Unregulated cryptocasino Stake.com has become the latest victim of cyber attacks. Digital security companies and cyber investigators estimate the losses from the attack on Sep. 4 at over $41 million. Stake confirmed the attack on X (formerly Twitter) but has not released updates.
According to Beosin Alert, the breach involved three types of crypto blockchains totaling approximately $41.35 million:
- $17.8 million on Binance Smart Chain (BSC)
- $15.7 million on Ethereum blockchain (ETH)
- $7.8 million on the Polygon blockchain
Beosin Alert is a malicious website checker by blockchain security company Beosin.
Stake temporarily suspended withdrawals using the affected cryptocurrencies. It said other cryptocurrency wallets like Bitcoin and Litecoin were not affected. About four hours after confirming the attack, Stake tweeted that all services had resumed as usual.
Throughout the ordeal, the company has insisted that users’ funds are safe. The operator added that the funds were stolen from company hot wallets, not users’ funds. Hot wallets are always connected to the cryptocurrency network and the internet. They’re used to send and receive cryptocurrency. Because they’re always connected, hot wallets are more vulnerable to attacks.
Stake holds a gambling license from Curaçao, a rubber-stamp jurisdiction that provides minimal oversight. The country is in the process of attempting to reform its licensing regime to provide greater accountability. For the moment, however, if any players were to be affected by such an attack, they would have no recourse.
Stake also operates Stake.US, a free sweepstakes casino for American players who are not accepted on its cryptocasino. Its founders are behind Kick, a streaming platform that emerged as a more permissive alternative to Twitch for streamers promoting unregulated gambling and other adult content.
Fraudulent Transactions Were Quickly Identified
The attack came to light after a tweet by CyversAlerts, a monitoring account for the digital security company Cyvers. CyversAlerts detected suspicious transactions worth about $15.7 million. Etherscan, an analytics platform for the Ethereum blockchain, has since tagged the receiving wallet as “Stake.com Hacker.”
The first transaction for 1 ETH occurred around 12:48 p.m. on Sep. 4. With the same time stamp, there was another transaction for 6,000 ETH ($9.8 million). Those were followed a minute later by a transaction for 3,900 Tether coins ($3.9 million). About five minutes later, the cyber criminal distributed the funds to other wallets.
Following the CyberAlerts tweet about three hours after the first transaction, other cyber security companies and cyber detectives like user Zach XBT later confirmed the other BSC and Polygon transactions.
Crypto Cyber Attacks Result In Billions of Losses Annually
The decentralized nature of cryptocurrency makes it a prime target for hackers. According to blockchain analytics company TRM Labs, cybercriminals stole over $3.7 billion last year. That was a significant jump from 2021 when the total was around $2.5 billion. In 2022 alone, there were ten attacks resulting in the loss of $100 million or more. The top three were:
- Ronin Bridge – $620 million
- Wormhole Bridge -$326 million
- Nomad Bridge – $190 million
One encouraging sign is that reports show fewer attacks so far in 2023 than over the same period in 2022. Beosin estimates that in the first half of the year, there was $471 million lost from hack attacks. Meanwhile, TRM Labs estimates over $400 million lost in Q1 alone.
TRM’s reports show about 40 attacks in Q1, marking a 70% decrease from Q1 2022. Meanwhile, Beosin reports 108 attacks for the year’s first half. It’s unclear if more attacks occurred in Q1 than in Q2. However, both reports show a significant decline from 2022 and a higher recovery rate.
According to TRM Labs, one reason for the decline could be the arrest and SEC charge of Mango Markets attacker Avraham Eisenberg. In January, the SEC charged him even as he agreed to return the money for a bounty (as has become customary). His arrest may have deterred some other attackers.
However, TRM Labs concludes that it’s more likely that the lower number of attacks is just a temporary anomaly.
Mixed Success in Recovering Stolen Funds
Quickly identifying the fraudulent transactions could help Stake recover some of the money. With improving technology, blockchain analytic companies have many ways to identify wallet owners and track transactions. There has been more success in recovering lost money in recent cyber attacks.
One such case is the crypto exchange Curve Finance, which lost over $73 million on July 30. Curve recovered over 70% of the funds and has pledged to return them to its customers. The company even offered a 10% bounty on the remaining missing funds.
Another company, Euler Finance, the victim of the biggest attack this year, also saw success. The company announced that after negotiation, the attacker returned all of the stolen $197 million.
While there’s been more recovery success recently, Stake might regain the majority of funds lost. According to Beosin, companies recovered about 45.5% of lost funds in the first half of 2023. Aside from the success of Euler and Curve, most of the significant attack victims in 2023 have not recovered any of their losses.
Crypto Casinos Lack US Security Features
Incremental improvements in crypto security and Curaçao’s attempted regulatory overhaul notwithstanding, Bonus strongly recommends against using offshore gambling sites.
Cryptocasinos like Stake are not licensed and regulated in the US and don’t have to follow US web privacy and security laws. That alone is a significant reason not to play at an offshore casino.
Crypto casino users’ information is not protected. Nothing stops an operator like Stake from selling that. Also, no US agency monitors its safety features. Moreover, cryptocurrency usage negatively impacts these operators’ security, as it’s more prone to attacks.
Meanwhile, legal online casinos undergo a vigorous process before obtaining a license. Once they receive a license, each state’s regulatory agency monitors the operator’s activities and security. Legal operators implement security features like two-factor authentication in some states to protect users’ information.
Legal operators are not immune from hackers either, as demonstrated by the attacks on DraftKings and BetMGM last year. However, US regulators require gambling operators to show they hold user funds in separate accounts. That provides a greater level of assurance in the case of an attack than the operator’s word alone. Moreover, the regulators are set up to receive and act on customer complaints, unlike Curaçao and similar offshore jurisdictions like Costa Rica.