Crypto Casino Metawin Hacked for $4M+ Due to Withdrawal System Exploit

Crypto casino Metawin recently faced a security breach, resulting in a loss of over $4 million, per blockchain investigator ZachXBT. 

According to Metawin CEO Richard “Skel” Skelhorn, the hack targeted the platform’s withdrawal mechanism, which was designed for swift transactions. This “frictionless withdrawal system” allowed the hacker to access and drain funds from hot wallets tied to Ethereum and Solana. 

As Skelhorn confirmed, this exploit led to the immediate suspension of withdrawals to prevent further losses. The platform has since re-enabled withdrawals for about 95% of users after securing its systems.

ZachXBT, known for tracing crypto exploits, collaborated with Metawin to assess the hack. The hacker accessed more than 115 addresses during the attack, showing a high level of technical skill. 

Hot wallets, which are more vulnerable due to their continuous online connection, proved to be an entry point for the hacker’s operation.

Using blockchain forensics, ZachXBT tracked the stolen funds, revealing that they were routed through Kucoin and a nested service on HitBTC. This tactic is commonly employed to obscure the origin of funds, complicating recovery efforts. 

Transferring assets into mixed or nested accounts further distances them from their original source, making it difficult to trace them.

The identity and motivation of the hacker remain unknown. 

Immediate Platform Response and User Impact

In response to the hack, Skelhorn assured users that his team is working tirelessly to fortify platform security. He acknowledged the incident on Metawin's Discord, confirming that authorities have been contacted and that the platform is making "internal adjustments" to prevent similar incidents. 

Skelhorn also revealed that he personally covered part of the financial impact, sharing, “I just emptied my piggy bank… We keep building.” 

Crypto Security Incidents on the Rise

The Metawin hack adds to a growing list of crypto security breaches this year. According to blockchain security firm CertiK, October alone saw $129.6 million in crypto losses from hacks, exit scams, and flash loan attacks. 

Exploits accounted for the greatest share of stolen assets, with $127 million. This figure represents a slight increase from September but a notable decrease from the $324.7 million lost to hacks in May.

Among recent incidents, the Radiant Capital hack stands out as the largest, with the lending protocol losing over $50 million in assets. Other notable attacks include a $36-million phishing incident targeting a high-value investor and a $13-million hack on M2 crypto exchange.