A wave of cryptocurrency thefts came to light after multiple users reported unauthorized transfers from their wallets on February 14, 2025.
Security firms SlowMist and OKX released a joint report identifying a malicious app called BOM as the cause of the attack.
The report confirmed that BOM was designed to trick users into granting it access to their photo library and local storage. Once the permission was granted, the app silently scanned screenshots and photos for wallet mnemonic (seed) phrases and private keys and uploaded whatever it found to the attacker's server.
According to MistTrack, the malware affected more than 13,000 users, with total losses exceeding $1.82 million. To obscure the trail, the attackers moved the stolen funds across several blockchains, including Ethereum, BSC, Polygon, Arbitrum, and Base.
Malware analysis shows the data collection scheme
Analysis by the OKX Web3 Security Team showed that the app was built with the UNIAPP cross-platform framework, and that its architecture was designed around extracting sensitive data. During installation, BOM requests permission to access the device's photo gallery and local files, falsely claiming that the permission is required for the app to function.
Decompiling the app reveals its real purpose: collecting and uploading user data. When the user opened the app's contract page, code was triggered that scanned device storage and collected media files, which were then packaged and uploaded to a remote server controlled by the attacker.
The code contains functions with names such as “Androiddoingup” and “uploadbinfa” whose sole job is to gather images and videos from the device and upload them to the attacker. The upload URL was built from a domain read out of the app's local cache rather than hard-coded in the binary, which made it difficult for users, or anyone inspecting the app, to determine where the data was being sent.
The app's signing information was also unusual: the certificate subject consisted of random-looking characters (“adminwkhvjv”) instead of the meaningful developer or organization names normally found in legitimate apps. This was a further indicator that the app was fraudulent.
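As an added illustration, and not code from the SlowMist/OKX report, the following Python script performs, for defensive purposes, the same search the text says BOM runs on the device: it scans text such as the OCR output of your own screenshots and notes for seed-phrase and private-key patterns, so exposed backups can be found and deleted before a scraper finds them. The regular expressions and the 3-to-8-letter word heuristic are my own assumptions (a real BIP-39 check would verify each word against the 2048-word list and validate the checksum), and the sample inputs are constructed dummy values, not real keys.

```python
import re
from typing import List, Tuple

# Hex-encoded 32-byte private key (Ethereum style), optionally 0x-prefixed.
HEX_KEY_RE = re.compile(r"(?<![0-9a-fA-F])(?:0x)?[0-9a-fA-F]{64}(?![0-9a-fA-F])")
# Bitcoin WIF private key: base58, 51 chars starting with 5 or 52 chars starting with K/L.
B58 = r"[1-9A-HJ-NP-Za-km-z]"
WIF_RE = re.compile(rf"(?<!{B58})[5KL]{B58}{{50,51}}(?!{B58})")
# "1." / "12)" style numbering that wallet backup screens put in front of each word.
NUMBERING_RE = re.compile(r"(?<!\w)\d{1,2}[.):]?(?!\w)")
# Valid BIP-39 phrase lengths.
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}


def mnemonic_runs(text: str) -> List[str]:
    """Return runs of 12/15/18/21/24 consecutive lowercase words of 3-8 letters.

    Every BIP-39 English word is 3-8 lowercase letters, so a genuine seed phrase
    always satisfies this filter; punctuation, digits and capitalised words break
    a run. This is a heuristic (assumption): the authoritative check is wordlist
    membership plus the checksum, which would require embedding the wordlist.
    """
    cleaned = NUMBERING_RE.sub(" ", text)
    # Words become one token each; every other non-space character is its own token.
    tokens = re.findall(r"[A-Za-z]+|[^A-Za-z\s]", cleaned)
    runs: List[str] = []
    run: List[str] = []
    for tok in tokens + ["."]:  # trailing sentinel flushes the final run
        if tok.isalpha() and tok.islower() and 3 <= len(tok) <= 8:
            run.append(tok)
            continue
        if len(run) in MNEMONIC_LENGTHS:
            runs.append(" ".join(run))
        run = []
    return runs


def scan_text(text: str) -> List[Tuple[str, str]]:
    """Scan one blob of text (e.g. OCR output of a screenshot) for wallet secrets."""
    findings: List[Tuple[str, str]] = []
    findings += [("hex_private_key", m.group(0)) for m in HEX_KEY_RE.finditer(text)]
    findings += [("wif_private_key", m.group(0)) for m in WIF_RE.finditer(text)]
    findings += [("possible_mnemonic", r) for r in mnemonic_runs(text)]
    return findings


# Constructed sample inputs (dummy values, not real keys).
OCR_SEED_SCREEN = (
    "Wallet backup (constructed sample, not real keys):\n"
    "1. abandon 2. ability 3. able 4. about 5. above 6. absent\n"
    "7. absorb 8. abstract 9. absurd 10. abuse 11. access 12. accident\n"
    "Private key: 0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef\n"
    "BTC: " + "5" + "J" * 50 + "\n"
)
OCR_HARMLESS = (
    "Meeting with the team tomorrow at 10am to discuss the quarterly report, bring the slides."
)

if __name__ == "__main__":
    for label, sample in (("seed screen", OCR_SEED_SCREEN), ("harmless", OCR_HARMLESS)):
        print(f"--- {label} ---")
        for kind, excerpt in scan_text(sample):
            print(f"{kind}: {excerpt}")
```

To run it over a real photo library, feed each image through an OCR tool first and pass the resulting text to `scan_text`; any `possible_mnemonic` hit is worth a manual look, while a `hex_private_key` or `wif_private_key` hit in a screenshot is a key that should be considered exposed and rotated.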
On-chain fund analysis tracks the flow of stolen assets
On-chain analysis shows the stolen funds moving across several networks. The main theft address became active on February 12, 2025, when it received 0.001 BNB as its first incoming transaction.
On the BSC chain, the attackers took around $37,000, mainly in USDC, USDT and WBTC, and frequently used PancakeSwap to swap the stolen tokens for BNB. At the time of the report, this address held 611 BNB and roughly $120,000 worth of tokens, including USDT, DOGE and FIL.
Ethereum saw the largest losses, around $280,000, most of which arrived as ETH bridged in from other networks. The attacker deposited 100 ETH at a backup address, and a further 160 ETH was forwarded from another linked address, leaving a total of 260 ETH at that address with no further movement.
On Polygon, the attacker took about $65,000 worth of tokens, including WBTC, SAND and STG, most of which were swapped for roughly 67,000 POL on OKX DEX. Further thefts were observed on Arbitrum (about $37,000) and Base (about $12,000), with most of those tokens swapped for ETH and bridged to the Ethereum network.