‍Introduction

In the volatile world of cryptocurrency, security breaches are an unfortunate reality. Recently, the Stake betting platform became a stark reminder of the vulnerabilities even major crypto platforms face due to improper private key management. In this retrospective, we'll delve into the timeline of the Stake hack, shining a light on pivotal moments where Cyvers Vigilens was the first in the industry to detect & how it could have altered the outcome.

‍

The Initial Moves

The attacker's first move involved two concurrent transactions, both of which were recorded in the same block:

1st transaction: https://etherscan.io/tx/0x98610e0a20b5ebb08c40e78b4d2271ae1fbd4fc3b8783b1bb7a5687918fad54e

2nd transaction: https://etherscan.io/tx/0xdddb1d16f97209971ef9256d0b83d5f840eaddbbbbd7a04b5702b4fb7254b857

These transactions signaled the start of a complex theft.‍

‍

The Movement of Tokens

The attacker then launched a series of moves:

1. A USDT transfer occurred around one minute after the initial transactions: USDT Transfer.
2. A USDC transfer followed eight minutes later: USDC Transfer.
3. After fifteen minutes, a DAI transfer took place: DAI Transfer.

Notably, the hacker carried out these transactions with a specific goal in mind: changing the stolen USDT, USDC, and DAI into Ether (ETH) in order to avoid freezing.

‍

The Attack Unleashed

The breach unfolded across Ethereum, Binance Smart Chain (BSC), and Polygon, showcasing the attacker's calculated strategy. Ethereum saw approximately $15.7 million drained, involving ETH, USDT, USDC, and DAI. BSC incurred a loss of roughly $17.8 million, including BNB, BSC-USD, USDC, ETH, BUSD, SHIB, LINK, and MATIC. Polygon faced losses of approximately $7.8 million, including DAI, USDT, USDC, and MATIC.

We could have saved all of the USDC, ETH, DAI, and USDT if Stake had employed Cyvers' monitoring tool Vigilens.

Moreover, it's worth noting that the hacker funded those wallets with 1 ETH to pay the gas fee for the swap.These transactions to externally owned accounts were a part of the hacker's meticulously planned strategy.

‍

The Investigation Deepens

A closer look at the attack's trajectory unveiled a disconcerting reality. The stolen funds were converted into Ether (ETH) and transferred to several externally owned accounts (EOAs). On-chain evidence strongly hinted at a compromised private key within Stake's wallets. An unsettling discovery surfaced in the DAI transfer transaction, where "uint was = allowed uint (-1)" leads to be a private key compromise.

‍

Stake's Awakening

In the wake of the attack, 4+ hours after Cyvers' first alert, Stake publicly acknowledged unauthorized transactions from their ETH/BSC hot wallets. They initiated an investigation, promising to re-secure the wallets before resuming normal operations. Crucially, Stake assured its users that their funds remained SAFU.

‍

The Four Addresses Holding Millions

All the stolen funds now sit in four distinct addresses:

• Address 1
• Address 2
• Address 3
• Address 4

‍

FBI Joins the Investigation

On September 6th, the FBI Identified Lazarus Group Cyber Actors as Responsible for the Theft of $41 Million from Stake.com.

‍

Conclusion

The timeline exposes several critical junctures where Cyvers Vigilens could have rewritten the script. As the attacker executed a series of transactions, Vigilens could have detected and reacted in real-time. By proactively identifying the breach and notifying Stake's security team, Cyvers Vigilens might have substantially reduced the scale of the attack, potentially saving millions in losses. This incident underscores the importance of cutting-edge security solutions like Cyvers Vigilens, which has gained recognition and coverage from various crypto news companies like CoinDesk, Investing.com, Cointelegraph, BeInCrypto, Decrypt, Crypto Daily, Bitcoinist, Rekt, and many more.

‍