Wednesday, January 04, 2023

Singapore-based crypto firm hit by Boxing Day hack, more than $10 million lost


Aqil Hamzah

SINGAPORE – More than US$8 million (S$10 million) was stolen from a Singapore-based crypto wallet provider last Monday after a hacker tampered with the files that users download to install the wallet on their phones.

Thousands of users reported having their funds stolen from their BitKeep wallets on Boxing Day, although it is not clear how many Singaporean users were affected.

According to blockchain security and data analytics company PeckShield, the cryptocurrencies stolen consisted of Binance’s BNB Coin, stablecoins Tether and Dai, as well as Ether.

The Straits Times has contacted BitKeep for more information but multiple attempts to do so via email and social media have gone unanswered.

Efforts to pinpoint its office in Singapore or unique entity number yielded no results, and the firm did not have a listed phone number here.

In a statement on the BitKeep website last Wednesday, BitKeep chief executive Kevin Como acknowledged the incident and said the hacker had carried out the theft by hijacking version 7.2.9 of the APK files available for download on the website and installing code on them.

APK files are Android app packages that allow users to install apps directly onto their devices without going through the Google Play Store.

“With maliciously implanted code, the altered APK led to the leak of users’ private keys and enabled the hacker to move funds,” Mr Como said, adding that users who downloaded the app from Apple’s App Store, the Google Play Store or Chrome Web Store were unaffected.

On its official Telegram channel, affected users were advised to update to version 7.3.0 of the BitKeep app, which was put out on Dec 28.

They would then need to create a new crypto wallet and transfer all their available assets.

Meanwhile, the firm said it is working to recover the stolen funds, with affected users urged to fill in a Google form detailing the amount they lost.

ST understands that BitKeep did not apply for a licence to provide digital payment token services under the Payment Services Act. This means that its cryptocurrency wallet may not fall under the category of a regulated service in Singapore.


BitKeep is also not a notified entity, which means it has not been granted a temporary exemption from holding a licence by the Monetary Authority of Singapore.

This is not the first time that BitKeep, which claims to have more than 8 million users across 168 countries, has suffered from a hack resulting in stolen funds.

In Oct 2022, more than US$1 million was stolen after hackers exploited a vulnerability that allowed them to perform cryptocurrency token swaps from users’ accounts.
