Date of Hack: September 4th, 2023
Entities Involved: Stake.com, Potential North Korea-affiliated Hackers
Amount Lost: $41 Million
Key Vulnerability: Suspected Compromise of Stake’s Hot Wallet Private Keys
The following report provides an in-depth analysis of the security breach that occurred on September 4, 2023, involving Stake.com.
This report will explore the sequence of events, vulnerabilities exploited, Stake’s response, and potential connections to North Korean hackers.
The hack’s speed and precision suggest that Stake.com’s hot wallet private keys may have been compromised, but its co-founder Edward Craven says the breach was not due to hackers gaining control of its private keys.
The exploit spanned multiple chains and resulted in a $41M loss. The suspected root cause is compromise of the private keys controlling Stake's hot wallets, which would have given the attackers full signing authority over those addresses.
With that signing authority the attackers needed no contract bug: they simply signed transactions from the hot wallets, calling the token contracts' transfer() function, to drain 9,620 ETH on the Ethereum Mainnet, 14.24 million MATIC on the Polygon Network, and 82,650 BNB on the BNB Chain.
Sequence of Attacks
Ethereum Mainnet Breach
The attacker first drained $15.7 million from Stake's hot wallet on Ethereum. The stolen assets included:
- 6,001 ETH
- 3.9 million USDT
- 1.1 million USDC
- 900,000 DAI
These assets were quickly transferred to a hacker-controlled address (0x3130662aece32f05753d00a7b95c0444150bcd3c) and distributed to various accounts.
Binance Smart Chain & Polygon Networks Breach
Approximately an hour later, the attacker targeted Stake's wallets on both the Binance Smart Chain (BSC) and the Polygon Network, stealing $25.2 million in assets. On BSC the attacker took:
- 12,000 BNB
- 7.35 million BSC-USD
along with 1.8 million USDC, 2,100 ETH, 1.3 million BUSD, 83.9 billion SHIB, 40,000 LINK, and 300,000 MATIC.
These assets were sent to address 0x4464e91002c63a623a8a218bd5dd1f041b61ec04 and distributed among various accounts.
On the Polygon Network the attacker took:
- 70,000 DAI
- 4.22 million USDT
- 1.78 million USDC
- 3.25 million MATIC
The attacker transferred these assets to address 0xfe3f568d58919b14aff72bd3f14e6f55bec6c4e0 and distributed them among multiple accounts on the Polygon Network.
Stake.com's public response was slow: it took five hours to acknowledge the attack. Users had also been notified of system maintenance shortly before the hack, raising questions about the timing of that maintenance window and how well prepared the attacker was.
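The five-hour gap between the first drain and public acknowledgement is the detection problem in this incident: a hot wallet that starts signing large transfers to an address it has never paid before is exactly the pattern an exchange can alert on within seconds. The monitor below is an added illustration, not Stake's code or any real tooling. It runs three simple rules over a stream of outbound transfers: first-ever destination, total USD outflow in a sliding one-hour window, and hot wallets on more than one chain draining inside that window. All addresses (0xHOT_ETH, 0xATTACKER_A, and so on), timestamps and USD amounts are constructed placeholders shaped like the sequence above, not the real hack data.

```python
from __future__ import annotations

from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    """One outbound transfer observed on-chain (all fields constructed for this example)."""
    ts: int       # unix seconds
    chain: str    # "ethereum", "bsc", "polygon", ...
    token: str
    src: str      # sending address
    dst: str      # receiving address
    usd: float    # value at time of transfer, as priced by the monitor's own feed


# Hypothetical hot-wallet addresses and pre-approved counterparties (e.g. the
# exchange's own cold storage). These are NOT the real Stake addresses.
HOT_WALLETS = {"0xHOT_ETH", "0xHOT_BSC", "0xHOT_POLYGON"}
APPROVED_DESTINATIONS = {"0xCOLD_STORAGE"}


class HotWalletMonitor:
    """Stateful rules over a stream of transfers leaving the hot wallets.

    Rule tags returned by observe():
      NEW_DESTINATION  first transfer ever sent to this address
      OUTFLOW_LIMIT    USD leaving all hot wallets within window_s exceeds usd_limit
      MULTI_CHAIN      hot wallets on >= chain_limit distinct chains drained in the window
    """

    def __init__(self, window_s: int = 3600, usd_limit: float = 1_000_000,
                 chain_limit: int = 2):
        self.window_s = window_s
        self.usd_limit = usd_limit
        self.chain_limit = chain_limit
        self.seen_dst: set[str] = set(APPROVED_DESTINATIONS)
        self.window: deque[Transfer] = deque()   # recent outflows, oldest first

    def observe(self, t: Transfer) -> list[str]:
        """Ingest one transfer and return the sorted list of rule tags it triggers."""
        if t.src not in HOT_WALLETS:
            return []                        # inbound or unrelated traffic: ignore
        alerts: list[str] = []

        if t.dst not in self.seen_dst:
            alerts.append("NEW_DESTINATION")
            self.seen_dst.add(t.dst)         # alert once per destination, not per transfer

        # Slide the window: keep only transfers strictly inside the last window_s seconds.
        self.window.append(t)
        while self.window[0].ts <= t.ts - self.window_s:
            self.window.popleft()

        if sum(x.usd for x in self.window) > self.usd_limit:
            alerts.append("OUTFLOW_LIMIT")
        if len({x.chain for x in self.window}) >= self.chain_limit:
            alerts.append("MULTI_CHAIN")
        return sorted(alerts)


def replay(events: list[Transfer],
           monitor: HotWalletMonitor | None = None) -> list[tuple[int, list[str]]]:
    """Run the monitor over time-ordered events; return (ts, alerts) for events that alerted."""
    monitor = monitor or HotWalletMonitor()
    hits: list[tuple[int, list[str]]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        alerts = monitor.observe(ev)
        if alerts:
            hits.append((ev.ts, alerts))
    return hits


# Constructed sample stream: a routine sweep to cold storage, then a large ETH-side
# drain to a never-seen address, then a second chain hit roughly an hour later.
SAMPLE_EVENTS = [
    Transfer(0,    "ethereum", "USDT", "0xHOT_ETH", "0xCOLD_STORAGE", 50_000),
    Transfer(100,  "ethereum", "ETH",  "0xHOT_ETH", "0xATTACKER_A",   9_800_000),
    Transfer(130,  "ethereum", "USDT", "0xHOT_ETH", "0xATTACKER_A",   3_900_000),
    Transfer(3700, "bsc",      "BNB",  "0xHOT_BSC", "0xATTACKER_B",   2_600_000),
]

if __name__ == "__main__":
    for ts, alerts in replay(SAMPLE_EVENTS):
        print(f"t={ts:>5}s  {', '.join(alerts)}")
```

On the constructed stream the first alert fires at the first anomalous transfer (t=100 s), and the second chain's drain an hour later trips all three rules at once. In production the USD pricing, the approved-destination list and the thresholds would come from the exchange's own systems, and an OUTFLOW_LIMIT or MULTI_CHAIN alert would be wired to an automatic key rotation or withdrawal freeze rather than to a human reading a dashboard.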
Two days after the initial attack, the attacker began laundering the stolen assets, primarily by bridging them from Polygon to Avalanche. A significant portion of MATIC was converted to BTC. To date, 72 BTC has been laundered, while the rest of the stolen assets remain with the attacker.
A Potential North Korean Connection?
Recent information from the FBI has raised suspicions of a larger campaign. The attack signatures and addresses used in this hack closely resemble those seen in other notable 2023 hacks, including Alphapo, CoinsPaid, and Atomic Wallet, which together lost over $200 million.
Preliminary investigations suggest a potential link to North Korean hackers, indicating possible state-sponsored cybercriminal activity.
The Stake.com hack shows that hot-wallet key custody, not only smart-contract code, is a primary attack surface in the cryptocurrency domain. Continuous security audits, monitoring of hot-wallet outflows, robust key management, and swift incident response mechanisms are essential to safeguard digital assets.
As investigations continue, stakeholders must collaborate closely with law enforcement agencies to mitigate future threats and recover stolen funds.