On September 6, the FBI reported on its investigation into the recent hack of online betting platform and casino Stake.com. The FBI found that the theft was carried out by the Lazarus Group, notorious hackers backed by the North Korean government.
The FBI emphasized that Lazarus Group had been involved in major cryptocurrency heists for several years. The hackers have already stolen over $200 million this year.
So far, Atomic Wallet, which lost over $100 million in June, is one of Lazarus Group's biggest victims in 2023. According to the FBI report, the amount mentioned above also includes "approximately $60 million of virtual currency from Alphapo and CoinsPaid on or about July 22, 2023."
The investigation revealed that the Lazarus Group actors used four cryptocurrency addresses to drain the stolen funds on the Ethereum network, five addresses for Binance Smart Chain, two for Polygon, and twenty-two addresses for Bitcoin.
The exploit was discovered on September 4 when several blockchain cybersecurity companies, including CertiK, reported unusual on-chain activity.
"There has been a suspicious outflow of about $15.7 million on ETH with reports of about $25 million on BSC and Poly [Polygon]. Looks to be a private key compromise, however, malicious activity is not confirmed," CertiK wrote that day on X (formerly Twitter).
About two hours after CertiK shared the news with its X followers, Stake confirmed the assumptions, saying that "unauthorized transactions were made from Stake’s ETH/BSC hot wallets." At the time, Stake claimed that users' funds were safe and "BTC, LTC, XRP, EOS, TRX and all other wallets remained fully operational."
Within just four hours, Stake announced that all of its services were back up and running and that "deposits and withdrawals were processing instantly for all currencies," while its co-founder Edward Craven, aka Ed Craven or Stake Eddie, assured casino users that "despite some dramatic headlines, as always Stake has everything under control."
Despite the casino's enthusiasm, some users were concerned about the lack of detailed information about the incident. Although blockchain analytics companies and the FBI itself clearly stated the amount of funds lost, Stake’s team has preferred not to mention it in any posts about the exploit. Craven, for example, wrote his reflections on the attack in a Medium post yesterday but decided not to specify how much the attacker took.
The Stake co-founder summarized the steps the casino team had taken to eliminate the consequences of the exploit, pointing out that there were still two games "impacted by the malicious component" which would remain disabled until the end of the investigation.
Craven assures customers that their personal information "remains secure" because "there is no sign that the attackers accessed or had access to any personally identifiable information of any user."
Still, he warns the community of "a number of fake accounts posting on X offering refunds through malicious phishing links and providing fake updates throughout the event."
"I always would urge fans to follow our official channels and my own handle for live updates," Craven told Stake’s customers, adding that "due to the immediate protective measures we implemented, Stake remains an incredibly safe platform for all players."
According to a 2021 investigation by Sarah Danckert, a journalist at The Sydney Morning Herald, Stake can be considered an Australian online casino, despite "appearing on the surface to be a casino operated by a company set up in the Dutch Caribbean Island of Curacao." As per Danckert, Stake was the largest online casino in the world in 2021, "so large that it took $12 million in bets on the outcome of the last US election alone," while "the Watford FC sponsorship reportedly costs the business $9 million a year."