Hackers fished over $8 million in crypto from people using the unofficial version of BitKeep’s mobile app by triggering transactions that didn’t require verification.
The company has been able to trace the addresses used in the theft and has frozen some of the stolen funds but did not reveal their amount. Currently, the stolen funds are on the BNB, Ethereum, TRON and Polygon blockchains.
Over 200 addresses were used in the hack, with all funds being transferred to two main addresses. All stolen funds were later swapped for 8,989,011 USDT.
BitKeep CEO Kevin Como’s open letter stated that attackers were able to exploit and hijack version 7.2.9 of BitKeep’s Android app, the version available on the company’s website. The hackers added malicious code to the app that leaked users’ private keys and allowed the intruders to move funds.
Official apps from the Google Play Store, Apple App Store and Google Chrome’s App store remain secure and unaffected. That said, users who have downloaded the malicious version from BitKeep’s website are requested to download the app from their respective app stores and generate a new wallet address to secure their funds, as their private keys might’ve been leaked in the attack.
Transaction tracking service PeckShield reports that nearly $8 million worth of crypto assets have been stolen, including 4,373 $BNB, 5.4 million $USDT, 196,000 $DAI, and 1,233.21 $ETH. BitKeep’s official Twitter handle also confirmed this amount.
At the time of writing, the company has already contacted the SlowMist team and other security specialists to track the stolen funds. Additionally, part of the stolen tokens has been frozen and locked to prevent further unauthorised transactions.
Como states that compensating victimised users is the top priority right now. Users are being asked to report their losses to develop a redemption list and map the whole incident on a timeline. A new security strategy that’ll restructure and upgrade the company’s technical solutions is also being put in place.