Users who downloaded third-party APKs of the multi-chain crypto wallet were targeted in an ongoing exploit by hackers who injected malicious code into the apps to drain balances. So far, an estimated $8 million worth of BNB, ETH, USDT, TRON, DAI and MATIC has been stolen.
This holiday season, crypto hackers are hard at work. On December 26, multi-chain crypto wallet BitKeep announced that it was exploited in an attack that drained $8 million worth of cryptocurrencies from customer wallets.
The hack came to light after several users reported that funds were being moved from their wallets without their knowledge. After investigating, the BitKeep team confirmed that users whose accounts were compromised must have downloaded an APK (Android Package) that was hijacked and deployed with malicious code by hackers.
“If your funds are stolen, the application you download or update may be an unknown version (unofficial release version) hijacked,” wrote the BitKeep team in their official Telegram group.
APK, or Android Package, is the file format used to develop and install apps on Android devices. These applications are often available outside the Google Play Store from third-party sources and can be installed directly on Android phones. However, downloading apps this way poses higher security risks.
The company has urged users who downloaded the hacked version to transfer their funds to the official BitKeep wallet that is available on the Google Play Store and the Apple App Store. BitKeep asked community members to create new wallet addresses, as their previous wallets may have already been compromised by the hacker. The team has also issued a Google Form for customers affected by the attack to fill out relevant information.
Blockchain security and analytics firm PeckShield conducted an investigation into the attack and estimated that $8 million worth of assets have been stolen so far, including 4,373 BNB ($1.06 million), 5.4 million USDT, 196,000 DAI and 1,231.21 ETH ($1.5 million).
In a separate report, security firm Hacken stated that approximately $6 million worth of tokens were stolen in the attack. The company said the attack is still ongoing as the hacker is “directly transferring users’ assets to multiple addresses”. Hacken has identified the primary addresses with stolen funds as a Binance Smart Chain wallet and an Ethereum wallet. The latter saw two significantly large outgoing transactions of 709 ETH (about $865,000) and 504 ETH (worth $615,000), respectively.
According to estimates by OKLink, a whopping $31 million worth of crypto assets across Binance Smart Chain (BNB), Polygon (MATIC), Ethereum (ETH), and Tron (TRON) have been stolen. With the attack ongoing, the smart contract auditor says these figures are linked to the hacker continuing to exploit users who installed the malicious APK.
However, this is not the first time BitKeep has been targeted this year. On October 17, hackers exploited the platform’s token swapping protocol to steal $1 million worth of BNB tokens. At the time, BitKeep suspended the service and promised to reimburse all customers who were affected. Contrary to the Singapore-based company’s allegation that users downloaded malicious versions of the app, some customers are reporting instances of funds being stolen from official wallets. Meanwhile, BitKeep has doubled down on its preliminary investigation.
On Saturday, Defrost Finance, an Avalanche-based decentralised leverage trading platform, was drained in a flash loan attack. The culprit exploited a smart contract vulnerability on the protocol to deploy a fake collateral token and manipulated its price to steal over $12 million worth of customer funds from its LSWUSDC liquidity pool.
According to blockchain analytics firm Chainalysis, 2022 has been the most lucrative year for crypto hackers, already surpassing the $7.7 billion total earned by attackers in the whole of last year.