Blockchain analytics firm OKLink released a study detailing how phishing sites were utilized in the December 26 BitKeep vulnerability to trick users into downloading fraudulent wallets.
According to the report, the attacker created many bogus BitKeep websites that hosted an APK file masquerading as BitKeep wallet version 7.2.9. Users’ private keys or seed words were taken and transferred to the attacker when they “updated” their wallets by downloading the infected file.
【12-26 #BitKeep Hack Event Summary】
According to OKLink data, the BitKeep theft involved 4 chains: BSC, ETH, TRX, Polygon. OKLink included 50 hacker addresses, and total Txns volume reached $31M.
— OKLink (@OKLink) December 26, 2022
The report did not explain how the malicious file gained access to users’ keys in unencrypted form. The “upgrade” may simply have required users to re-enter their seed words, which the program then recorded and sent to the attacker.
Once the attacker had users’ private keys, they unstaked all assets and transferred them to five wallets under their control. Some of the funds were then sent to centralized exchanges in an attempt to cash out: 2 ether and 100 USDC were sent to Binance, while 21 ether was sent to ChangeNOW.
A total of five networks were compromised during the attack: BNB Chain, Tron, Ethereum, Polygon, and BNB Chain bridges. Some tokens were bridged to Ethereum using Biswap, Nomiswap, and Apeswap. Over $13 million in cryptocurrency was stolen in all.
How the attacker got people to visit the bogus websites is still unknown. Although an APK file of BitKeep is available on the official BitKeep website, users are instead directed to the app’s official Google Play Store page. Peck Shield was the first to report the attack on BitKeep, which occurred around 7:30 a.m. UTC.
It was initially thought that a “hack in the APK version” was to blame. OKLink has released an update to its report that indicates the compromised APK was not obtained from the developer’s official website.