BitKeep, a decentralized multi-chain cryptocurrency wallet, confirmed a cyber attack on Wednesday that allowed threat actors to distribute fraudulent versions of its Android app to steal users’ digital currencies.
“With maliciously implanted code, the altered APK led to the disclosure of users’ private keys and allowed the hacker to transfer funds,” BitKeep CEO Kevin Como said, referring to the incident as a “massive hacking incident.”
According to PeckShield, a blockchain security company, and OKLink, a multi-chain blockchain explorer, approximately $9.9 million of assets have been stolen.
BitKeep added in a series of tweets that the stolen funds were on BNB Chain, Ethereum, TRON, and Polygon. More than 200 addresses on the other three chains were utilized in the theft, and all funds were transferred to two primary addresses.
On December 26, 2022, the threat actor was said to have exploited and hijacked version 7.2.9 of the Android app package (.APK) file hosted on its website to distribute the trojanized variant.
The digital intrusion does not affect BitKeep applications downloaded from Google Play, the Apple App Store, or the Google Chrome Web Store.
Five distinct versions of the Android application with the following package names have been identified, indicating that the apps may have been distributed via phishing websites. The valid package name is ‘com.bitkeep.wallet’
The Singapore-based company, which was founded in 2018, stated that it has traced the wallet address used in the theft and has frozen some of the stolen digital assets.
Users who have downloaded the APK file for version 7.2.9 are advised to install the most recent version (7.3.0), which was released today, and transfer their funds to a newly generated wallet address.
Not for the first time, BitKeep has been compromised. On October 18, 2022, the company disclosed another security incident involving its BitKeep Swap service that resulted in approximately $1 million in losses.