
FBI Confirms North Korea’s Lazarus Group Behind Devastating $41 Million Stake.com Hack

The cryptocurrency gambling platform Stake.com suffered one of the largest security breaches of 2023 when attackers drained approximately $41.3 million across three blockchains on September 4, 2023. Two days later, on September 6, the United States Federal Bureau of Investigation publicly attributed the attack to North Korea’s Lazarus Group, the state-sponsored hacking unit responsible for billions of dollars in cryptocurrency thefts over recent years.

The Exploit Mechanics

The attack on Stake.com was executed across three separate blockchain networks in the same window. According to Stake.com co-founder Edward Craven, the attackers exploited a “sophisticated vulnerability” in the platform’s transaction authorization systems. Crucially, Craven stated that the platform’s private keys were not compromised, which means the attackers found a path into the workflow that approves and submits on-chain transactions rather than extracting key material.

The drain began with a series of rapid transactions across Ethereum, Polygon, and BNB Chain. On Ethereum, the attackers took approximately $15.7 million in total: roughly $9.8 million in ETH plus $1.1 million in USDC, $3.9 million in USDT, and $900,000 in DAI from Ethereum-based hot wallets. On the Polygon network, they made off with approximately $7.85 million worth of MATIC, about 14.24 million tokens. BNB Chain suffered the largest single hit, with roughly $17.75 million in BNB stolen, approximately 82,650 BNB at the then-current price of around $215. The three per-chain figures add up to the $41.3 million total.

With Bitcoin trading at approximately $25,753 and Ethereum at $1,632 at the time of the attack, the stolen funds represented a significant haul even by Lazarus Group standards. The attackers moved quickly to obscure the trail: they used Squid Router to swap MATIC into assets such as AVAX and USDC and bridged those to the Avalanche network, then converted multiple currencies into BTC via ParaSwap and moved them onto the Bitcoin blockchain, where cross-chain tracing becomes significantly harder.

Affected Systems

The breach affected Stake.com’s hot wallets, the operational wallets used to pay out withdrawals on Ethereum, Polygon, and BNB Chain as part of the platform’s multi-chain strategy. The platform operates as a cryptocurrency casino and sports betting service. The attack targeted the authorization service that approves and executes on-chain transactions from those hot wallets, not the key storage itself.

This distinction matters because user funds held in cold storage were unaffected. The hot wallets that handle day-to-day payouts, however, were emptied. The multi-chain nature of the attack also highlights the difficulty of securing an operation that must hold spendable balances on several networks at once: every chain the platform pays out on is another wallet the same authorization flaw can reach.

The Mitigation Strategy

In the immediate aftermath of the attack, Stake.com took several steps to secure its remaining infrastructure. The platform temporarily suspended withdrawals and deposits while it audited its systems. Co-founder Edward Craven publicly addressed the incident on September 5, stating that the platform’s private keys had not been compromised and that the vulnerability had been identified and closed.

From a broader industry perspective, the attack underscores the importance of robust multi-signature authorization workflows for high-value hot wallets. Craven’s statement does not explain how the authorization layer was bypassed without the keys being taken, so the initial vector remains speculation; a compromised approval service, stolen operator credentials or sessions, or insider access are all consistent with what was disclosed. Security practitioners recommend that platforms moving large volumes of cryptocurrency keep signing keys in hardware security modules or multi-party computation systems, enforce destination allowlists and time-locked withdrawals, and cap per-chain outflow. The caveat is that these controls only help if the policy check lives in a separate trust domain from the request path: a signing policy enforced by the same service an attacker already controls adds nothing.
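The controls above amount to a policy layer that sits between the withdrawal request and the signer, so that even an attacker who controls the request path cannot get a signature for an arbitrary transfer. The following is an added illustration of that layer, not Stake.com’s code; the chain names, thresholds, approver IDs, placeholder destination address and the replayed request sequence are all constructed for the example.

```python
"""Transaction-policy layer for a multi-chain hot wallet (illustrative, not Stake.com's code).

The signer releases a signature only after PolicyEngine.evaluate() returns True, so a
flaw in the request-authorization path alone cannot drain the wallet: the destination
must be allow-listed and past a time-lock, large transfers need N distinct approvers,
and each chain has its own rolling outflow budget.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Withdrawal:
    chain: str                       # e.g. "ethereum", "polygon", "bnb"
    to: str                          # destination address
    usd_value: float                 # value at request time (assumed priced by a trusted oracle)
    ts: int                          # unix seconds
    approvals: frozenset = frozenset()   # approver IDs that signed off on this request


@dataclass
class Policy:
    hourly_cap_usd: dict             # chain -> max USD outflow per rolling hour, independent per chain
    big_tx_usd: float                # transfers at/above this need approvers_required sign-offs
    approvers_required: int
    approver_set: frozenset          # identities whose approvals count
    allowlist_delay_s: int = 24 * 3600   # new allow-list entries are unusable for this long
    allowlist: dict = field(default_factory=dict)   # address -> ts when added


class PolicyEngine:
    def __init__(self, policy: Policy):
        self.p = policy
        self.ledger = defaultdict(list)   # chain -> [(ts, usd)] of approved outflows

    def add_allowlisted(self, addr: str, ts: int) -> None:
        """Adding an address starts its time-lock; it cannot receive funds immediately."""
        self.p.allowlist[addr.lower()] = ts

    def _hourly_outflow(self, chain: str, now: int) -> float:
        return sum(v for t, v in self.ledger[chain] if now - t < 3600)

    def evaluate(self, w: Withdrawal):
        """Return (approved, reason). Only approved requests are recorded against the budget."""
        # 1. destination must be allow-listed and past its time-lock
        added = self.p.allowlist.get(w.to.lower())
        if added is None:
            return (False, "destination not allow-listed")
        if w.ts - added < self.p.allowlist_delay_s:
            return (False, "destination still time-locked")
        # 2. large transfers need N distinct approvals from known approvers
        if w.usd_value >= self.p.big_tx_usd:
            valid = w.approvals & self.p.approver_set
            if len(valid) < self.p.approvers_required:
                return (False, f"needs {self.p.approvers_required} approvals, have {len(valid)}")
        # 3. per-chain velocity limit, checked against that chain's own budget
        cap = self.p.hourly_cap_usd.get(w.chain)
        if cap is None:
            return (False, f"chain {w.chain} has no configured budget")
        if self._hourly_outflow(w.chain, w.ts) + w.usd_value > cap:
            return (False, f"{w.chain} hourly cap {cap} USD exceeded")
        self.ledger[w.chain].append((w.ts, w.usd_value))
        return (True, "ok")


def simulate_drain():
    """Constructed scenario (not real incident data): an attacker who controls the
    request path tries to push three chains' balances to one fresh address."""
    policy = Policy(
        hourly_cap_usd={"ethereum": 500_000, "polygon": 250_000, "bnb": 500_000},
        big_tx_usd=100_000, approvers_required=2,
        approver_set=frozenset({"ops-a", "ops-b", "ops-c"}),
    )
    eng = PolicyEngine(policy)
    attacker = "0xATTACKER"   # placeholder, not a real address
    t0 = 1_693_800_000
    results = []
    # (a) fresh address: refused even with one genuine approval attached
    results.append(eng.evaluate(Withdrawal("ethereum", attacker, 9_800_000, t0, frozenset({"ops-a"}))))
    # (b) attacker abuses the request path to allow-list the address and retries at once
    eng.add_allowlisted(attacker, t0)
    results.append(eng.evaluate(Withdrawal("ethereum", attacker, 9_800_000, t0 + 60)))
    # (c) a day later, past the time-lock, with only one approval instead of two
    t1 = t0 + 24 * 3600 + 1
    results.append(eng.evaluate(Withdrawal("bnb", attacker, 17_750_000, t1, frozenset({"ops-a"}))))
    # (d) structuring: sub-threshold chunks on Polygon to dodge the approval rule
    for i in range(3):
        results.append(eng.evaluate(Withdrawal("polygon", attacker, 90_000, t1 + i * 10)))
    return results


if __name__ == "__main__":
    for ok, why in simulate_drain():
        print("APPROVED" if ok else "DENIED  ", why)
```

In the replayed sequence the first three requests are refused by the allowlist, the time-lock and the approval quorum in turn, and the chunked transfers are cut off by the Polygon budget after two succeed. Each chain has its own budget, so a bypass found on one network does not spend the others’ allowance, which is the point made above about verifying controls per chain.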

Lessons Learned

The Stake.com hack offers several lessons for the cryptocurrency industry. First, multi-chain operations multiply the attack surface: each blockchain integration is another hot wallet and another payout path, and the controls around it must be verified independently for each chain. Second, transaction authorization systems require the same scrutiny as private key management. The attackers demonstrated that compromising the authorization layer is just as devastating as stealing the keys, because the outcome, a signed transfer to an attacker address, is the same.

Third, the FBI’s attribution within two days shows how much faster government agencies have become at tracking cryptocurrency-based cybercrime, largely because on-chain laundering patterns can be matched against earlier cases. The FBI’s statement noted that Lazarus Group had stolen over $200 million in 2023 alone, including $60 million from Alphapo and CoinsPaid in July and approximately $100 million from Atomic Wallet in June. This pattern shows state-sponsored groups systematically targeting cryptocurrency platforms.

User Action Required

For users of Stake.com and similar platforms, the attack is a reminder to keep no more funds on any single platform than needed for immediate use. Cold storage, including hardware wallets from manufacturers such as Ledger or Trezor, remains the most secure option for long-term holdings. Users should also enable every security feature a platform offers, including two-factor authentication and withdrawal address whitelisting, and should monitor their own on-chain activity and report suspicious transactions to platform support immediately.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.


11 thoughts on “FBI Confirms North Korea’s Lazarus Group Behind Devastating $41 Million Stake.com Hack”

  1. private keys weren't compromised but tx auth was. that means their signing infrastructure had a flaw. different problem, same result

    1. chain_marine, right. signing infra flaw vs key compromise tells you the fix is in the multisig setup, not key storage. stake needed better transaction policy controls

  2. 41.3 million across eth polygon and bnb chain simultaneously. lazarus ops are military grade, the coordination across three chains in real time is insane

    1. lazarus doing 3 chains simultaneously with military coordination and nobody in defi security had a real-time alert. on-chain tools are still years behind

  3. Edward Craven saying private keys were not compromised but a transaction authorization vulnerability was exploited. That is a very specific distinction that suggests an inside vector or a deeply researched exploit path.

    1. byung-ho makes a good point. the distinction between key compromise and auth bypass matters because it tells you what to fix

    2. Byung-Ho K., an inside vector on a gambling platform wouldn't surprise anyone. the amount of insider exploitation in offshore crypto casinos is staggering

  4. fbi confirming in 48 hours is fast. usually takes months to attribute. they must have had lazarus wallet fingerprints ready from previous attacks

    1. ^ they did. lazarus has been using the same mixer patterns since the ronin bridge hack. on-chain forensics teams had the signatures already

    2. Emilia Kowalczyk, $625M from ronin and $41M from stake. lazarus treats these like a monthly quota. the scary part is the smaller hacks probably go unreported

