Posted on: September 5, 2023, 02:39h.
Last updated on: September 5, 2023, 02:39h.
Stake.com, the cryptocurrency sports betting and casino gaming platform where the rapper Drake routinely drops million-dollar bets, has become the target of a million-dollar heist. It is the latest victim of hackers, in an attack that resulted in the loss of over $41 million in cryptocurrency.
The attack was initially made public via X (the social media platform formerly known as Twitter) thanks to the digital security company Cyvers Alerts. It revealed that the hack was due to a private key leak, adding that it was able to monitor the hack in real time.
The theft reportedly hit the Kick backer’s holdings only – not user funds. However, Stake.com turned off withdrawals shortly after it became aware of the attack, restoring them a few hours later.
Like Kids in a Candy Store
The account that withdrew the funds has been labeled as “Stake.com Hacker” by Etherscan. The first theft took place just before 1 PM Monday when the hacker(s) transferred approximately $3.9 million of the stablecoin Tether (USDT). Next, two other transactions for 6,001 Ethereum (ETH), approximately $9.8 million, took place.
Three hours ago, unauthorised tx’s were made from Stake’s ETH/BSC hot wallets.
We are investigating and will get the wallets up as soon as they’re completely re-secured.
User funds are safe.
BTC, LTC, XRP, EOS, TRX + all other wallets remain fully operational.
— Stake.com (@Stake) September 4, 2023
The hacker(s) continued to withdraw tokens at will, grabbing $1 million in USD Coin (USDC), $900,000 in Dai (DAI) and 333 Stake Classic – the latter’s value was less than $100. After draining the funds, the hacker(s) distributed them across different accounts.
A report from Beosin, a security firm, estimated the total loss to be $41.3 million, which included $15.7 million on the Ethereum blockchain and $7.8 million on Polygon. Another $17.8 million from the Binance Smart Chain was also lost.
Stake.com resumed services for users about five hours after halting its activity. It said on social media that Bitcoin, Ripple and Litecoin wallets were not affected.
Recovering the Funds
Because several cyber sleuths and security firms identified the transactions immediately, there’s a possibility that Stake.com will be able to recover at least a portion of the stolen funds. However, it may be similar to playing a game of whack-a-mole.
Most cryptocurrencies operate on public blockchains, which means that all transactions are recorded on a decentralized and transparent ledger. While these transactions are pseudonymous, they can still be traced through the use of addresses.
Exchanges and blockchain analysis firms use sophisticated techniques, often called “address clustering,” to group multiple addresses together. By analyzing transaction patterns, common input ownership, and other heuristics, they can determine which addresses are controlled by the same entity.
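The common input ownership heuristic mentioned above can be sketched in a few lines. This is an added example, not code from any analytics firm or from the original article. It assumes UTXO-style transactions (as on Bitcoin), and the addresses, transaction IDs and the "multi_party" label are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: UTXO-style transactions, each listing the
# addresses that funded it (inputs) and the addresses it paid (outputs).
# Address names are placeholders, not real on-chain addresses.
TRANSACTIONS = [
    {"txid": "tx1", "inputs": ["A1", "A2"], "outputs": ["B1"]},
    {"txid": "tx2", "inputs": ["A2", "A3"], "outputs": ["C1"]},
    {"txid": "tx3", "inputs": ["B1"], "outputs": ["D1", "D2"]},
    {"txid": "tx4", "inputs": ["D1", "E1"], "outputs": ["F1"]},
    # Hypothetical label: a mixing-style transaction whose inputs belong
    # to different people, so co-spending does not imply a single owner.
    {"txid": "tx5", "inputs": ["A3", "X1", "Y1"],
     "outputs": ["Z1", "Z2", "Z3"], "multi_party": True},
]


class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(b)] = self.find(a)


def cluster_addresses(transactions):
    """Group addresses by common input ownership: every input of one
    transaction is assumed to be controlled by the same entity."""
    uf = UnionFind()
    for tx in transactions:
        inputs = tx["inputs"]
        for addr in inputs + tx["outputs"]:
            uf.find(addr)  # register every address, even singletons
        if not tx.get("multi_party"):
            for other in inputs[1:]:
                uf.union(inputs[0], other)
    clusters = defaultdict(set)
    for addr in list(uf.parent):
        clusters[uf.find(addr)].add(addr)
    return sorted(sorted(c) for c in clusters.values())
```

Without the "multi_party" exclusion, tx5 would merge X1 and Y1 into the A1/A2/A3 cluster, which is the kind of false attribution that mixing-style transactions cause for this heuristic.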
Blockchain analytics companies, such as Chainalysis and Elliptic, provide specialized tools and services to trace cryptocurrency transactions. They gather and analyze data from various sources to track the movement of stolen funds. These tools can uncover patterns, commonalities, and potential connections among addresses involved in the hack.
In some cases, hackers may use privacy-centric cryptocurrencies like Monero or employ mixing services to obfuscate the origin of stolen funds. While this makes tracing more challenging, it’s not impossible. Some blockchain analysis tools are adapting to track privacy coins, and law enforcement agencies are increasingly focusing on this area.
Beosin recently reported that $656 million in crypto was lost through various scams, hacks and rug pulls in the first half of the year. This is only 34% of the $1.91 billion reported in the first six months of 2022. It added that 45.5% of the assets had been recovered – only 8% was recovered a year earlier.
Holding onto Hope
There are different ways Stake.com might be able to recover the funds. In addition to increased capabilities that allow wallets to be traced to individuals, it’s possible that the company could try to make a deal.
In 2016, a hack of the crypto exchange Bitfinex resulted in losses of $72 million at the digital currencies’ market value at the time. Earlier this year, it recovered some of the funds, following the arrests last year by the US Department of Homeland Security of individuals involved in the theft. Cyber forensics had led investigators to the wallets the criminals used, which were then seized.
Decentralized exchange Curve Finance lost $73.5 million in a hack earlier this year. It later received $52.3 million of it back after making a deal with the hackers. In exchange for dropping all attempts to prosecute, it agreed to pay the thieves a 10% “bug bounty,” a fee some companies offer to pay someone who uncovers a security hole in their systems.