Cointelegraph
SUI$1.81 1.17%HYPE$24.42 0.76%BNB$913.19 1.28%LINK$13.22 0.31%SOL$136.60 0.04%XLM$0.2278 0.20%ADA$0.3907 0.18%DOGE$0.14 0.11%XMR$495.02 8.08%XRP$2.09 0.38%BTC$90,680 0.05%BCH$654.31 2.35%ETH$3,106 0.31%TRX$0.299 0.38%
Tom Blackstone
Written by Tom Blackstone,Former Staff Writer
Felix Ng
Reviewed by Felix Ng,Staff Editor

BitKeep exploiter used phishing sites to lure in users: Report

The attacker appears to be attempting to cash out funds using Binance and Changenow.

BitKeep exploiter used phishing sites to lure in users: Report
News

Cointelegraph in your social feed

Follow our Subscribe on

The Bitkeep exploit that occurred on Dec. 26 used phishing sites to fool users into downloading fake wallets, according to a report by blockchain analytics provider OKLink.

The report stated that the attacker set up several fake Bitkeep websites which contained an APK file that looked like version 7.2.9 of the Bitkeep wallet. When users “updated” their wallets by downloading the malicious file, their private keys or seed words were stolen and sent to the attacker.

The report did not say how the malicious file stole the users’ keys in an unencrypted form. However, it may have simply asked the users to re-enter their seed words as part of the “update,” which the software could have logged and sent to the attacker.

Once the attacker had users’ private keys, they unstaked all assets and drained them into five wallets under the attacker’s control. From there, they tried to cash out some of the funds using centralized exchanges: 2 Ether (ETH) and 100 USD Coin (USDC) were sent to Binance, and 21 ETH were sent to Changenow.

The attack happened across five different networks: BNB Chain, Tron, Ethereum and Polygon, and BNB Chain bridges Biswap, Nomiswap and Apeswap were used to bridge some of the tokens to Ethereum. According to OKLink, a total of over $9.92 million worth of crypto was taken in the attack, although other sources have said that it is only $8 million.

Related: Defrost v1 hacker reportedly returns funds as ‘exit scam’ allegations surface

It is not yet clear how the attacker convinced users to visit the fake websites. The official website for BitKeep provided a link that sent users to the official Google Play Store page for the app, but it does not carry an APK file of the app at all.

The BitKeep attack was first reported by Peck Shield at 7:30 am UTC. At the time, it was blamed on an “APK version hack.” This new report from OKLink suggests that the hacked APK came from malicious sites and that the developer’s official website has not been breached.

Cointelegraph is committed to independent, transparent journalism. This news article is produced in accordance with Cointelegraph’s Editorial Policy and aims to provide accurate and timely information. Readers are encouraged to verify information independently. Read our Editorial Policy https://cointelegraph.com/editorial-policy