Hackers steal $290 million in crypto from PlayDapp gaming platform
Hackers are believed to have used a stolen private key to mint and steal over $290 million in PLA tokens, a cryptocurrency used within the PlayDapp ecosystem.
PlayDapp is a blockchain-based platform that uses and trades non-fungible tokens (NFTs) within games, allowing users to buy, sell, and trade digital assets across various games without intermediaries.
On February 9, 2024, an unauthorized wallet minted 200 million PLA tokens, valued at $36.5 million. Blockchain security company PeckShield pointed to the possibility of the attacker using a leaked private key.
PlayDapp immediately informed its community that the PLA token contract had been hacked, warning that they were taking immediate action.
To safeguard PLA assets until the situation was remediated, the platform transferred all (locked and unlocked) PlayDapp-held tokens to a new, secure wallet.
PlayDapp sent on-chain messages to the hacker the following day, offering a $1 million “white hat” reward if they agreed to return the stolen contracts and assets by February 13, 2024.
The company also threatened to notify the FBI and law enforcement authorities and chase the hacker using all available means if they refused to return the assets.
The offer did not convince the hackers, as on February 12, 01:01:47 PM +UTC, they minted a massive 1.59 billion PLA tokens, worth $253.9 million at the time, taking the total tally up to $290.4 million.
This massive loss prompted PlayDapp to request the suspension of all PLA trading on decentralized exchanges and the withdrawal of all PLA tokens from liquidity pools.
Today, the platform announced that it is suspending deposits and withdrawals and freezing the hacker’s wallets on major exchanges to try and mitigate the breach.
PLA token holders are requested to refrain from performing transactions until PlayDapp migrates to a safe system using the current snapshot.
Users are also advised to remain vigilant against phishing and scams, which typically accompany major security breach events like this one.
Cryptocurrency experts at Elliptic reported that despite the coordinated action of PlayDapp and major exchanges to hinder the dispersion of stolen PLA tokens, the money is already moving to various accounts and being laundered.
Also, Elliptic notes that the amount the hackers minted surpasses the total number of PLA tokens in circulation before the breach, so these cannot be sold at their normal market value.
Unfortunately, this drop in value will impact legitimate PLA token holders, with the price of PLA already dropping from $0.18 to $0.14 per token.
Currently, the attack is not attributed to any known threat actors.
The magnitude of the attack bears the hallmark traits of the North Korean hacking collective known as the “Lazarus Group,” which has been previously responsible for executing massive breaches against crypto-gaming platforms and cashing out record amounts.