Hackers have allegedly abused a stolen private key to generate and steal approximately $290 million worth of PLA tokens. These tokens are used within the PlayDapp gaming platform’s ecosystem.
PlayDapp operates as a blockchain-based platform that facilitates the use and exchange of non-fungible tokens (NFTs) within games. This enables users to engage in buying, selling, and trading digital assets across multiple games without the involvement of intermediaries.
On February 9, 2024, an unauthorized wallet created 200 million PLA tokens, which had an estimated value of $36.5 million. PeckShield, a blockchain security company, suggested that the attacker may have utilized a leaked private key to carry out the attack.
PlayDapp Gaming Platform Notified Its Community of the Breach
PlayDapp swiftly notified its community about the security breach, acknowledging that the PLA token contract had been compromised. They reassured their users that immediate action was being taken to address the situation.
As a precautionary measure, PlayDapp transferred all of their held PLA tokens, both locked and unlocked, to a new and secure wallet. This step was taken to safeguard the PLA assets until the security issue was resolved.
In an attempt to recover the stolen contracts and assets, PlayDapp reached out to the hacker via on-chain messages the day after the incident. They offered a “white hat” reward of $1 million if the hacker agreed to return the stolen items by February 13, 2024.
To further pressure the hacker, PlayDapp warned that they would involve the FBI and other law enforcement agencies and pursue all available means to track down the perpetrator if they refused to comply and return the assets.
Hackers Minted Even More PlayDapp Gaming Platform Tokens After White Hat Offer
Unfortunately, the offer did not persuade the hackers. On February 12, at 01:01:47 PM +UTC, they proceeded to mint an additional 1.59 billion PLA tokens of PlayDapp gaming platform. This massive quantity of tokens was valued at $253.9 million at the time, bringing the total value of stolen assets to $290.4 million.
In response to the significant loss, PlayDapp has taken several measures to address the situation. Firstly, they have requested the suspension of all PLA trading on decentralized exchanges. Additionally, they have urged users to withdraw all PLA tokens from liquidity pools.
Furthermore, PlayDapp has announced the suspension of deposits and withdrawals and has taken steps to freeze the hacker’s wallets on major exchanges. These actions aim to mitigate the impact of the breach.
To ensure the safety of PLA token holders, PlayDapp has advised refraining from conducting any transactions until they complete the migration to a secure system using the current snapshot. This precautionary measure is implemented to maintain the integrity and security of the platform.
In light of this security breach, users are strongly advised to remain cautious and vigilant against phishing attempts and scams. Such incidents often attract fraudulent activities, and it is important to stay alert to protect oneself from potential risks.
Cryptocurrency experts at Elliptic have observed that despite the coordinated efforts of PlayDapp and major exchanges to impede the dispersion of the stolen PLA tokens, the funds have already started moving to different accounts and undergoing money laundering processes.
Furthermore, Elliptic has noted that the amount of tokens minted by the hackers exceeds the total number of PLA tokens in circulation prior to the breach. As a result, these tokens cannot be sold at their normal market value, which poses additional challenges for handling the situation effectively.
Regrettably, legitimate PLA token holders will bear the consequences of this incident, as the value of PLA has already experienced a decline from $0.18 to $0.14 per token.
At present, the attack has not been attributed to any specific threat actors.
However, the scale and characteristics of the attack bear similarities to the modus operandi of the Lazarus Group, a North Korean hacking collective. The Lazarus Group has previously conducted large-scale breaches against crypto-gaming platforms and has successfully cashed out substantial amounts from their illicit activities.
