
Cyber Incident Victim: BitKeep

Date: Dec 2022

Location: China

Summary

A large-scale malicious fund attack targeted BitKeep, compromising thousands of users through hijacked APK versions containing implanted code. The incident resulted in approximately $8 million stolen across multiple blockchains, with funds consolidated into two primary addresses and partially frozen through third-party assistance; stolen tokens were converted into roughly 8.9 million USDT while the platform continued investigations and fund tracking.

| CIA Posture | Motives | Tactics, Techniques & Procedures |
| --- | --- | --- |
| Available to members | 1 motive | 2 techniques |

| Threat Actors | Type | Location |
| --- | --- | --- |
| 0 actors | Available to members | Available to members |

Description

On December 26, 2022, between 3:00 and 4:00 AM GMT+8, BitKeep experienced a large-scale malicious fund attack impacting thousands of users. The incident stemmed from compromised APK versions of the BitKeep wallet application, specifically version 7.2.9 distributed under five package identifiers: com.bitkeep.w4, com.bitkeep.wallet5, io.bitkeep.wallet, com.bitkeep.app, and com.bitkeep.w5. These unofficial installers contained code implanted by attackers, enabling unauthorized fund transfers when users interacted with the hijacked software. Initial investigations revealed that victims who downloaded or updated to these tampered APK versions had their cryptocurrency assets stolen across four blockchain networks: BNB Chain, Ethereum, TRON, and Polygon. BitKeep traced approximately $8 million in stolen funds, with the attack involving over 200 addresses across three chains before consolidation into two primary destination addresses.


The attackers systematically routed stolen assets through multiple addresses on BNB Chain, Ethereum, and Polygon, ultimately funneling the funds to the Ethereum address 0x9f12243d60c301d4e01a3d24bb620e8ffb40f855, which received 1,233.26706814 ETH. All Polygon-chain assets were first transferred to this Ethereum address before further movement. The hackers converted stolen tokens into approximately 8,989,011 USDT. BitKeep’s technical team collaborated with third-party entities to trace transactions and freeze portions of the stolen funds, though specific recovery amounts were not disclosed. The company publicly identified the hacker’s Ethereum and Polygon destination addresses while deferring disclosure of the TRON address pending further investigation. BitKeep committed to continuous monitoring of the stolen funds’ movement and pledged ongoing transparency through community updates on forensic progress and countermeasures. The incident caused direct financial losses for affected users and exposed weaknesses in BitKeep’s APK distribution channel: users who obtained the wallet from unofficial sources received tampered builds with no way to distinguish them from the genuine release.

Sources

1 source (available to members)