More than $8 million worth of cryptocurrency has been stolen from the wallets of BitKeep users in an apparent cyber attack, the latest exploit to hit a decentralised finance network.
BitKeep users reported through social media that their funds were being transferred without any activity on their end, online industry tracker Cointelegraph reported on Monday.
The amount could be higher as transfers were still being made at the time of the report, and it is also unclear whether the breach was from a single attacker or several.
The number of affected users is yet to be determined. BitKeep, which is based in Singapore, claims to have more than 6.3 million users.
Among the cryptocurrencies stolen are Binance Coin, Ether, Tether and Dai. The wallet of one suspected hacker now contains about $5 million, said BitKeep. A wallet is used by an account holder to securely store cryptocurrency.
BitKeep confirmed the breach in a Telegram post, after a “preliminary investigation”.
“It is suspected that some APK package downloads have been hijacked by hackers and installed with code implanted by hackers,” it said, referring to Android package kit, the file format used on Google's mobile operating system.
“If your funds are stolen, the application you download or update may be an unknown version [unofficial release version] hijacked.”
Decentralised finance, or DeFi, is based on blockchain technology. It is considered to be a safer way to conduct transactions, with the potential to replace middlemen, such as brokers and banks, in the financial system.
However, the growing scale of blockchain, cryptocurrencies and DeFi is attracting criminal activity. Cryptocurrencies tracked by Chainalysis yielded total transactions worth $15.8 trillion in 2021, up almost sevenfold from 2020.
Money laundering, market manipulation and online theft have been identified as the biggest threats globally to decentralised finance on Web3, Chainalysis has said.
Theft rose in parallel as crypto-based crime reached its highest level in 2021, with illicit addresses receiving $14 billion over the course of the year, almost double the $7.8 billion recorded in 2020, the New York-based blockchain platform has reported.
In March, more than $600 million was stolen from Ronin Network, a side chain built for the play-to-earn game Axie Infinity.
Android package kits can be downloaded from the internet and installed on Android devices. As they do not come from the official Google Play Store, they carry serious security risks, such as viruses and malware that can be used to steal sensitive user data.
Monday's report also comes a little over two months after BitKeep suffered a similar breach, in which one hacker stole about $1 million worth of Binance Coin.
Users — particularly those using APK versions of their wallets — have been urged by BitKeep to transfer their funds to its app from Google Play or Apple's App Store, and create new wallet addresses to safeguard their digital assets.
The company has also provided an online form that users can use to report illicit activity, and has said it will “figure out the solution and assist as soon as possible”.
BitKeep is active in 168 countries, with transactions of more than $500 billion, according to its website.