Stake.com’s $41M hack: Implications and lessons in crypto security


By Benson Toti
  • Stake.com was recently hacked for $41 million. What happened during the incident?
  • How did the crypto casino giant respond to the attack?
  • The implications and lessons for crypto.

The security breach that saw online crypto casino Stake.com lose $41 million to hackers on September 4 is among the most notable attacks to hit the cryptocurrency industry this year. Since the incident, blockchain security analysts and law enforcement have linked the “suspicious outflows” to a sovereign state actor – North Korea’s Lazarus Group.

On September 7, the Federal Bureau of Investigation (FBI) released a report that identified the Lazarus Group as the hacker responsible for the theft. The FBI also pinned several other crypto hacks on the group, including the attacks on Alphapo, CoinsPaid, and Atomic Wallet. The group is reportedly responsible for attacks that have seen more than $200 million in crypto stolen in 2023 alone.

Understanding what happened

Blockchain data revealed that the Stake.com hack started with a transaction on Ethereum, with hackers transferring roughly $3.9 million of the stablecoin Tether (USDT). 

The attackers then withdrew 6,001 Ether (ETH), worth about $9.8 million at the current market price. Also withdrawn were approximately $1 million in USD Coin (USDC), $900,000 worth of Dai (DAI), and 333 Stake.com Classic (STAKE) tokens, each valued at $75.48.

While initial reports indicated stolen crypto funds amounted to $16 million, that rose to $41 million.

On September 7, the platform disclosed that the hacker had begun cross-chain transactions by transferring funds to the BTC blockchain through new wallets on Polygon and Avalanche. As of September 8, $4.5 million has been moved to BTC addresses. Meanwhile, the majority of the stolen funds, approximately $36 million, remain on the Ethereum, Polygon, and BNB Chain networks.

Stake.com assured its customers that user funds were safe and that only a small percentage of the online casino’s total funds had been affected. But amidst the incident, many fake accounts cropped up on X (formerly Twitter), posting fake updates that tried to trick people into clicking on phishing links for refunds.

Understanding hot wallets and cold wallets

Crypto wallets are essential for storing and managing cryptocurrency assets. They come in two main types: hot wallets and cold wallets. Both types of wallets have their own advantages and disadvantages. The right type of wallet depends on how much crypto an individual holds, their security preferences, and how accessible they want their funds to be.

Hot crypto wallets are always connected to the internet, with examples being exchange wallets. They are typically free and allow users to store, send, receive, manage, and view their cryptocurrency assets. Access is via any internet-enabled device, including phones, tablets, and PCs. It is why hot wallets are preferred for easy access and trading.

But while hot wallets offer convenience and quick transactions, they are less secure when it comes to storing high-value assets. The risk of hacking is higher compared to cold wallets.

As cold wallets store assets offline, with access via hardware devices, the threat of being hacked is significantly lower. Use of cold wallets has increased, especially after the collapse of FTX, and hacks on several other centralised crypto exchanges.

Looking over the security aspects

Wallets work with public and private keys, which are the cryptographically generated strings of letters and numbers that authorise crypto transactions. In traditional banking terminology, the public key is like a user’s account name while the private key is like the password needed to access the account. Without the private key, you cannot access the stored cryptocurrencies.

Adding a layer of security is key to the use of hot wallets, and this can be achieved in various ways, including splitting wallet keys and storing them in different places. Other controls, such as limits on fund transfers, their frequency, and the eligible receiving addresses, could be helpful. Such measures helped limit the Stake.com hacker to its bankroll pool and ETH/BSC.
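The transfer controls described above (amount limits, frequency limits, and eligible receiving addresses) can be enforced as a check that runs before a hot wallet signs anything. The following is an added example, not Stake.com's code; the class name, thresholds, window length, and addresses are all assumptions made for illustration.

```python
from collections import deque
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass
class HotWalletPolicy:
    """Pre-signing checks for a hot wallet (hypothetical class, assumed thresholds)."""
    allowed_destinations: frozenset   # eligible receiving addresses, lowercase
    max_per_transfer: Decimal         # cap on a single transfer
    max_per_window: Decimal           # cap on total outflow inside the window
    max_transfers_per_window: int     # frequency limit
    window_seconds: int = 3600
    _history: deque = field(default_factory=deque)  # (timestamp, amount), approved only

    def check(self, dest: str, amount: Decimal, now: float) -> tuple[bool, str]:
        """Return (approved, reason); only approved transfers count against limits."""
        # Drop approved transfers that have aged out of the rolling window.
        while self._history and self._history[0][0] <= now - self.window_seconds:
            self._history.popleft()
        if amount <= 0:
            return False, "invalid amount"
        if dest.lower() not in self.allowed_destinations:
            return False, "destination not on allowlist"
        if amount > self.max_per_transfer:
            return False, "per-transfer limit exceeded"
        if len(self._history) >= self.max_transfers_per_window:
            return False, "frequency limit exceeded"
        spent = sum(a for _, a in self._history)
        if spent + amount > self.max_per_window:
            return False, "window outflow limit exceeded"
        self._history.append((now, amount))
        return True, "approved"


def demo() -> list[tuple[bool, str]]:
    # Constructed sample data: addresses, amounts and limits are illustrative only.
    cold = "0x" + "a1" * 20
    unknown = "0x" + "ff" * 20
    policy = HotWalletPolicy(frozenset({cold}), Decimal("50"), Decimal("120"), 3)
    requests = [(cold, "40", 0), (unknown, "10", 10), (cold, "60", 20),
                (cold, "50", 30), (cold, "40", 40), (cold, "30", 50),
                (cold, "1", 60), (cold, "30", 3700)]
    return [policy.check(d, Decimal(a), t) for d, a, t in requests]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Because the limits are evaluated before signing, a compromised withdrawal path can drain at most the per-window cap, and only to pre-approved addresses, until the window rolls over or an operator intervenes.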

Stake.com’s response to the hack

According to Ed Craven, co-founder of Stake.com, the platform has a small percentage of its crypto reserves in a hot wallet. However, he noted in an interview with DL News that the breach was not because of the hackers acquiring Stake.com’s hot wallet private keys.

Craven also noted in a blog post on Medium that the company’s team acted swiftly following the hack, halting all withdrawals and deposits to prevent further theft.

This was done within 20 minutes, with malicious components disabled and necessary containment measures put in place within 4 hours. As a result, the attack impacted only a small portion of Stake.com’s reserve funds meant for large winnings. Stake.com also quickly resumed its operations and began crediting customers who sent funds during the exploit. 

Meanwhile, the company is working with law enforcement and cybersecurity experts as they look to unmask and apprehend the hackers.

Stake, which supports 18 cryptocurrencies as a payment method, also noted that the two games impacted by the security breach will remain disabled throughout the investigation. 

Lessons for the crypto industry

The recent security breach at Stake.com has sounded alarms about the robustness of security at online crypto platforms. Major security compromises in history, such as Sony’s 2011 PSN intrusion and the 2017 Equifax data exposure, have served as crucial learning points in their sectors.

Likewise, the Stake.com incident highlights the imperative for bolstered defence mechanisms in the rapidly evolving crypto space. Such vulnerabilities, if left unaddressed, could not only impact immediate financial holdings but also erode long-standing reputations.

Given the jeopardy faced by Stake.com’s financial reserves, there’s unease concerning the reliability of cryptocurrency in everyday practical business application. This loss in consumer and business confidence could translate to potential delays or reductions in disbursements, an adverse outcome for creators, especially those recently migrating to Kick in search of a more lucrative platform. Yet, if Stake.com can adeptly navigate through this turbulence and curtail the repercussions, its overarching fiscal health may remain intact.

This breach has prompted industry specialists to reexamine the inherent risks of amalgamating cryptocurrency functionalities with platforms akin to Kick. The incident serves as a clarion call for companies pondering similar integrations.

To fortify defences, platforms should adopt encrypted transactions, maintain unwavering data protection, uphold fairness through Random Number Generator (RNG) protocols, and emphasise layered account safeguards. Furthermore, it’s paramount to offer secure transactional methods, sustain vigilant surveillance, and ensure dedicated customer engagement.

For casinos aiming for sustainability and adaptability amidst sophisticated threats, incorporating AI-centric fraud detection becomes pivotal. Regular security evaluations and pertinent certifications solidify a commitment to preserving a trustworthy environment for their user base while upholding the platform’s esteemed reputation.

The resilience of Stake.com’s operations

Stake.com, founded in 2017 and headquartered in Curacao, is one of the leading crypto casinos in the world. The platform generated around $2.6 billion in revenue in 2022, and recent reports revealed that the gambling platform recorded over 900M bets in August.

Beyond its primary casino functionalities, Stake.com has forged strong ties with Kick Streaming, a platform celebrated for sponsoring renowned streamers, including Adin Ross, Amouranth, and XQC. Notably, the platform also boasts a partnership with Drake as a prominent ambassador, further elevating its prominence in the industry.

The hacking incident underscores the importance of ongoing security enhancements, heightened vigilance, and user education to safeguard both experienced and novice crypto gamblers.

Before the recent hack, Stake.com had taken various security measures to protect user data and funds. The platform required complex passwords and implemented two-factor authentication (2FA) to add an extra layer of security to user accounts. These measures are designed to make it difficult for unauthorised individuals to access user accounts.

The company also performed regular security audits to identify and fix potential vulnerabilities, in an attempt to stay ahead of cybercriminals. It also used encryption technologies to protect user data and financial transactions.

In addition, the platform provided guidance to users, warning them against playing high-risk games that could expose them to hacks. Safe gambling, also known as responsible gambling, is highly encouraged.

To gamble safely, Stake.com advises players to balance gambling with other recreational activities, set a spending plan and time limit, bet with affordable funds, take breaks, and grasp the odds and associated risks. The company also reminds players not to let losses overly upset or anger them during gambling sessions.

However, it is essential to note that no security measure is perfect. The Stake.com hack demonstrates that even well-established and well-funded crypto casinos can be vulnerable to attack. The company promises to continue investing in cyber security to adapt quickly to emerging threats.

Conclusion

Stake.com has shown resilience in the wake of the security breach, taking significant steps to enhance security and protect user data and funds. However, the incident highlights that even well-established crypto platforms are not immune to such attacks.

The critical role of hot wallets is another takeaway from the incident, with Stake.com’s strategic use of secure hot wallets enabling a swift recovery and the protection of user funds. Yet, as the industry continues to mature, hacks highlight the fact that crypto casinos, including Stake.com, need to prioritise continuous vigilance, robust security measures, and proactive incident response mechanisms to ensure the safety of digital assets.