
BitKeep Exploiter Used Phishing Sites to Lure in Users: Report

The attacker appears to be trying to withdraw funds via Binance and Changenow.

According to a report by blockchain analytics provider OKLink, the BitKeep exploit that occurred on December 26 used phishing sites to trick users into downloading fake wallets.

According to the report, the attacker created several fake BitKeep websites that hosted an APK file purporting to be version 7.2.9 of the BitKeep wallet. Users’ private keys or seed words were stolen and sent to the attacker when they “updated” their wallets by downloading the malicious file.

The report did not specify how the malicious file obtained the users’ unencrypted keys. However, as part of the “update,” it could have simply asked users to re-enter their seed words, which the software could have logged and sent to the attacker.

After obtaining the users’ private keys, the attacker unstaked all assets and drained them into five wallets under the attacker’s control. They then attempted to cash out some of the funds via centralised exchanges, sending 2 ETH and 100 USDC to Binance and 21 ETH to Changenow.

The attack took place across five networks: BNB Chain, Tron, Ethereum, and Polygon, with BNB Chain bridges Biswap, Nomiswap, and Apeswap used to connect some of the tokens to Ethereum. The attack stole more than $13 million in cryptocurrency.

It is unclear how the attacker persuaded users to visit the bogus websites. The BitKeep official website provided a link that took users to the app’s official Google Play Store page, but it does not contain an APK file.

PeckShield first reported the BitKeep attack at 7:30 a.m. UTC. It was initially blamed on an “APK version hack.” According to a new report from OKLink, the hacked APK was obtained from malicious websites, and the developer’s official website was not compromised.