Multi-chain crypto wallet BitKeep today reported a hacking incident that resulted in users losing millions in various cryptocurrencies.
The project’s team said the preliminary investigation points to some APK package downloads that were hijacked and had malicious code injected by hackers.
APK, which stands for Android Package, is the file format that Android uses to distribute and install apps. Often available outside Google Play, APKs allow users to install apps on their Android phones from third-party sources, which, in turn, may result in higher security risks.
“If your funds are stolen, the application you download or update may be an unknown version (unofficial release version) hijacked,” the BitKeep team wrote in its official Telegram group.
BitKeep also advised users who downloaded the APK version to transfer their funds to the wallet downloaded from the App Store or Google Play. Ideally, users are asked to do this using a newly created wallet address, as the addresses created through the malicious APK may have been leaked to hackers.
Millions drained from BitKeep
Security company PeckShield initially estimated the total amount of stolen funds to be about $8 million in various digital assets.
Though some Twitter users are questioning this version of events, reporting instances of funds stolen from the officially downloaded wallets, the Singapore-based BitKeep has doubled down on its preliminary investigation.
“Today’s theft incident is mainly due to the hijacking of 7.2.9 APK. If users are using the APK version, it is very likely that it is not the official version. So we have already let users transfer the funds to BitKeep Chrome plug-in wallet as soon as possible, or to the app downloaded from the official store, and create a new wallet address,” a BitKeep spokesperson told Decrypt, adding that “there is no problem” with the app downloaded from the official App Store or Google Play.
In a separate report, security firm Hacken said approximately $6 million worth of crypto assets have been stolen, adding that “the attack is still ongoing and the attacker is directly transferring users assets to multiple addresses.”
1. For now approximately ∼$6M worth of assets have been stolen
But the attack is still ongoing and the attacker is directly transferring users assets to multiple addresses
— Hacken🇺🇦 (@hackenclub) December 26, 2022
According to Hacken, primary addresses with stolen funds have been identified as a Binance Smart Chain wallet and an Ethereum wallet, with the latter seeing two large outgoing transactions worth 709 Ethereum (about $865,000) and 504 Ethereum (about $615,000), respectively.
OKLink, another multi-chain data service, reported a whopping $31 million in various assets stolen across Binance Smart Chain, Ethereum, Tron, and Polygon. With the attack ongoing, these figures likely point to a hacker that’s continuing to profit from users’ errant downloads of the malicious APK.
This is not the first hacking incident targeting BitKeep this year, with the wallet suffering an exploit in October that resulted in the loss of $1 million in Binance Coin (BNB) tokens.
Editor’s note: On December 26, 2022, at 11am EST, this article was updated to reflect that the hack is