Hackers Mint 179 Billion Crypto Tokens From Playdapp Gaming Platform
Hackers are believed to have used a stolen private key to mint and steal over 1.79 billion PLA tokens, a cryptocurrency used within the PlayDapp ecosystem.
PlayDapp is a blockchain-based platform that uses and trades non-fungible tokens (NFTs) within games, allowing users to buy, sell, and trade digital assets across various games without intermediaries.
On February 9, 2024, an unauthorized wallet minted 200 million PLA tokens, valued at the time at $36.5 million. Blockchain security company PeckShield pointed to the possibility of the attacker using a leaked private key.
PlayDapp immediately informed its community that the PLA token contract had been hacked, warning that they were taking immediate action.
To safeguard PLA assets until the situation was remediated, the platform transferred all (locked and unlocked) PlayDapp-held tokens to a new, secure wallet.
PlayDapp sent on-chain messages to the hacker the following day, offering a $1 million “white hat” reward if they agreed to return the stolen contracts and assets by February 13, 2024.
The company also threatened to notify the FBI and law enforcement authorities and chase the hacker using all available means if they refused to return the assets.
The offer did not convince the hackers, as on February 12, 01:01:47 PM +UTC, they minted a massive 1.59 billion PLA tokens, worth $253.9 million based on the value of the tokens, taking the total tally up to $290.4 million.
However, cryptocurrency experts at Elliptic noted that the amount minted surpasses the total number of PLA tokens in circulation before the breach, so these tokens would have to be sold far below their market value, if they could be sold at all.
Unfortunately, this drop in value will impact legitimate PLA token holders, with the price of PLA already dropping from $0.18 to $0.14 per token.
This massive loss prompted PlayDapp to request the suspension of all PLA trading on decentralized exchanges and the withdrawal of all PLA tokens from liquidity pools.
Today, the platform announced that it is suspending deposits and withdrawals and freezing the hacker’s wallets on major exchanges to try and mitigate the breach.
PLA token holders are requested to refrain from performing transactions until PlayDapp migrates to a safe system using the current snapshot.
Users are also advised to remain vigilant against phishing and scams, which typically accompany major security breach events like this one.
Elliptic says that despite the coordinated action of PlayDapp and major exchanges to hinder the dispersion of stolen PLA tokens, the money is already moving to various accounts and being laundered.
Currently, the attack is not attributed to any known threat actors.
The magnitude of the attack bears the hallmark traits of the North Korean hacking collective known as the “Lazarus Group,” which has been previously responsible for executing massive breaches against crypto-gaming platforms and cashing out record amounts.
Update 2/14/23: Story title and content updated to clarify that the the stolen coins could not be sold for $290+ million.