Stake.com account drained $178K, need help, looks targeted

[coldcoffeebean]

Hi all,

Long-time Stake VIP, first time posting like this. I don't know what to do anymore and I'm hoping someone here has seen this before.

What happened, in order:

May 5: Two random tips landed on my account from accounts I didn't know. $0.14 LTC and $1 USDT. Looked weird but I ignored it. Same day, a $2,500 USDT affiliate leaderboard payout from sangtarr.com hit my vault (this was legitimate, I'd actually placed). Within hours someone withdrew that $2,500 to a Tron wallet that wasn't mine.

May 5 to May 9: Four days of nothing. I kept playing normally. Hit a couple of NBA sportsbook bets for around $38K in winnings during this window.

May 9, 22:40 UTC: The account was drained. Two consecutive Ethereum withdrawals to the same attacker wallet, 24 seconds apart. First $7,028 USDC. Then $178,450 USDT. Both went to the same address. Drain-to-the-last-decimal amount on the USDT. No fresh 2FA prompt between the two withdrawals.

Looking back at it now, the small tips and the early Tron withdrawal feel like signaling and testing. Someone was watching the account, took a small test withdrawal first, waited four days for my balance to grow with the sportsbook wins, then triggered the main drain.

The destination wallet on Ethereum is currently active and laundering funds in a peel-chain pattern, receiving from multiple sources. I think there's more than one of us.

Stake Recovery sent a template denial citing ToS Section 4.16 and told me to update 2FA before they restore access. No engagement with the on-chain evidence, no engagement with the IP session log showing foreign sessions through M247 Quebec Infrastructure, Cloudflare WARP, and Apple Private Relay. My legitimate access is a single NordVPN Vancouver exit, so every other session in the log is foreign.

Where I am now:

I'm down around $400K lifetime on this account, money I gave Stake fair and square playing over years. Now another $178K is stolen on top of that, and the response from their VIP team is to point me at Section 4.16 of the terms and tell me it's my responsibility.

I believe there have been cases where Stake has worked with users in situations like this. I just can't get my case in front of anyone who can actually make that call. Recovery is a template wall (4.16, update your 2FA, end of conversation). My VIP host hasn't been able to escalate me. I can't reach a senior compliance agent or anyone at a higher VIP level who can look at the evidence and decide on its merits.

If anyone here has pushed past this kind of denial on Stake before, or knows the right contact to actually get a case reviewed properly, please reach out. If you've been drained in a similar way, especially to the same destination wallet on Ethereum, please reply, I think there's more than one of us.

I have the full evidence (transaction hashes, destination wallets, session logs, email correspondence) and I'll share with anyone investigating or affected.

Thank you.

[AHOYBRAUSE]

One thing I totally don’t understand. So the leaderboard payout hit your account and then was withdrawn by somebody that is not you. Yet you didn’t contact support or took any action?? Sounds a bit weird. Also how all of the would be possible without without 2FA is also hard to comprehend.
Guess stake won’t do anything Barbour it since they always say players have to keep their credentials safe. Hope you can get this solved but it doesn’t look good for sure.

[ene1980]

It is really unfortunate, looks like a malware attack on your device to hijack your session and hence Stake did not get any system triggers to block the withdrawal. Check your system thoroughly for malware and change all your passwords.

If you could post the destination wallet, that will be helpful for everyone to check.

One thing I totally don’t understand. So the leaderboard payout hit your account and then was withdrawn by somebody that is not you. Yet you didn’t contact support or took any action?? Sounds a bit weird. Also how all of the would be possible without without 2FA is also hard to comprehend.

It is possible if his sessions were hijacked using a malware.

[coldcoffeebean]

Fair question, let me explain.

The $2,500: this is a high-balance VIP account, $2,500 doesn't catch the eye in real-time. The withdrawal happened at 00:46 UTC on a Sunday while I was asleep, so when I noticed movement on that figure later it looked like the credit had moved, not been stolen. I only connected it to the main drain afterwards.

The 2FA: the two big Ethereum withdrawals on May 9 happened 24 seconds apart with no fresh 2FA between them. That fits session-token hijacking (post-auth cookie theft via infostealer or AitM), which bypasses 2FA entirely because the attacker is already authenticated from the server's view. No password guess, no code intercept needed.

The transactions on chain:
Ethereum, USDC, 7,028.5239: https://etherscan.io/tx/0x05ea14baae1aab8e90187eb3f8131ec2e651dcc275d22ab22bc6d48458613030
Ethereum, USDT, 178,450.272326: https://etherscan.io/tx/0xa7cb9929660f20ffb2321081760822af5b59d44bac6feede6d89f71bb2399641

Both withdrawn from Stake hot wallet 0x974CaA59e49682CdA0AD2bbe82983419A2ECC400 (the same wallet identified as the victim contract in the September 2023 Stake hack attributed to Lazarus Group).

Destination wallet on Ethereum: 0xe0e841e7E07aa8A6b51CADeC7AFB4F298122C0ec
https://etherscan.io/address/0xe0e841e7E07aa8A6b51CADeC7AFB4F298122C0ec

Destination on Tron (for the $2,500 leg): TCY8KDVWBV2vPTK4t8fqYvyJpRjUyAGoPU

The Ethereum destination is currently active. Peel-chain laundering pattern with repeat drain-to-the-decimal amounts (60,025.150538 USDT sent out twice, 7,028.5239 USDC sent out twice). Receiving inflows from multiple sources, not just my account.

If anyone has been drained into this wallet, has tagging on it, or recognizes the pattern, please reply or DM.
Thanks.

[Shishir99]

If I understand correctly, you were hacked by someone from the outside, not by stake employee. It does not fall under the scam accusation against Stake. Since you said that the account was hacked, I assume your other casino/exchange and social media account credentials are not safe as well. You should change the password and terminate all the active sessions from everywhere. I have been hacked before. The chance of getting your funds back is nearly zero.

Just keep tracking the funds and see if they end up in any centralized exchanges. If you can track that, you might have a small chance to report it and get the funds frozen. But you need to start a legal procedure for that. Good luck.

[coldcoffeebean]

If I understand correctly, you were hacked by someone from the outside, not by stake employee. It does not fall under the scam accusation against Stake. Since you said that the account was hacked, I assume your other casino/exchange and social media account credentials are not safe as well. You should change the password and terminate all the active sessions from everywhere. I have been hacked before. The chance of getting your funds back is nearly zero.

Just keep tracking the funds and see if they end up in any centralized exchanges. If you can track that, you might have a small chance to report it and get the funds frozen. But you need to start a legal procedure for that. Good luck.

Thanks for the input. To clarify, I'm not posting under Scam Accusations, this is in Gambling discussion as a community help request and pattern warning, exactly because it's not a scam-against-Stake situation.

The reason I think it's worth public attention: the destination wallet is receiving inflows from multiple sources in a peel-chain laundering pattern, with drain-to-the-last-decimal repeat amounts characteristic of automated tooling. Combined with the same Stake hot wallet that was the victim contract in the September 2023 Lazarus Group hack, the pattern suggests multiple accounts are being targeted, not just mine.

I'm not assuming Stake employees were involved. The two scenarios I'm working with are: (1) coordinated external campaign hitting multiple Stake VIPs through session-token theft or similar, or (2) a deeper authorization-layer issue similar to what was exploited in 2023.

Either way, the right move for any other affected user is to check whether withdrawals from their account went to 0xe0e841e7E07aa8A6b51CADeC7AFB4F298122C0ec. If yes, we're in the same campaign and there's strength in collective evidence.

Already filed police report and freeze requests with Tether and Circle independently.

[ryzaadit]

If anyone has been drained into this wallet, has tagging on it, or recognizes the pattern, please reply or DM.
Thanks.

For what purpose ?

I think, something like these usually your fund is gone. 100% not gonna to back again to the victim, I agree with @AHOYBRAUSE while on the first case should be a warning shots for you and seems @ene1980 giving a goods post too regarding malware.

Either way, the right move for any other affected user is to check whether withdrawals from their account went to 0xe0e841e7E07aa8A6b51CADeC7AFB4F298122C0ec. If yes, we're in the same campaign and there's strength in collective evidence.

Already filed police report and freeze requests with Tether and Circle independently.

Even is somehow you collect a lots evidence, how long actually the fund is being freeze ? the one who did it is not stupid either. Are gonna to make the fund sitting there with such long time on the currency are can freeze. They usually mixer the fund to currency like XMR in the end.

[coldcoffeebean]

To compare evidence and confirm whether multiple Stake accounts are being drained into the same wallet. If yes, it's a coordinated campaign and the collective on-chain pattern (multiple victims, same destination, repeat drain-to-the-decimal amounts, peel-chain laundering) becomes much harder for Stake to dismiss as isolated user-side compromises.

[ryzaadit]

To compare evidence and confirm whether multiple Stake accounts are being drained into the same wallet. If yes, it's a coordinated campaign and the collective on-chain pattern (multiple victims, same destination, repeat drain-to-the-decimal amounts, peel-chain laundering) becomes much harder for Stake to dismiss as isolated user-side compromises.

Stake.com had an accident of leaking data years ago: https://bitcointalk.org/index.php?topic=5568910.0

Basically, because of these tragedies, "Stake.com" user will always getting a target. The success of the target is always depends on the user, just to make sure double-confirm for everything information you are clicked from every emails or other option are being sent to you.

To avoided getting accesses to your account.

[coldcoffeebean]

To compare evidence and confirm whether multiple Stake accounts are being drained into the same wallet. If yes, it's a coordinated campaign and the collective on-chain pattern (multiple victims, same destination, repeat drain-to-the-decimal amounts, peel-chain laundering) becomes much harder for Stake to dismiss as isolated user-side compromises.

Stake.com had an accident of leaking data years ago: https://bitcointalk.org/index.php?topic=5568910.0

Basically, because of these tragedies, "Stake.com" user will always getting a target. The success of the target is always depends on the user, just to make sure double-confirm for everything information you are clicked from every emails or other option are being sent to you.

To avoided getting accesses to your account.

Thanks for the pointer. You're right, the Mixpanel breach in November 2025 exposed Stake users' email addresses, dates of birth, and phone numbers, and Stake itself warned users about impersonation and phishing risks at the time. The attack on my account in May 2026 fits the typical 5-to-6 month attack development window after a data leak like that. So the "your credentials, your fault" defense Stake is using doesn't sit well with the fact that their own vendor leaked the data needed to target users. I'll be incorporating this into the next round of filings. Appreciate the heads-up.

[ryzaadit]

Thanks for the pointer. You're right, the Mixpanel breach in November 2025 exposed Stake users' email addresses, dates of birth, and phone numbers, and Stake itself warned users about impersonation and phishing risks at the time. The attack on my account in May 2026 fits the typical 5-to-6 month attack development window after a data leak like that. So the "your credentials, your fault" defense Stake is using doesn't sit well with the fact that their own vendor leaked the data needed to target users. I'll be incorporating this into the next round of filings. Appreciate the heads-up.

Sure no worry.

I think somehow you also needed some fully-scanned of your device too. If you have 2FA on, but they can bypas it somehow your device could be got some malware and you don't realized it. Just to make sure, you also don't get any these kind of tragedy especially on your wallet as well.

Carefull.

[rohang]

Every single withdraw and tip on stake requires a new 2fa code so not sure what you mean by session token hijacking. It should simply not be possible,

High high chances your email or 2fa device is compromised. If people could withdraw without 2fa then stake would be in deep deep shit

[coldcoffeebean]

Every single withdraw and tip on stake requires a new 2fa code so not sure what you mean by session token hijacking. It should simply not be possible,

High high chances your email or 2fa device is compromised. If people could withdraw without 2fa then stake would be in deep deep shit

Stake doesn't re-prompt 2FA on every withdrawal. The two Ethereum withdrawals in my case happened 24 seconds apart. Nobody types and validates two independent TOTP codes in 24 seconds. Either there's a session-window where 2FA is cached after first use (standard across most platforms), or the second withdrawal didn't trigger a fresh prompt at all. Both are platform-side behaviors, not user-side.

Also: 2FA bypass via session-token theft (AitM kits like Evilginx, Modlishka) is the dominant attack vector against MFA in 2025-2026. The attacker doesn't bypass 2FA, they ride the session that 2FA already authenticated. From the server's view it looks like a legitimate user.
And Stake's vendor Mixpanel leaked usernames, emails, DOBs and phone numbers of Stake users in November 2025.

Five months later, accounts get drained via sophisticated targeted attacks. That's exactly the data inventory needed to run AitM or social-engineer 2FA recovery.
The questions I've asked Stake to answer (was 2FA re-prompted between withdrawal 1 and 2, which factor was presented for each) would settle this. They've refused. That refusal is informative.

[Shishir99]

Thanks for the input. To clarify, I'm not posting under Scam Accusations, this is in Gambling discussion as a community help request and pattern warning, exactly because it's not a scam-against-Stake situation.

Thanks for confirming your intention and point of view.
As I can see, this thread is still in the Scam accusation board, which is used to create scam accusation against the scammers. It could be against the casino, exchange or something else. If you want to move this thread to Gambling discussion board, scroll down to bottom and check button Move thread on bottom left side. Move this thread to Gambling discussion, which will be more appropriate in my opinion.

As for your other comments, thank you for detailed information. I hope you will be able to do something even though getting the funds back won't easy and the chance is very very slim.

[FinneysTrueVision]

This is the attacker’s transaction history. They received gas funding from FixedFloat and then they swapped the stolen funds through FixedFloat.



Based on timing analysis, I believe these funds were swapped for SOL.
You can see that address FmXKx9rGUzzq394WfLKxvHgY9yN6KL5wFbn8iYzQCA7m received 5 incoming transfers from FixedFloat that closely match the amounts sent from the attacker wallet.



Afterwards, the SOL was sent to a new address where they were then mixed through the Privacy Cash protocol in smaller batches.