More than $40M in suspicious crypto outflows from Stake raise hack fears
Online gambling site Stake, which allows bets to be placed using crypto, has seen millions worth of ether and USDT transferred out of known wallets.
First reported by Web3 security firm Cyvers, the pattern of transfers includes swaps from USDT, a stablecoin, to ether.
According to Etherscan, the transactions occurred between 8:52 am ET and 10:05 am ET. At 10:08 am ET, the site’s official Telegram posted that “[d]eposits & withdrawals on Ethereum & BSC/ERC20 networks are undergoing temporary maintenance.”
Messages to the site’s published press email were returned as undeliverable, and a spokesperson did not return Blockworks request for comment.
However, at 1:16 pm ET, Stake posted a statement saying they were investigating but that “user funds are safe.”
The transfers were considered suspect in particular due to the swapping of USDT to ether (ETH), which cannot be frozen by Tether.
In addition to the Ethereum transfers, on-chain investigators have tracked $17.8 million on BNB Chain and $7.8 million on the Polygon PoS chain.
MetaMask product manager Taylor Monahan characterized the transfers as “quite methodical,” and speculated that Stake suffered a “systems compromise.”
“[I]nitial transactions were sent via the [S]take systems to addresses the hackers controlled,” she said in the ETHSecurity Community on Telegram.
On-chain evidence indicates that a private key belonging to Stake’s wallets was compromised, which Andrey Lazutkin, chief technology officer at wallet developer Tangem, said is happening with increasing frequency.
“The only solution to this problem is to store a private key in a protected environment, where the user will not have access to it himself, and therefore no third parties (hackers, scammers or scam projects) will have access to it either,” Lazutkin told Blockworks.
Stake, a Curacao-based platform which bills itself as a “leading crypto casino,” lets customers bet on sports and online games using bitcoin (BTC), ether (ETH), and dogecoin (DOGE). The platform, launched in 2017, allows betting in other currencies including the US dollar.
Stake has been the subject of a trademark infringement lawsuit in Australia and a separate $400 million claim against the founders from a former associate.
Updated on Sep. 4, 2023 at 12:58 pm ET with additional context and at 1:20 pm ET with comment from Stake.
Get the day’s top crypto news and insights delivered to your email every evening. Subscribe to Blockworks’ free newsletter now.
Want alpha sent directly to your inbox? Get degen trade ideas, governance updates, token performance, can’t-miss tweets and more from Blockworks Research’s Daily Debrief.
Can’t wait? Get our news the fastest way possible. Join us on Telegram and follow us on Google News.
