Crypto Wallet Bitkeep Points to Malicious APK Packages for $8M Exploit

Multi-chain crypto wallet BitKeep today reported a hacking incident that resulted in users losing roughly $8 million in various cryptocurrencies.

The project’s team said the preliminary investigation points to some APK package downloads that were hijacked and installed with malicious code injected by hackers.

APK, which stands for Android Package, is the file format that Android uses to distribute and install apps. Often available outside Google Play, APKs allow users to install apps on their Android phones from third-party sources, which, in turn, may result in higher security risks.

“If your funds are stolen, the application you download or update may be an unknown version (unofficial release version) hijacked,” the BitKeep team wrote in its official Telegram group.

BitKeep also advised those users who downloaded the APK version to transfer their funds to the wallet downloaded from App Store or Google Play. Ideally, users are asked to do this using a newly-created wallet address as the addresses created through the malicious APK may have been leaked to hackers.

$8 million reportedly drained from Bitkeep

Security company PeckShield has meanwhile estimated the total amount of stolen funds to be about $8 million in various digital assets.

Though some Twitter users are questioning this version of events, reporting instances of funds stolen from the officially downloaded wallets, the Singapore-based BitKeep has doubled down on its preliminary investigation.

“Today’s theft incident is mainly due to the hijacking of 7.2.9 APK. If users are using the APK version, it is very likely that it is not the official version. So we have already let users transfer the funds to BitKeep Chrome plug-in wallet as soon as possible, or to the app downloaded from the official store, and create a new wallet address,” a Bitkeep spokesperson told Decrypt, adding that “there is no problem” with the app downloaded from the official App Store or Google Play.

In a separate report, security firm Hacken said approximately $6 million worth of crypto assets have been stolen, adding that “the attack is still ongoing and the attacker is directly transferring users assets to multiple addresses.”

According to Hacken, primary addresses with stolen funds have been identified as a Binance Smart Chain wallet and an Ethereum wallet, with the latter seeing two large outgoing transactions worth 709 Ethereum (about $865,000) and 504 Ethereum (about $615,000), respectively.

This is not the first hacking incident targeting BitKeep this year, with the wallet suffering an exploit in October that resulted in the loss of $1 million in Binance Coin (BNB) tokens.