Key Points
Blockchain security professionals have exposed a malicious mobile application that illicitly harvested sensitive wallet information from users’ devices, resulting in the theft of more than $1.8 million in cryptocurrency.
The deceptive application, named BOM, stole over $1.82 million in digital currency by secretly accessing users’ private keys and mnemonic phrases.
This was confirmed by blockchain security companies SlowMist and OKX Web3 Security.
In a research report published on February 27, SlowMist revealed that the first unauthorized transactions involving the app were detected on February 14.
On-chain analysis identified significant leaks, leading to the discovery that BOM was a fraudulent app tricking victims into granting file access.
Once permission was given, the app scanned device storage, obtained wallet data, and transmitted it to an external server.
Unnecessary Permissions and Suspicious Behavior
The app requested permissions it did not need, such as access to photos and media, conduct that security experts labeled “highly suspicious.”
SlowMist pointed out, “On iOS, the app first requests permissions, deceiving users with a message claiming the access is necessary for normal operation.
This behavior is highly suspicious — as a blockchain-related application, it has no legitimate reason to require access to the photo gallery.”
SlowMist tracked the stolen funds across several blockchains.
They estimated that the main hacker address stole assets from at least 13,000 victims and moved the funds through BNB Chain, Ethereum, Polygon, Arbitrum, and Coinbase’s Base.
The stolen digital currency included Tether (USDT), Ethereum (ETH), Wrapped Bitcoin (WBTC), and Dogecoin (DOGE).
The identity of the individuals behind the scheme remains unknown.
However, SlowMist analysts noted that the app’s backend services were offline during the analysis, suggesting the attackers are attempting to hide their activities.
Some of the stolen funds were exchanged on decentralized platforms such as PancakeSwap and OKX-DEX.