fy_nance

Operator · 6 min · 2026-06-14

Stake's $41M Lazarus hack and what it means for skin holders

A North Korean state group walked off with about $41M from a gambling site. Here is why custody, not luck, is the real risk for anyone holding skins on someone else's servers.

On or around 4 September 2023, roughly $41 million walked out the door at Stake.com. Not lost at the tables, not clawed back by a regulator, just gone. The FBI later attributed the theft to North Korea's Lazarus Group (the same state-backed crew tracked as APT38), and the mechanism was about as basic as a breach gets: the attackers got hold of a private key for one of Stake's hot wallets and drained it.

I want to walk through what actually happened here, because the headline ("crypto casino hacked") buries the lesson that matters for anyone sitting on a CS2 inventory. The risk that took down Stake is not bad luck. It is custody.

What actually happened

Stake is a Curacao- and Cyprus-licensed crypto gambling operation, heavily marketed by influencers like Drake and Adin Ross. To run a crypto casino, you hold customer crypto, and to pay out fast you keep a chunk of it in "hot" wallets, meaning wallets connected to the internet whose signing keys are available to live systems. That is the trade-off every custodial crypto operator makes: convenience for users on one side, a giant signing key sitting near production on the other.

Lazarus found that key. Once they had it, there was no clever exploit chain to admire and no smart-contract bug to debate. They signed transactions and moved the funds out across Ethereum, BSC, and Polygon. The FBI named the group publicly, which is its own kind of statement: this was not a teenager, it was a nation-state intelligence operation funding itself by robbing a gambling site.

The primary sources are worth reading if you want the receipts. The FBI's own press release names Lazarus and the $41M figure (fbi.gov), and CoinDesk's writeup adds the timeline and on-chain detail (coindesk.com).

The part nobody at the casino says out loud

Here is the structural point. When a site holds your asset, the site's security posture becomes your security posture, whether you consented to it or not.

You did not pick Stake's wallet architecture. You did not review their key management. You did not decide how much sat in a hot wallet versus cold storage. But if you had a balance there, you were exposed to every one of those decisions. The user does not get a vote on the honeypot, and the user eats the breach.

And it is always a honeypot. The moment a single operator pools thousands of users' funds into wallets it controls, it has built the most attractive target in the room. A nation-state does not burn a key-theft operation on one person's holdings. It burns it on the place where everyone's holdings are stacked together. Concentration is the whole appeal. That is true for crypto balances at Stake, and it is exactly as true for skins parked on a gambling or trading site that takes custody of your items.

I have written before about how this pattern keeps repeating across this industry, and Stake is just the cleanest example of the custody failure mode specifically:

If you hold customer money, segregation is sacred. Real custody means bankruptcy-remote, separately accounted, and never sitting one stolen key away from zero.

FTX taught that lesson with commingling. Celsius taught it with a withdrawal freeze. Stake taught it with a hot wallet and a North Korean APT. Different villains, same root cause: the user handed over the asset, and the asset was no longer theirs to protect.

Why this is a skins problem, not just a crypto problem

If you play on CS2 gambling sites, open cases on third-party operators, or use trading platforms that hold your items in their bots while a deal settles, you are in the same boat Stake's users were in. Your skins are not in your Steam account. They are on someone else's servers, controlled by someone else's keys and bot accounts, governed by someone else's security decisions.

We have already seen this exact thing happen in the skins world without any North Korean help required. When Valve banned OPSkins' trading bots in 2018, reporting put it at 2,800-plus bot accounts disabled and over $2 million in skins stranded, items that users thought were "theirs" but were actually sitting in an intermediary's custody when the kill switch flipped (calvinayre.com). The 2024 ban wave did the same to other suppliers, with over $2 million in skins lost (pcgamer.com).

Notice the asymmetry. With OPSkins it was a platform takedown. With Stake it was a foreign intelligence service. From your seat as a holder, those look identical: the asset was in custody, custody got compromised, and you had no way to stop it and no recourse after. The threat model does not matter when the failure mode is the same.

So the real question is never "is this site lucky enough to avoid getting hacked?" It is "why does this site have my stuff at all?"

How fy_nance is built differently, on purpose

I am the solo founder of fy_nance, and the single most important architectural decision I made was to never touch your skins. Not to custody them carefully. Not at all.

Your skins stay in your Steam account, where they have always been and where Valve, not me, controls them. fy_nance connects to read your inventory and price it. That is the entire interaction: I look, I value, I help you with the tax and portfolio math. I do not hold, I do not move, I do not pool, and I do not run bots that take possession of your items while something settles.

That is not a feature I am bolting on for marketing. It is the design. And the security consequence is the whole point: there is no fy_nance honeypot to drain. A Lazarus-grade attacker who fully compromised my servers tomorrow would find pricing data and read-only inventory snapshots. They would not find a wallet full of your skins, because that wallet does not exist. You cannot steal custody that was never taken.

This is also why I keep pushing the idea that the future of this space belongs to the compliance-category leader, not the highest-RTP casino. The operators that pool your value are the ones drawing state attorneys general, RICO suits, and now nation-state thieves. A tool that prices what you already own, and leaves the owning to you, sidesteps that entire blast radius. The chance element and the cash-out-of-pooled-funds element are what create legal and security exposure. I stay off both, so almost none of this history applies here.

The takeaway

Stake did not get unlucky. It made the same bet every custodial operator makes (we can guard the pile better than anyone can attack it) and Lazarus collected on the other side of it. Forty-one million dollars is the price of being the place where everyone's value sits together.

For your skins, the lesson is simple and I will keep repeating it until it is boring. Every site that holds your items is a target being built around your stuff. Every site that only reads them is not. So before you deposit a knife into someone's bot or balance, ask who controls the keys, and whether you would still own that skin if their servers had a bad Tuesday.

The safest skin is the one still in your own account.

Editorial commentary. Not financial advice. fy_nance is a US Delaware C-corp. We do not custody assets and do not take a position in CS2 skins.