The hackers behind the $41 million heist at the crypto casino Stake have reportedly transferred $328,000 in Polygon (MATIC) and Binance coin (BNB) tokens.
According to blockchain security firm CertiK, the latest transaction saw the transfer of 300 BNB tokens, valued at approximately $61,500, to an external address identified as “0x695…”, which were subsequently bridged to the Avalanche blockchain on Sept. 11 at 4:09 pm UTC.
Earlier the same day, an additional 520,000 MATIC tokens, with a market value exceeding $266,000, were relocated to the Avalanche network.
This recent transfer of assets, amounting to $328,000, adds to the previously moved $4.5 million, which was transferred to the Bitcoin blockchain as BTC on Sept. 7, as noted by blockchain security firm Arkham.
Despite these substantial movements, the total amount transferred thus far constitutes only 1.2% of the entire $41 million that was stolen.
Sources indicate that the hacker managed to access the private keys of Stake’s hot wallets on both the Binance Smart Chain and Ethereum networks, facilitating the Sept. 4 breach.
In light of the recent events, Edward Craven, the co-founder of crypto casino Stake, has clarified that the security breach did not compromise user information or private customer details.
Furthermore, he confirmed that the hackers did not gain access to user funds or account balances on the platform, ensuring the safety of their clientele’s assets and personal data.
Suspected involvement of the Lazarus Group in Stake heist
The US Federal Bureau of Investigation suspects the involvement of the Lazarus Group, also known as APT38, in this exploit. This group, believed to be financed by the North Korean government, has allegedly been responsible for pilfering over $1 billion in virtual currencies since 2022.
Authorities have linked the Lazarus Group to several other major cryptocurrency thefts, including a $100 million breach at Atomic Wallet, a similar amount at Harmony’s Horizon bridge, and a staggering $600 million from Sky Mavis’ Ronin bridge, marking one of the largest breaches in the cryptocurrency sector to date.
Furthermore, the group is accused of stealing $97 million from cryptocurrency payment processors Alphapo and CoinsPaid.
In a related development, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) imposed sanctions on the privacy tool Tornado Cash in August 2022, citing suspected connections with the Lazarus Group.
OFAC alleges that the group used Tornado Cash to launder ill-gotten gains running into the hundreds of millions.