BitKeep exploiter used phishing sites to lure in users: Report

The attacker appears to be attempting to cash out funds using Binance and Changenow.

The BitKeep exploit that occurred on Dec. 26 used phishing sites to fool users into downloading fake wallets, according to a report by blockchain analytics provider OKLink.

The report stated that the attacker set up several fake BitKeep websites which contained an APK file that looked like version 7.2.9 of the BitKeep wallet. When users “updated” their wallets by downloading the malicious file, their private keys or seed words were stolen and sent to the attacker.

【12-26 #BitKeep Hack Event Summary】
1/n

According to OKLink data, the bitkeep theft involved 4 chains BSC, ETH, TRX, Polygon, OKLink included 50 hacker addresses and total Txns volume reached $31M.

— OKLink (@OKLink) December 26, 2022

The report did not say how the malicious file stole the users’ keys in an unencrypted form. However, it may have simply asked the users to re-enter their seed words as part of the “update,” which the app could have logged and sent to the attacker.

Once the attacker had users’ private keys, they unstaked all assets and drained them into 5 wallets under the attacker’s control. From there, they tried to cash out some of the funds using centralized exchanges: 2 ETH and 100 USDC were sent to Binance, and 21 ETH were sent to Changenow.

The attack happened across 5 different networks: BNB Chain, Tron, Ethereum, and Polygon, and BNB Chain bridges Biswap, Nomiswap, and Apeswap were used to bridge some of the tokens to Ethereum. In total, over $13 million worth of crypto was taken in the attack.

Related: Defrost v1 hacker reportedly returns funds as ‘exit scam’ allegations surface

It is not yet clear how the attacker convinced users to visit the fake websites. The official website for BitKeep provided a link that sent users to the official Google Play Store page for the app, but it does not carry an APK file of the app at all.

The BitKeep attack was first reported by Peck Shield at 7:30 a.m. UTC. At the time, it was blamed on an “APK version hack.” This new report from OKLink suggests that the hacked APK came from malicious sites, and that the developer’s official website has not been breached.
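The lure the report describes has a recognisable shape: a lookalike vendor site, a direct APK download posing as a version update, and an official site that never serves an APK and only links to the Play Store. The script below is an added illustration of how a defender might triage wallet-download links against that pattern; it is not code from OKLink, BitKeep or this article. The allow-listed vendor domain (`wallet-vendor.example`), the sample URLs and the Play Store package id are constructed placeholders, since the page does not give the real domains.

```python
"""Triage of wallet-download links for the lure pattern described in the
article: lookalike vendor sites serving a trojanized APK as an "update".

Stdlib only. Every hostname and URL here is CONSTRUCTED for the example; the
vendor's official domain is a placeholder assumption, not taken from the page.
"""
from urllib.parse import urlsplit

# Assumed allow-list (placeholder domain). The article says the official site
# only links to the Play Store listing, so play.google.com is allowed as well.
OFFICIAL_HOSTS = {"wallet-vendor.example", "play.google.com"}
BRAND = "bitkeep"           # brand token that lookalike domains imitate
MAX_LOOKALIKE_DISTANCE = 2  # edit distance at which a label counts as a lookalike


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, inlined to keep the example dependency-free."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify_download_url(url: str) -> tuple[str, list[str]]:
    """Return (verdict, reasons) for a link that claims to offer the wallet.

    'allow'      : allow-listed host, no APK
    'suspicious' : allow-listed host but an APK path (the real site serves none),
                   or a non-official host with only weak indicators
    'reject'     : non-official host with brand-lookalike or APK indicators
    'unknown'    : non-official host with no indicators at all
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    path = parts.path.lower()
    reasons: list[str] = []

    if not host:
        return "reject", ["URL has no hostname"]

    if host in OFFICIAL_HOSTS:
        if path.endswith(".apk"):
            return "suspicious", ["allow-listed host serving an APK; verify out of band"]
        return "allow", ["host is on the allow-list"]

    if parts.scheme != "https":
        reasons.append("not served over HTTPS")           # weak indicator
    if path.endswith(".apk"):
        reasons.append("direct APK download from a non-official host")
    for label in host.split("."):
        if label.startswith("xn--"):
            reasons.append(f"punycode label {label!r} (possible homograph)")
        elif BRAND in label and label != BRAND:
            reasons.append(f"brand name embedded in label {label!r}")
        elif 0 < levenshtein(label, BRAND) <= MAX_LOOKALIKE_DISTANCE:
            reasons.append(f"label {label!r} is a lookalike of {BRAND!r}")
        elif label == BRAND:
            reasons.append(f"exact brand label {label!r} on a non-official host")

    strong = [r for r in reasons if not r.startswith("not served")]
    if strong:
        return "reject", reasons
    if reasons:
        return "suspicious", reasons
    return "unknown", reasons


# Constructed sample links; none of these are real sites.
SAMPLE_LINKS = [
    "https://play.google.com/store/apps/details?id=com.example.wallet",
    "https://wallet-vendor.example/download",
    "https://wallet-vendor.example/wallet-7.2.9.apk",
    "https://bitkeep-update.example/BitKeep_7.2.9.apk",
    "https://bitkeap.example/update",
    "http://wallet-shop.example/info",
    "https://news.example/story",
]


def triage(links=SAMPLE_LINKS) -> dict[str, tuple[str, list[str]]]:
    """Classify every link and return the results keyed by URL."""
    return {u: classify_download_url(u) for u in links}


if __name__ == "__main__":
    for url, (verdict, why) in triage().items():
        print(f"{verdict:10} {url}")
        for r in why:
            print("           -", r)
```

The allow-list does the heavy lifting; the lookalike and APK heuristics only explain why a non-official link is being refused, which is useful when the output feeds a user-facing warning or a proxy log. Any APK offered by the allow-listed host is still flagged rather than trusted, because the report states the genuine site carries no APK at all.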