Cyber Incident Victim: DEOSGames
Date: Sep 2018
Location: United States of America
Summary
A hacker exploited a smart contract vulnerability in an EOS-based decentralized betting platform, DEOSGames, to fraudulently trigger the jackpot 24 consecutive times within an hour. Using a newly created account, the attacker deposited 339 EOS ($1,695) and withdrew 4,728 EOS ($23,640), draining significant operating funds. The platform acknowledged the malicious contract exploit, characterizing it as a beneficial stress test that prompted contract-level improvements. While most stolen funds remained with the attacker, who subsequently engaged with other EOS betting dApps, the incident highlighted recurring security flaws in EOS gambling applications, following a similar exploit against another platform weeks prior. The breach underscored broader concerns about vulnerabilities within EOS smart contracts.
Description
On September 9, 2018, the EOS blockchain-based decentralized betting application DEOSGames suffered a financial exploit involving repeated unauthorized jackpot withdrawals. An EOS account identified as "runningsnail," created less than 24 hours prior, executed a series of transactions over approximately one hour that resulted in 24 consecutive jackpot wins from DEOSGames' dice betting game. The attacker initially deposited 339 EOS (approximately $1,695 at the time) but withdrew 4,728 EOS ($23,640) through these transactions, netting nearly $24,000. Blockchain records confirmed each jackpot payout amounted to 197 EOS (around $985), transferred repeatedly to the same account. Following the exploit, the attacker retained most of the funds and began interacting with other EOS betting dApps, suggesting reconnaissance for additional targets. The incident drained a significant portion of DEOSGames' operational liquidity, though the exact percentage of total funds lost was not disclosed.

DEOSGames publicly acknowledged the attack on September 10 via social media, attributing it to a "malicious contract" exploiting vulnerabilities in their smart contract code. The platform framed the incident as a stress test that prompted immediate technical improvements at the contract level, though no specific remediation details were provided. The company did not clarify whether the vulnerability was unique to their implementation or endemic to EOS-based betting dApps broadly. This exploit occurred amid a pattern of similar EOS dApp compromises, including a nearly identical attack on EOSBet.io weeks earlier that forced its temporary shutdown and exposed additional critical flaws in the EOS protocol. Security researchers had by that year collected over $417,000 in EOS-related bug bounties, underscoring systemic vulnerabilities. The DEOSGames incident exemplified the growing prevalence of financially motivated attacks targeting smaller-scale dApps, contrasting with high-profile cryptocurrency heists but reflecting operational risks in rapidly deployed blockchain gambling platforms.
