The Bitkeep exploit that occurred on Dec. 26 used phishing sites to fool users into downloading fake wallets, according to a report by blockchain analytics provider OKLink.
The report stated that the attacker set up several fake Bitkeep websites which contained an APK file that looked like version 7.2.9 of the Bitkeep wallet. When users “updated” their wallets by downloading the malicious file, their private keys or seed words were stolen and sent to the attacker.
【12-26 #BitKeep Hack Event Summary】— OKLink (@OKLink) December 26, 2022
According to OKLink data, the bitkeep theft involved 4 chains BSC, ETH, TRX, Polygon, OKLink included 50 hacker addresses and total Txns volume reached $31M.
The report did not say how the malicious file stole the users’ keys in an unencrypted form. However, it may have simply asked the users to re-enter their seed words as part of the “update,” which the software could have logged and sent to the attacker.
Once the attacker had users’ private keys, they unstaked all assets and drained them into five wallets under the attacker’s control. From there, they tried to cash out some of the funds using centralized exchanges: 2 Ether (ETH) and 100 USD Coin (USDC) were sent to Binance, and 21 ETH were sent to Changenow.
The attack happened across five different networks: BNB Chain, Tron, Ethereum and Polygon, and BNB Chain bridges Biswap, Nomiswap and Apeswap were used to bridge some of the tokens to Ethereum. According to OKLink, a total of over $9.92 million worth of crypto was taken in the attack, although other sources have said that it is only $8 million.
It is not yet clear how the attacker convinced users to visit the fake websites. The official website for BitKeep provided a link that sent users to the official Google Play Store page for the app, but it does not carry an APK file of the app at all.
The BitKeep attack was first reported by Peck Shield at 7:30 am UTC. At the time, it was blamed on an “APK version hack.” This new report from OKLink suggests that the hacked APK came from malicious sites and that the developer’s official website has not been breached.