MistTrack Investigative Series: Unveiling the Web3 ‘Stake’ Hack Across Multiple Chains

SlowMist
3 min read · Sep 9, 2023


Introduction

Welcome to another episode of our MistTrack investigative series, where we explore the complexities and intricacies of stolen funds in the web3 ecosystem. The web3 community was shaken recently when the gambling platform Stake was hacked, resulting in the loss of approximately $40 million in assets. The funds were siphoned off not just from Ethereum, but also from Polygon and Binance Smart Chain networks. The stolen assets were then redistributed to numerous addresses on each network. In this article, we’ll walk you through how we used our MistTrack dashboard to trace the stolen funds across multiple blockchain networks.

Pattern Recognition on Ethereum

Interestingly, the pattern across these Ethereum addresses was consistent: the addresses received funds primarily in DAI tokens. It appears the hackers needed Ethereum (ETH) for gas fees: they sent 1 ETH to the addresses before converting the DAI to ETH using Uniswap.
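The pattern described above (DAI received, a 1 ETH gas top-up, then a DAI swap through a DEX) can be expressed as a triage check over exported transfer records. This is an added example, not SlowMist's or MistTrack's code; the record fields, address labels, the tolerance around 1 ETH and the `dex_router` placeholder are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample transfers, not real chain data. Labels stand in for addresses;
# "dex_router" is a placeholder for whichever Uniswap router contract is observed.
TRANSFERS = [
    {"ts": 100, "src": "source_wallet", "dst": "addr_A", "asset": "DAI", "amount": 900_000},
    {"ts": 130, "src": "funder", "dst": "addr_A", "asset": "ETH", "amount": 1.0},
    {"ts": 160, "src": "addr_A", "dst": "dex_router", "asset": "DAI", "amount": 900_000},
    {"ts": 165, "src": "dex_router", "dst": "addr_A", "asset": "ETH", "amount": 550.0},
    # addr_B holds DAI and has been funded for gas, but has not swapped yet.
    {"ts": 101, "src": "source_wallet", "dst": "addr_B", "asset": "DAI", "amount": 500_000},
    {"ts": 131, "src": "funder", "dst": "addr_B", "asset": "ETH", "amount": 1.0},
    # addr_C is an ordinary user: swaps DAI, but never received a ~1 ETH top-up.
    {"ts": 90, "src": "exchange", "dst": "addr_C", "asset": "ETH", "amount": 0.2},
    {"ts": 140, "src": "someone", "dst": "addr_C", "asset": "DAI", "amount": 2_000},
    {"ts": 150, "src": "addr_C", "dst": "dex_router", "asset": "DAI", "amount": 2_000},
]

def observe_steps(transfers, dex_routers, gas_eth=1.0, tol=0.05):
    """Return {address: steps seen} for every address that received DAI.

    Steps are 'dai_in', 'gas_topup' (an inbound transfer of about gas_eth ETH
    that is not swap output) and 'swap' (DAI sent to a DEX router after both
    earlier steps). The DAI receipt and the top-up may arrive in either order.
    """
    seen = defaultdict(set)
    for t in sorted(transfers, key=lambda t: t["ts"]):
        src, dst, asset, amt = t["src"], t["dst"], t["asset"], t["amount"]
        if asset == "DAI" and dst in dex_routers:
            if {"dai_in", "gas_topup"} <= seen[src]:
                seen[src].add("swap")
        elif asset == "DAI":
            seen[dst].add("dai_in")
        elif asset == "ETH" and src not in dex_routers and abs(amt - gas_eth) <= tol:
            seen[dst].add("gas_topup")
    return {addr: steps for addr, steps in seen.items() if "dai_in" in steps}

def triage(steps):
    """Split addresses into (completed the pattern, funded for gas but not yet swapped)."""
    done = sorted(a for a, s in steps.items() if "swap" in s)
    primed = sorted(a for a, s in steps.items() if "gas_topup" in s and "swap" not in s)
    return done, primed

if __name__ == "__main__":
    done, primed = triage(observe_steps(TRANSFERS, {"dex_router"}))
    print("completed pattern:", done)
    print("funded for gas, not yet swapped:", primed)
```

Addresses in the second list are the ones worth watching, since a gas top-up on a wallet holding stolen DAI suggests a swap is about to follow.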

Tracing Funds on Binance Smart Chain and Polygon

The situation was similar on the Binance Smart Chain and the Polygon network. While no assets had been moved on BNB at the time of our investigation, assets on Polygon were already on the move.

Figure: Funds on Polygon
Figure: Funds on BSC

Moving to Other Networks: AVAX Page Insights

Our multi-chain feature revealed the funds were likely bridged to another network. We followed the trail to the Avalanche (AVAX) network, where the assets were converted to Bitcoin (BTC), likely using Paraswap. This modus operandi is strikingly similar to methods employed by Lazarus, a North Korean cybercriminal group notorious for one of the largest hacks in web3 history: the Ronin hack.

Confirmed by the FBI

Even the FBI has identified similarities between the Stake hack and the operations typically run by Lazarus. The latter has been known to frequently convert their funds to the AVAX network before bridging them to the Bitcoin network, taking advantage of the high liquidity currently offered on AVAX.

https://www.fbi.gov/news/press-releases/fbi-identifies-lazarus-group-cyber-actors-as-responsible-for-theft-of-41-million-from-stakecom

The Limitations and Future Steps

One limitation in the current capabilities of MistTrack and the AVAX explorer is that you cannot directly track the movement of these funds once they bridge over to the Bitcoin network. However, we’ve created an AVAX bridge analysis using Dune Analytics to make this possible. We will continue this investigation next week, diving into how to use our AVAX bridge tool to track funds sent to the Bitcoin network.

Conclusion and What to Look For Next Week

This deep dive into the Stake hack demonstrates how complex and multi-layered web3 criminal activities can be. Tracing assets across multiple networks presents its challenges, but platforms like MistTrack are rising to the occasion. Stay tuned for our next episode, where we will go into detail about how to track transactions that bridge to the Bitcoin network from AVAX.

See you next week!


SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.