Blockchain security experts uncovered a malicious mobile app that stole sensitive wallet data from users’ devices, leading to the theft of over $1.8 million in cryptocurrency.
A fake app called BOM stole over $1.82 million in crypto by secretly accessing users’ private keys and mnemonic phrases, according to blockchain security firms SlowMist and OKX Web3 Security. In a Feb. 27 research report, SlowMist reported that the first unauthorized transactions with the app were noticed on Feb. 14.
On-chain analysis showed identified main leaks, which led to further revealing that BOM was in fact a scam app luring victims into giving file access. Once granted, the app scanned device storage, took wallet data, and sent it to a remote server.
The app asked for unnecessary permissions, like access to photos and media, what security experts called a “highly suspicious” behavior.
“On iOS, the app first requests permissions, deceiving users with a message claiming the access is necessary for normal operation. This behavior is highly suspicious — as a blockchain-related application, it has no legitimate reason to require access to the photo gallery.”
SlowMist
SlowMist tracked stolen funds across multiple blockchains, estimating that the main hacker address (0x49aDd3E…) stole assets from at least 13,000 victims and transferred the funds through BNB Chain, Ethereum, Polygon, Arbitrum, and Coinbase’s Base.
The stolen crypto included Tether (USDT), Ethereum (ETH), Wrapped Bitcoin (WBTC), and Dogecoin (DOGE).
While it’s unclear who is behind the scheme, SlowMist analysts pointed out that the app’s backend services were offline during analysis, suggesting the attackers are already trying to cover their tracks. Some funds were swapped on decentralized exchange platforms such as PancakeSwap and OKX-DEX.
