Est. MMXXVI · Vol. VI · № 273
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 159 · Private Key Compromise

Stake.com Hot Wallet Heist

Stake.com lost $41M from hot wallets on Ethereum, BSC and Polygon in 90 minutes; the FBI formally attributed the heist to Lazarus and listed 40 addresses.

Date
September 4, 2023
Victim
Stake.com
Status
Funds Stolen
Attribution
Lazarus Group / APT38 (DPRK)

On September 4, 2023, the cryptocurrency casino Stake.com suffered a series of unauthorised hot-wallet withdrawals totalling roughly $41.35 million across three chains in a 90-minute window. The FBI publicly attributed the operation to Lazarus Group / APT38 within 72 hours and listed all 40 attacker-controlled addresses in its press release.

What happened

Stake's losses came from hot wallets on Ethereum ($15.7M, largely USDT, ETH, USDC, DAI), BNB Chain ($17.8M), and Polygon (~$7.8M). The first transaction was a $3.9M USDT transfer; the rest followed in a tightly choreographed sweep designed to extract value before withdrawals could be paused.

The exact compromise vector was never publicly resolved. Stake co-founder Edward Craven stated the attack targeted "a service the company uses to authorise transactions," implying the breach was in a signing-authorisation system rather than direct private-key theft. The FBI's framing leaned toward private-key compromise. The on-chain pattern (one operator acting on multiple chains, with simultaneous coordinated withdrawals) is consistent with either reading: whether the key itself or the service that signed with it was compromised, the attacker was able to issue large, unattended withdrawals faster than any control stopped them.
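As an added illustration (not Stake.com's code, and not built on the incident's real transactions), the Python below replays a constructed outflow log through the kind of sliding-window velocity check that a sweep like this is designed to outrun: it alerts when hot-wallet outflow inside a trailing window exceeds a USD ceiling, or when large transfers land on two or more chains inside that window, and it reports how much value had already left before the first alert fired. Every record, threshold and chain name is an assumption chosen for the example.

```python
"""Sliding-window outflow monitor for a hot wallet, across chains.

Added example; not Stake.com's code and not derived from the incident's
on-chain data. The transfer records, thresholds and chain names are all
constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Tuple


@dataclass(frozen=True)
class Outflow:
    ts: int       # unix seconds
    chain: str
    token: str
    usd: float    # value at transfer time, as the treasury system would price it


@dataclass(frozen=True)
class Alert:
    ts: int
    window_usd: float
    chains: Tuple[str, ...]   # chains with a large transfer inside the window
    reasons: Tuple[str, ...]  # "usd_limit" and/or "multi_chain"


# Constructed sample: routine payouts, then a burst of large transfers that
# hits three chains within a few minutes (the shape described above, not the
# real transactions).
SAMPLE_OUTFLOWS = [
    Outflow(1_693_800_000, "ethereum", "USDT", 12_000),
    Outflow(1_693_800_600, "bsc", "BNB", 8_000),
    Outflow(1_693_801_200, "polygon", "MATIC", 3_000),
    Outflow(1_693_802_000, "ethereum", "USDT", 3_900_000),
    Outflow(1_693_802_120, "ethereum", "ETH", 2_500_000),
    Outflow(1_693_802_300, "bsc", "USDT", 2_000_000),
    Outflow(1_693_802_360, "polygon", "USDC", 1_900_000),
    Outflow(1_693_802_500, "bsc", "BNB", 3_000_000),
]

# Assumed policy values; a real deployment tunes these to normal payout volume.
WINDOW_SECONDS = 15 * 60
WINDOW_USD_LIMIT = 10_000_000
LARGE_TX_USD = 1_000_000
MIN_CHAINS = 2


def detect_sweep(outflows, window=WINDOW_SECONDS, usd_limit=WINDOW_USD_LIMIT,
                 large_tx=LARGE_TX_USD, min_chains=MIN_CHAINS) -> List[Alert]:
    """Replay outflows in time order and return one Alert per transfer at
    which the trailing window either exceeds usd_limit or contains large
    transfers on at least min_chains chains."""
    recent: Deque[Outflow] = deque()
    window_usd = 0.0
    alerts: List[Alert] = []
    for tx in sorted(outflows, key=lambda t: t.ts):
        recent.append(tx)
        window_usd += tx.usd
        while tx.ts - recent[0].ts > window:       # drop transfers that aged out
            window_usd -= recent.popleft().usd
        chains = tuple(sorted({t.chain for t in recent if t.usd >= large_tx}))
        reasons = []
        if window_usd > usd_limit:
            reasons.append("usd_limit")
        if len(chains) >= min_chains:
            reasons.append("multi_chain")
        if reasons:
            alerts.append(Alert(tx.ts, window_usd, chains, tuple(reasons)))
    return alerts


def usd_out_before_first_alert(outflows, **policy) -> float:
    """Value already gone by the time the first alert fires: the figure that
    decides whether a pause-on-alert control is worth anything."""
    alerts = detect_sweep(outflows, **policy)
    cutoff = alerts[0].ts if alerts else max(t.ts for t in outflows)
    return sum(t.usd for t in outflows if t.ts <= cutoff)


if __name__ == "__main__":
    for a in detect_sweep(SAMPLE_OUTFLOWS):
        print(a)
    print("USD out before first alert:", usd_out_before_first_alert(SAMPLE_OUTFLOWS))
```

On the constructed data the first alert fires on the cross-chain rule, one transfer before the USD ceiling is breached, and by then roughly $8.4M of the sample has already left. That is the practical lesson of a 90-minute sweep: the window and ceiling have to be set against normal payout volume, not against the size of a loss you would tolerate, and the alert has to pause signing automatically rather than page a human.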

Aftermath

  • Stake.com paused hot-wallet operations briefly and absorbed the loss from corporate reserves.
  • The FBI publicly named all 40 attacker addresses — an unusually granular attribution that gave compliance teams across the industry a freezing target list within days of the incident.
  • Funds were laundered through cross-chain bridges and mixers, partially combined with proceeds from other Lazarus operations (notably Atomic Wallet and CoinEx around the same period).

Why it matters

Stake.com was one of the first incidents in which the FBI's attribution included specific on-chain addresses rather than just a named threat actor. The combination of operational attribution and on-chain transparency meant that any exchange or DeFi protocol receiving funds from those addresses knew exactly who they were dealing with, in real time. That accelerated the standardisation of sanctioned-address screening as a regulated AML control rather than a voluntary best practice.
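The screening control described here, as an added example that is not code from Stake.com, the FBI or any analytics vendor: a minimal denylist screen over EVM transfers that canonicalises addresses before matching (so a mixed-case EIP-55 rendering of a listed address cannot slip past a string compare), matches on the address regardless of which chain it was listed for (the same keypair controls the same address on every EVM chain), and propagates taint one hop so deposits from an intermediary that was funded by a listed address are flagged as exposed rather than clear. All addresses, transaction labels and amounts are constructed placeholders, not the addresses the FBI actually published; the hop limit is an assumed policy value.

```python
"""Screen EVM transfers against a list of attributed addresses.

Added example; not code from Stake.com, the FBI or any analytics vendor.
Every address and transfer here is a constructed placeholder, not one of the
addresses the FBI actually listed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

ADDR_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def normalize(addr: str) -> str:
    """Canonical lower-case form of a 20-byte EVM address. Screening must
    compare canonical forms: a mixed-case (EIP-55) rendering of a listed
    address is the same key and would slip past a raw string match."""
    a = addr.strip()
    if not ADDR_RE.match(a):
        raise ValueError(f"not an EVM address: {addr!r}")
    return a.lower()


def placeholder(tag: str) -> str:
    """Build an obviously fake address from a short hex tag (constructed data)."""
    return "0x" + tag.rjust(40, "0")


# Constructed denylist in the per-chain shape of a published list. The chain
# is kept for reporting only: an EVM address is the same keypair on every EVM
# chain, so matching is done on the address regardless of chain.
LISTED_BY_CHAIN = {
    "ethereum": [placeholder("a1"), placeholder("a2")],
    "bsc": [placeholder("b1")],
    "polygon": [placeholder("c1")],
}


def build_denylist(listed_by_chain: Dict[str, List[str]]) -> Dict[str, str]:
    """Map canonical address -> chain it was listed on."""
    return {normalize(a): chain
            for chain, addrs in listed_by_chain.items() for a in addrs}


@dataclass(frozen=True)
class Transfer:
    ts: int
    chain: str
    tx: str        # constructed transaction label
    sender: str
    receiver: str
    usd: float


def screen(transfers: List[Transfer], denylist: Dict[str, str],
           max_hops: int = 1) -> Dict[str, str]:
    """Verdict per transfer: 'direct' if the sender is listed, 'exposed' if the
    sender is within max_hops transfers of a listed address in this batch,
    else 'clear'. Taint is propagated receiver by receiver in time order."""
    hops_from_listed: Dict[str, int] = {a: 0 for a in denylist}
    verdicts: Dict[str, str] = {}
    for t in sorted(transfers, key=lambda t: t.ts):
        s, r = normalize(t.sender), normalize(t.receiver)
        hops = hops_from_listed.get(s)
        if hops is None:
            verdicts[t.tx] = "clear"
            continue
        if hops == 0:
            verdicts[t.tx] = "direct"
        else:
            verdicts[t.tx] = "exposed" if hops <= max_hops else "clear"
        # the receiver is now one hop further from the listed source (keep shortest)
        hops_from_listed[r] = min(hops_from_listed.get(r, hops + 1), hops + 1)
    return verdicts


# Constructed batch: a listed address pays out, the proceeds move on twice, a
# mixed-case copy of the BSC-listed address sends on BSC, and the same
# BSC-listed key is then used on Ethereum.
SAMPLE_TRANSFERS = [
    Transfer(1, "ethereum", "t1", placeholder("a1"), placeholder("1111"), 500_000),
    Transfer(2, "ethereum", "t2", placeholder("1111"), placeholder("2222"), 499_000),
    Transfer(3, "ethereum", "t3", placeholder("2222"), placeholder("3333"), 100_000),
    Transfer(4, "bsc", "t4", placeholder("B1"), placeholder("4444"), 250_000),
    Transfer(5, "polygon", "t5", placeholder("5555"), placeholder("6666"), 1_000),
    Transfer(6, "ethereum", "t6", placeholder("b1"), placeholder("7777"), 80_000),
]

if __name__ == "__main__":
    for tx, verdict in screen(SAMPLE_TRANSFERS, build_denylist(LISTED_BY_CHAIN)).items():
        print(tx, verdict)
```

With the default one-hop limit, t1, t4 and t6 are direct hits (t4 only because of canonicalisation, t6 only because the list is matched across chains), t2 is exposed and t3 is clear; raising max_hops to 2 flips t3 to exposed. How far to follow taint is a policy decision, but the two defaults that are not negotiable are canonical matching and chain-agnostic matching, since either gap is trivially exploited by whoever holds the listed keys.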

Sources & on-chain evidence

  1. fbi.gov: https://www.fbi.gov/news/press-releases/fbi-identifies-lazarus-group-cyber-actors-as-responsible-for-theft-of-41-million-from-stakecom
  2. coindesk.com: https://www.coindesk.com/policy/2023/09/07/north-koreas-lazarus-hackers-stoke-41-million-from-crypto-gambling-site-fbi-says
  3. trmlabs.com: https://www.trmlabs.com/resources/blog/fbi-confirms-that-north-korea-was-behind-41-million-stake-com-exploit
