25 | |
| | | | | 7,879,778.18 |
| Total | | | | 37,988,229.04 |
At the time of drafting this report, there are no further movements of funds recorded.
Our investigators at Merkle Science are keeping a close watch on the movement of funds from the hacker’s associate addresses. Stay tuned for more updates.
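The split, swap and forward pattern described in this section can be followed mechanically from a list of transfers. The sketch below is an added example, not Merkle Science's tooling or data: every address, block and amount is a constructed placeholder, and `trace` and `current_holders` are hypothetical helper names.

```python
HOT, DEX = "0xHOT", "0xDEX"   # placeholder labels, not addresses from the incident

# Constructed sample data: (block, sender, receiver, asset, amount)
TRANSFERS = [
    (95,  HOT,    "0xCUSTOMER", "ETH",  1),          # normal payout before the drain
    (100, HOT,    "0xA1",       "USDT", 3_900_000),  # drain split across associates
    (100, HOT,    "0xA2",       "USDC", 1_100_000),
    (104, "0xA1", DEX,          "USDT", 3_900_000),  # swapped into the native token
    (104, DEX,    "0xA1",       "ETH",  2_390),
    (105, "0xA2", DEX,          "USDC", 1_100_000),
    (105, DEX,    "0xA2",       "ETH",  674),
    (110, "0xA1", "0xN1",       "ETH",  2_390),      # forwarded to new addresses
    (111, "0xA2", "0xN2",       "ETH",  674),
    (112, DEX,    "0xOTHER",    "ETH",  5),          # unrelated DEX customer
]

def trace(transfers, source, start_block, services=(DEX,)):
    """Sweep transfers in block order and follow funds leaving `source`.

    Returns ({address: (hop, first_block)}, swaps). Transfers sent before
    start_block are ignored, and shared services such as DEX routers are
    recorded as swaps but never expanded, so their other users stay clean.
    Real data should be ordered by (block, tx index, log index).
    """
    seen, swaps = {source: (0, start_block)}, []
    for block, src, dst, asset, amount in sorted(transfers):
        if block < start_block or src not in seen:
            continue
        if dst in services:
            swaps.append((block, src, asset, amount))  # token sent into a swap
        elif dst not in seen:
            seen[dst] = (seen[src][0] + 1, block)
    return seen, swaps

def current_holders(transfers, seen):
    """Traced addresses that have sent nothing since receiving traced funds."""
    active = {src for block, src, *_ in transfers
              if src in seen and block >= seen[src][1]}
    return sorted(addr for addr in seen if addr not in active)

if __name__ == "__main__":
    seen, swaps = trace(TRANSFERS, HOT, start_block=100)
    for addr, (hop, block) in sorted(seen.items(), key=lambda kv: kv[1]):
        print(f"hop {hop}  first seen at block {block}  {addr}")
    print("swaps:", swaps)
    print("holding:", current_holders(TRANSFERS, seen))
```

Addresses returned by `current_holders` are the ones to keep on a watchlist; treating the DEX router as a service is what stops the trace from spreading to every other user of that router.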
Understanding Private Key Leak
A private key leak refers to the unauthorized exposure or disclosure of a user's private cryptographic key. Private keys are crucial for securing and controlling access to crypto wallets, smart contracts, and other digital assets. If a private key is leaked or compromised, it can lead to significant security risks and financial losses for the owner, as in the case of Stake.com.
Here's how a private key leak takes place:
- Phishing Attacks: Attackers often use phishing emails, fake websites, or malicious software to trick users into revealing their private keys. Unsuspecting users might think they are providing their private key for a legitimate purpose, but in reality, they are handing it over to attackers.
- Malware and Keyloggers: Malicious software installed on a user's device can record keystrokes, including the input of private keys. Keyloggers can send this information to attackers, who can then gain access to the victim's blockchain assets.
- Social Engineering: Attackers may attempt to manipulate or deceive individuals through social engineering techniques. This could involve impersonating trusted entities, such as customer support representatives, and convincing users to disclose their private keys.
- Data Breaches: If a cryptocurrency exchange, wallet provider, or any other service storing private keys experiences a data breach, hackers can gain access to a large number of private keys. This happened in several high-profile cases, resulting in significant losses for users.
- Weak Security Practices: Users who do not adequately protect their private keys, such as using easily guessable passwords or not enabling two-factor authentication (2FA), are more susceptible to private key leaks.
- Insecure Storage: Storing private keys in easily or publicly accessible locations, such as cloud storage without proper encryption, can lead to leaks if the storage service is compromised.
- Insider Threats: Employees or individuals with access to sensitive information within blockchain projects may misuse their privileges to steal private keys or intentionally leak them.
Conclusion
Merkle Science empowers law enforcement and government agencies with Tracker — a precise, user-friendly investigative tool. Tracker is equipped with enhanced attribution, extensive coverage, and advanced autographing capabilities that empower law enforcement agencies (LEAs) to detect, investigate, and prosecute crypto-related crimes with unparalleled precision.
The tool’s capabilities have been extended to cover EVM chains, Tron, and multi-chain analysis, further enhancing its investigative support. Tracker’s ability to analyze smart contracts and DeFi transactions ensures that investigators have the insights they need to do their job more effectively, regardless of the cryptocrime threat vector. In the realm of blockchain forensics and investigation, Tracker provides unparalleled precision and unrivaled insights.