Stake co-founder says wallet keys ‘not compromised’ in crypto casino’s $41m hack
Stake.com confirmed it was hacked for about $41 million. Credit: Ryan Browne/Shutterstock
  • Stake co-founder Edward Craven confirmed the hack but said the platform’s private keys were not compromised.
  • The attack involved unauthorised withdrawals from a heavily-trafficked hot wallet belonging to the crypto casino.
  • Craven said the attack was a “sophisticated breach” that targeted a service the company uses to authorise transactions.

Crypto’s biggest online casino and sports betting platform Stake was hacked for $41 million on Monday, but its co-founder Edward Craven says the breach was not due to hackers gaining control of its private keys.

Blockchain security experts had previously speculated that Stake’s private keys were compromised.

Private keys are password-like codes that control access to crypto wallets. If a malicious actor gains control of these keys they can use them to access a victim’s wallet and syphon funds.

“Private keys were not compromised but the attacker was able to make several unauthorised transactions from our hot wallets,” Craven told DL News on Tuesday.

Craven said the attack was a “sophisticated breach” that targeted a service the company uses to authorise transactions on the Ethereum, Polygon, and BNB Chain blockchains.

These transactions included $16 million in Ether as well as stablecoins like USDT, USDC, and DAI. This was followed by another $25 million in withdrawals of MATIC and BNB tokens.

Craven told DL News that Stake is “back and running exactly as it was” before the attack.

“The loss of funds is by no means a trivial amount, but this attack has not materially affected Stake’s operations.”

Stake previously confirmed the hack on Monday via a post on X, formerly Twitter, but said that user funds were safe despite the incident.

“We are investigating and will get the wallets up as soon as they’re completely re-secured,” Stake said.

Stake temporarily halted deposits and withdrawals following the incident but reinstated both functions shortly after.

Some observers say the stolen funds amount to a drop in the bucket for the company. Stake’s revenue last year reached $2.6 billion, more than twice the earnings reported in 2021.

Hot wallet breach

Monday’s hack saw the attackers target hot wallets used by Stake in its daily operations.

Hot wallets are Internet-connected crypto wallets that offer ease of use for transactions. But this flexibility can come at a cost — susceptibility to malicious intrusion due to their exposure to the Internet.

As such, they are not as secure as cold wallets, which are not connected to the Internet. Cold wallets are, however, not optimal for use cases that require frequent transactions.

The Stake wallet targeted in Monday’s hack handles a lot of transactions — 50,000 a day, according to Craven.

“This was a hot wallet used for customer deposits and withdrawals,” Craven said.

Private key leakage or not

Blockchain security experts had been fairly certain the Stake incident was a hack even before any official confirmation.

However, Craven’s statement that private keys were not compromised is at odds with the analysis provided by several blockchain security experts.

“It’s [a] private key leakage,” Deddy Lavid, CEO of blockchain security firm Cyvers, told DL News shortly after his firm detected the hack on Monday. It could be a rug pull or an access control violation, he said.

Apart from a private key leak, hackers can also gain control of wallets using attack vectors like phishing, where the victim is tricked into downloading malicious software onto their computer.

DeFi venture investor and security researcher Arhat Bhagwatka told DL News that compromised private keys were the “most plausible explanation” for the unauthorised withdrawals from Stake’s hot wallet.

“Private keys could have been leaked by other measures as well, such as unauthorised signatures, but this is the only explanation that makes sense.”

No MEV activity

Some security researchers also pointed to the lack of other sophisticated on-chain activities during the incident as proof that it was due to compromised private keys and not a malicious smart contract exploit.

“An exploit of such extent usually happens with frontrunning or sandwich attacks or malicious contracts — all of which were not visible to me in anything I looked at,” Bhagwatka said.

Hackers’ transactions are often frontrun by MEV bots due to the large amounts of tokens transferred during hacks. This was absent in the Stake incident.

Osato Avan-Nomayo is our Nigeria-based DeFi correspondent. He covers DeFi and tech. To share tips or information about stories, please contact him at osato@dlnews.com.