Crypto Casino Stake Opens Withdrawals After Reported $40M Exploit
On September 4th, at 9:28 pm UTC, the crypto betting platform Stake resumed its deposit and withdrawal services only five hours after a reported $40 million exploit.
The incident began with multiple unusual transactions on Monday morning Eastern Time, with approximately $16 million in Ethereum, Tether, USD Coin, and DAI leaving the platform, as Web3 security firm Cyvers noted.
The attacker initiated the first transaction at 12:48 pm UTC, transferring around $3.9 million worth of Tether from Stake to their account.
Subsequently, two more transactions moved over 6,000 Ether, equivalent to approximately $9.8 million at current prices.
Over the following minutes, the attacker continued to drain tokens, including about $1 million in USD Coin, $900,000 worth of Dai, and 333 Stake Classic (STAKE) tokens worth a total of $75. This accounted for the initial $15.7 million loss on the Ethereum network.
An additional $25 million was siphoned from Binance Smart Chain and Polygon, according to blockchain investigator ZachXBT.
Blockchain security firm Beosin estimated the total loss at $41.35 million, encompassing $15.7 million on Ethereum, $7.8 million on Polygon, and another $17.8 million from Binance Smart Chain.
Peckshield, another blockchain security firm, flagged the transfers as suspicious unless the platform was undergoing maintenance.
Stake Confirms Unauthorized Wallet Transfers, Assures User Funds' Security
Stake.com later confirmed that the wallet transfers were "unauthorized," signifying a breach of the company's wallet security. The company assured users that their funds remained safe and that it was investigating the incident.
Stake's billionaire founder, Ed Craven, tweeted, “Stake keeps a small portion of its crypto reserves in hot wallets at any given moment for these very reasons.” He added that all affected wallets would soon be operational.
After confirming unauthorized transactions, Stake resumed its services except for Bitcoin, Litecoin, and XRP wallets. The company has not disclosed the cause of the exploit or the exact amount stolen, but it reiterated the security of user funds.
Cyvers identified an address on Twitter that received the stolen crypto. The stablecoins withdrawn from Stake were converted into Ethereum, the second-largest digital asset.
MetaMask Lead Product Manager and security expert Taylor Monahan highlighted on Twitter that the Stake hackers seemed methodical, sharing a visual representation of the wallet transfers conducted by the suspected hackers.
Despite the breach, the targeted Stake wallet still holds $340,000 worth of ETH and $2.1 million in various altcoins, according to Etherscan data.
Withdrawals from the wallet appear to have been temporarily paused, a claim echoed by several users on Twitter.
According to the Financial Times, Stake, an Australian casino and sportsbook that accepts cryptocurrency deposits, generated $2.6 billion in revenue in 2022.
The platform boasts celebrity endorsements, including Drake, who reportedly signed a $100 million annual endorsement deal with Stake in 2022.