Stake.com — hot wallet compromise

FBI-attributed Lazarus Group operators obtained Stake.com hot-wallet private keys and drained $41M in ETH, BTC and stablecoins across multiple networks in September 2023.

Target: Stake.com — hot wallet compromise
Date public: 4 September 2023
Sector: Crypto
Attack type: Wallet Compromise
Threat actor: Lazarus Group (DPRK, FBI attribution)
Severity: Medium
Region: Curaçao

Stake.com is a cryptocurrency-based online casino and sports-betting platform licensed in Curaçao. In September 2023 hackers stole about $41 million from it by obtaining the private keys that controlled its hot wallets — the online accounts it used to process everyday payouts to players. The theft happened fast: all the funds were moved within roughly an hour, across three different blockchains simultaneously. Stake.com told users their personal balances were safe and continued operating without interruption, using its own reserves to cover the loss. What made the incident unusual was the speed of the government response. Just two days after the theft, the FBI publicly named North Korea's Lazarus Group as responsible — one of the fastest formal attributions of any major cyber theft on record. The FBI was able to act so quickly because Lazarus had stolen from so many cryptocurrency platforms by this point that their on-chain laundering signature — the specific pattern of how they move and mix stolen funds — had become recognisable enough to attribute almost in real time.

What happened

On 4 September 2023 Stake.com, a Curaçao-licensed online cryptocurrency casino and sports-betting platform backed by rapper Drake and co-founded by Ed Craven and Bijan Tehrani, experienced the rapid unauthorised drainage of approximately $41 million from its hot wallets across three blockchain networks. Ethereum-based wallets lost $15.7 million, Polygon-based wallets lost $7.8 million, and BNB Smart Chain wallets lost $17.8 million. All transfers took place within approximately one hour in the early morning hours (UTC), suggesting a coordinated and pre-planned operation.

Stake.com disclosed the incident publicly within hours via its official Twitter account, confirming that it had detected suspicious transactions and paused operations temporarily. The platform stated that user funds in player accounts were not at risk — the compromised wallets were operational hot wallets, not segregated customer custody — and that all player balances were covered by company reserves. Normal operations resumed within hours. From the user perspective the incident was invisible; there were no withdrawal failures or balance discrepancies reported by players.

On 6 September 2023 — just two days after the theft — the FBI published a formal attribution statement identifying the North Korean Lazarus Group as responsible. The statement, issued by the FBI’s San Diego field office, included a list of on-chain addresses associated with the theft and placed the Stake.com incident in a broader list of DPRK-attributed cryptocurrency thefts that the FBI was tracking, with a cumulative total exceeding $200 million for 2023 alone.

How it worked

The attacker obtained Stake.com’s hot-wallet private keys. The method by which those keys were obtained was not confirmed in Stake.com’s public communications. The most widely discussed hypothesis among security researchers was a compromise of the key-management system or a member of the small team with access to hot-wallet signing keys, consistent with the insider-access or spearphishing patterns that Lazarus Group uses as initial access vectors in its financial-sector operations.

Hot-wallet private key theft is the simplest and most direct attack on an exchange or gambling platform’s operational funds. A hot wallet, by design, holds liquid funds online and ready to disperse — it is what pays player withdrawals and processes operational transactions. The private key controlling a hot wallet confers immediate, irrevocable authority to move those funds. There is no additional authentication layer, no time delay, and no co-signing requirement. Once the key is in the attacker’s possession, the drain operation is a matter of constructing and broadcasting valid signed transactions as quickly as possible.

The multi-chain operation — simultaneous drains across Ethereum, Polygon and BNB Smart Chain — indicates that the attacker had obtained keys for all three chains’ hot wallets and had pre-built the transaction infrastructure to execute all three drains in parallel. This pattern of simultaneous multi-chain drainage has been observed consistently across Lazarus Group operations from KuCoin (2020) through Atomic Wallet (2023) and is consistent with a group that prepares the full operational structure before executing, rather than improvising.

The FBI’s rapid attribution was enabled by the maturity of on-chain forensic analysis applied to DPRK operations at this point. By September 2023 blockchain analytics firms had catalogued laundering patterns from Ronin Network (March 2022), Harmony Horizon (June 2022), Atomic Wallet (June 2023), and numerous smaller operations attributed to Lazarus. The Stake.com funds moved through a recognisable sequence — initial dispersal to intermediate addresses, conversion to ETH, use of a small number of consistent mixer or bridge services — that matched the prior pattern closely enough for the FBI to issue attribution within 48 hours.

Timeline

  • 4 September 2023, early hours UTC — Attackers drain $41M from Stake.com hot wallets across Ethereum ($15.7M), BNB Smart Chain ($17.8M) and Polygon ($7.8M) within approximately one hour.
  • 4 September 2023 — Stake.com publicly acknowledges the incident. Operations paused briefly then resumed. Player balances confirmed unaffected.
  • 6 September 2023 — FBI issues formal attribution to North Korea’s Lazarus Group. Attacker wallet addresses published.
  • September–October 2023 — On-chain analysts trace laundering through established Lazarus-consistent bridge and mixer infrastructure.
  • November 2023 — US Treasury OFAC sanctions Sinbad.io mixer, used to launder proceeds from Stake.com and other Lazarus operations.
  • 2024 — Stake.com incident listed in FBI and CISA advisories as part of the cumulative DPRK crypto theft campaign totalling over $3 billion.

What defenders should learn

The Stake.com incident makes the hot-wallet key custody problem vivid. Forty-one million dollars was moved in an hour because one entity controlled the single secret — the private key — that governed the entire balance. No co-signing, no time-lock, no threshold scheme, no anomaly detection interposed itself between the attacker obtaining the key and completing the drain. Hot wallets are operationally necessary for any platform that needs to process real-time payouts, but the amount held in them should reflect the operational minimum rather than operational convenience. Excess operational reserves should sit in cold storage or multi-signature arrangements that cannot be drained through single-key compromise.
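The "How it worked" section notes that a hot-wallet key confers immediate authority with no co-signing, time delay or anomaly check, and the paragraph above argues that such a gate should exist. The following constructed Python example (added here; it is not Stake.com's code and the wallet names, amounts and timestamps are invented) sketches a pre-signing policy that a signing service could apply per chain: a rolling per-hour outflow cap, and a co-sign requirement above a single-transfer size. It replays routine payouts followed by a burst shaped like a multi-chain drain to show which transfers would have been held.

```python
from collections import defaultdict, deque

# Hypothetical pre-signing policy gate: every outbound hot-wallet transfer
# is scored before the key signs it. Constructed example, not Stake.com code.
class HotWalletPolicy:
    def __init__(self, window_s=3600, cap_usd=500_000.0, cosign_above_usd=250_000.0):
        self.window_s = window_s                  # rolling window length (seconds)
        self.cap_usd = cap_usd                    # max single-key outflow per window, per chain
        self.cosign_above_usd = cosign_above_usd  # larger transfers need a second signer
        self._sent = defaultdict(deque)           # chain -> deque of (ts, amount_usd)

    def evaluate(self, chain, ts, amount_usd):
        """Return ALLOW, COSIGN or BLOCK for one proposed transfer."""
        q = self._sent[chain]
        while q and q[0][0] <= ts - self.window_s:   # drop entries outside the window
            q.popleft()
        if amount_usd > self.cosign_above_usd:
            return "COSIGN"          # single key is not enough authority for this size
        if sum(a for _, a in q) + amount_usd > self.cap_usd:
            return "BLOCK"           # per-chain velocity cap exhausted: hold and alert
        q.append((ts, amount_usd))   # only transfers actually broadcast consume the cap
        return "ALLOW"

def evaluate_all(transfers, policy=None):
    policy = policy or HotWalletPolicy()
    return [policy.evaluate(chain, ts, amt) for chain, ts, amt, _ in transfers]

T0 = 1693785600  # 2023-09-04 00:00 UTC; constructed timestamps
# Constructed stream: routine payouts, then a burst shaped like a multi-chain drain
SAMPLE = [
    ("ethereum", T0 + 0,    1_200.0,   "payout"),
    ("ethereum", T0 + 300,  45_000.0,  "payout"),
    ("bsc",      T0 + 600,  800.0,     "payout"),
    ("ethereum", T0 + 900,  900_000.0, "drain"),   # oversized -> COSIGN
    ("ethereum", T0 + 910,  200_000.0, "drain"),   # split below co-sign line -> ALLOW
    ("ethereum", T0 + 920,  200_000.0, "drain"),   # ALLOW (446,200 in window)
    ("ethereum", T0 + 930,  200_000.0, "drain"),   # cap would reach 646,200 -> BLOCK
    ("bsc",      T0 + 940,  240_000.0, "drain"),   # ALLOW
    ("bsc",      T0 + 950,  240_000.0, "drain"),   # ALLOW (480,800 in window)
    ("bsc",      T0 + 960,  240_000.0, "drain"),   # BLOCK
    ("polygon",  T0 + 970,  300_000.0, "drain"),   # COSIGN
    ("ethereum", T0 + 5000, 1_500.0,   "payout"),  # window has slid past the burst -> ALLOW
]

if __name__ == "__main__":
    for t, d in zip(SAMPLE, evaluate_all(SAMPLE)):
        print(f"{t[0]:9s} {t[2]:>10,.0f} USD {t[3]:7s} -> {d}")
```

The gate only has teeth if the raw key cannot be used outside the signing service (for example, held in an HSM or split under a threshold scheme); a policy check in application code that sits beside an exportable key is bypassed the moment the key is copied.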

The speed of the FBI’s attribution is instructive for defenders and deterrence alike. Lazarus Group operations have generated enough forensic material — wallet addresses, bridge usage patterns, mixer preferences, timing signatures — that attribution at a 48-hour timescale is now achievable. This represents a qualitative change in the forensic landscape since the 2016 Bitfinex theft, where attribution took six years. The practical implication for defenders is that blocking and tagging attacker addresses happens much faster than it once did, which in turn means the window in which stolen funds can be laundered without crossing a blocked address is narrowing.

Stake.com’s operational resilience — no user impact, rapid resumption, losses absorbed from reserves — deserves examination as a model. The company’s preparation showed in its response: a pre-funded reserve that could cover the hot-wallet balance, a communication strategy that went live within hours, and a technical posture where the hot wallets were segmented from customer custody. Many platforms conflate operational hot-wallet funds with customer custodial funds; Stake.com’s architecture separated them, which is why customers saw no impact even as $41 million left the platform.

The cumulative picture of DPRK cryptocurrency theft operations — Ronin, Harmony, Atomic Wallet, CoinsPaid, CoinEx, Stake.com, DMM Bitcoin — is the most important strategic context for any exchange, protocol, or gambling platform holding significant crypto balances. DPRK operators are systematic, well-resourced, and demonstrably willing to invest months of preparation for a single operation. Treating DPRK threat actor capability as a baseline planning assumption, rather than a tail risk, is now a defensible minimum for any platform managing assets at scale.
