The Ethereum-based blockchain gaming and digital asset marketplace PlayDapp has been hacked twice in the past five days, resulting in losses of the native PLA tokens amounting to $290 million. The attacks appear to have been perpetrated by the same person and are believed to be the result of a private key leak.
At the end of last week, PlayDapp informed its users of a “critical security incident involving the PLA token contract. ” An unauthorized wallet had hacked the protocol contract and minted 200 million PLA tokens, worth $36.5 million at the time. The blockchain gaming platform promised its users that it would do its “best to minimize the impact on PLA holders.”
PlayDapp has kept its community informed of all steps taken towards solving the issue, including seeking support from law enforcement agencies, working with partner cryptocurrency exchanges to “suspend trading and address the unauthorized tokens,” and safeguarding PLA assets by transferring “ALL PlayDapp-held PLA to a new, secure wallet.”
PlayDapp also contacted the exploiter via an on-chain message asking for the return of all stolen funds by Feb. 13 in exchange for a $1 million “white hat reward.” If this did not happen, the Ethereum platform threatened to “release the same amount as a bounty and work with law enforcement agencies in multiple jurisdictions to conduct a criminal investigation.”
Yet, as the day of reckoning came, the hacker went rogue and struck again—this time by minting 1.59 billion tokens valued at $253.9 million.
After its mitigation strategy failed, the company urged its users to halt all token transactions so that it could take a snapshot of the platform to then define and enact a migration plan. In a communication shared on Binance Square, the digital asset marketplace said it was “in discussions with exchanges for migration solutions (such as an airdrop) to resolve this issue.”
According to crypto security firm Elliptic, the funds have already begun being laundered by being “sent to crypto asset exchanges and other accounts.” However, the person responsible for the attack might have a hard time trying to sell the second batch of newly minted tokens.
Prior to the attack, there were 577 million tokens in circulation, while the exploit created 1.8 billion new PLA tokens - creating an excess supply that will drive the price to the gutter. Since the attack, the price of PLA tokens has already fallen from $0.18 to $0.15, making the exploiter's chances for profit even slimmer.