Stake.com Hot-Wallet Hack — September 2023
The Australian-licensed crypto-betting platform lost ~$41M to a hot-wallet compromise attributed by the FBI to North Korea's Lazarus Group. Customer balances were unaffected.
Stake.com is an online gambling platform headquartered in Australia and licensed in multiple jurisdictions. It accepts deposits in BTC, ETH, USDT and other cryptocurrencies; user balances are tracked off-chain in the platform's internal ledger.
On 4 September 2023, approximately $41M of crypto was transferred from Stake.com's hot wallets on Ethereum, Polygon and BSC to an unauthorised address. The platform publicly disclosed the breach within hours, confirmed it would continue processing user withdrawals, and stated no customer balances would be impacted.
On 6 September 2023 the FBI publicly attributed the attack to North Korea's Lazarus Group, citing on-chain laundering patterns consistent with prior exploits including the Ronin Bridge and Harmony Bridge hacks. The technical vector — likely a compromise of operational signing infrastructure — has not been publicly disclosed in detail.
Timeline
- ~$41M drained from hot wallets across ETH, Polygon, BSC
  Single coordinated drain across three chains within minutes.
- Stake.com discloses breach, promises uninterrupted withdrawals
  Customer balances unaffected; reserves cover the shortfall.
- FBI attributes attack to Lazarus Group
  On-chain laundering patterns match prior Lazarus exploits.
Who was involved
- Lazarus Group: person, attacker
- Stake.com: exchange, victim, $41.0M
Legal record
- Attacker attributed: Lazarus Group
- FBI attribution date: 2023-09-06