Bom malware robs users of over $1.82 million: SlowMist

cryptonews.net 27/02/2025 - 16:39 PM

A Mass Cryptocurrency Heist Identified

A large-scale cryptocurrency theft scheme was identified after multiple users reported unauthorized access to their wallet balances on February 14, 2025.

Security firms SlowMist and OKX released a joint report revealing that a rogue app called BOM was responsible for the attacks.

The report found that BOM was designed to deceive users into granting access to their photo library and local storage. Once permissions were given, the app secretly scanned for screenshots or photos containing wallet mnemonic phrases or private keys and sent them to the attackers’ servers.

According to MistTrack, the malware has affected at least 13,000 users, with total stolen funds exceeding $1.82 million. The attackers transferred funds across various blockchains, including Ethereum, BSC, Polygon, Arbitrum, and Base, to obscure their actions.

Malware Analysis Shows Data Gathering Scheme

Analysis by the OKX Web3 security team showed that the app was built with the UniApp cross-platform framework and was architected to extract sensitive data. Upon installation, BOM requests permission to access the device’s photo gallery and local files, misleadingly claiming that these permissions are necessary for the app to function properly.

Decompilation of the app indicated that its primary purpose was to retrieve and upload user information. When users navigated to the contract page within the app, functions were triggered that scanned and collected media files from the device’s storage. These files were then packaged and sent to a remote server controlled by the attackers.

The application code contained functions such as “androidDoingUp” and “uploadBinFa,” purposefully designed to read images and videos from the device and upload them to the attackers. The reporting URL used a domain loaded from the app’s local cache, making it difficult for users to trace where their stolen data was sent.

Additionally, the app carried an anomalous signature made up of random letters (“adminwkhvjv”), unlike the meaningful signing identities typically seen in legitimate apps, further highlighting its fraudulent nature.
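The two red flags above, a gallery-read permission paired with network access and a random-looking signer name, can be checked before installing an app. The following Python script is an added example, not code from the SlowMist/OKX report or from cryptonews.net; it parses a constructed AndroidManifest.xml (not BOM’s real manifest) and applies a simple consonant-run heuristic to signer names.

```python
import re
import xml.etree.ElementTree as ET

# Android attribute namespace (android:name) used in manifests.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that let an app read photos, screenshots or arbitrary files.
MEDIA_READ_PERMS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_MEDIA_VIDEO",
}
NETWORK_PERM = "android.permission.INTERNET"  # needed to upload anything

def requested_permissions(manifest_xml):
    """Collect every <uses-permission android:name=...> value."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}

def assess_exfil_capability(manifest_xml):
    """Flag the gallery-read plus network combination the BOM report describes."""
    perms = requested_permissions(manifest_xml)
    media = sorted(perms & MEDIA_READ_PERMS)
    network = NETWORK_PERM in perms
    return {"media_read": media, "network": network,
            "can_exfiltrate_media": bool(media) and network}

def looks_random(name, max_consonant_run=4):
    """Heuristic for signer names like 'adminwkhvjv': a long run of consonants
    is rare in real words, so treat it as a signal worth a manual look."""
    runs = re.findall(r"[bcdfghjklmnpqrstvwxz]+", name.lower())
    return max((len(r) for r in runs), default=0) >= max_consonant_run

# Constructed sample manifest; not the real BOM app's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Sample"/>
</manifest>
"""

if __name__ == "__main__":
    print(assess_exfil_capability(SAMPLE_MANIFEST))
    print(looks_random("adminwkhvjv"), looks_random("Example Corp"))
```

The manifest can be pulled from an APK with `apktool d` or `aapt dump xmltree`; the consonant-run heuristic is only a prompt for manual review, not proof of malice.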

On-Chain Fund Analysis Traces Stolen Asset Flows

Blockchain analysis shows fund flows across several networks. The initial theft address made its first transaction on February 12, 2025, receiving 0.001 BNB.

On the BSC chain, the attackers took in about $37,000, predominantly in USDC, USDT, and WBTC. The hackers frequently used PancakeSwap to convert various tokens into BNB. Currently, this address holds 611 BNB and roughly $120,000 worth of tokens such as USDT, DOGE, and FIL.

The Ethereum network suffered the highest losses, approximately $280,000. Most of these losses resulted from cross-chain ETH transfers from other networks. The attackers deposited 100 ETH into a backup address, to which 160 ETH was transferred from another linked address, totaling 260 ETH stored there without further movement.

On Polygon, the attackers stole about $65,000 in tokens, including WBTC, SAND, and STG, primarily exchanged on OKX-DEX for nearly 67,000 POL. Additional thefts included $37,000 on Arbitrum and $12,000 on Base, with most tokens exchanged for ETH and subsequently bridged to the Ethereum network.
