The attacker seems to be trying to use Binance and Change now to withdraw money.
The damages incurred
According to research by blockchain analytics (1) vendor OKLink, the Bitkeep hack that happened on December 26 employed phishing websites to trick users into installing false wallets. According to the study, the attacker created several fictitious Bitkeep websites that each hosted an APK file that seemed to be Bitkeep wallet version 7.2.9. Users' private keys or seed words were taken when they "updated" their wallets by downloading the malicious file, and they were delivered to the attacker.
The malicious software grabbed the users' keys in an unencrypted form, although the report did not specify how. It may have just asked the users. as part of the "upgrade," to re-enter their seed words, which the program may have logged and forwarded to the attacker. After obtaining users' private keys, the attacker unstacked all assets and transferred all funds to five wallets under their command. From there, they attempted to withdraw part of the money via centralized exchanges: two Ethereum (ETH) and one hundred dollars (USDC) were sent to Binance, and twenty-one ETH was sent to change now.
Will similar incidents occur?
The attack affected five networks BNB Chain, Tron, Ethereum, Polygon, and BNB Chain bridges. Some coins were connected to Ethereum via the bridges Biswap, Nomiswap, and Apeswap. The hack resulted in the theft of over $13 million cryptocurrency.
It is yet unclear how the assailant persuaded visitors to the phony websites. The official Google Play Store page for BitKeeper has a link that directs people there but does not include an APK file for the program. Peck Shield alerted authorities to the BitKeeper assault around 7:30 AM UTC. It was attributed to an "APK version hack" at the time. According to this latest report from OKLink, the developer's official website was not compromised, and the stolen APK originated from rogue websites.