A large-scale cryptocurrency theft was identified after multiple users reported unauthorized access to their wallet balances on February 14, 2025. Security firms SlowMist and OKX released a joint report attributing the attacks to a rogue app called BOM. The analysis found that BOM was designed to trick users into granting access to their photo library and local storage. Once the permissions were granted, the app silently scanned for screenshots or photos containing wallet mnemonic phrases or private keys and uploaded them to the attackers' servers. According to MistTrack, the malware affected at least 13,000 users, with total stolen funds exceeding $1.82 million. The attackers moved the funds across several blockchains, including Ethereum, BSC, Polygon, Arbitrum, and Base, in an attempt to obscure their activity.

Malware analysis shows data gathering scheme

Analysis by the OKX Web3 security team showed that the app was built with the UniApp cross-platform framework, with an architecture designed for extracting sensitive data. On installation, BOM asks for permission to access the device's photo gallery and local files, falsely claiming that the permissions are required for the app to work normally. Decompilation revealed that the app's main purpose was retrieving and uploading user data. When users visited the contract page in the app, they triggered functions that scanned the device's storage and collected media files, which were packaged and uploaded to a remote server controlled by the attackers. The application's code included functions such as “androidDoingUp” and “uploadBinFa,” whose sole purpose was to collect images and videos from the device and upload them to the attackers. The upload URL used a domain retrieved from the app's local cache, which made it hard for users to trace where their data was being sent.

The scam app also had an anomalous signature subject consisting of random letters (“adminwkhvjv”) rather than the meaningful name normally used in legitimate apps, a further indicator that the app was fraudulent.

On-chain fund analysis traces stolen asset flows

Blockchain analysis of the theft shows fund flows across several networks. The main theft address made its first transaction on February 12, 2025, receiving 0.001 BNB from the address. On the BSC chain, the attackers profited by around $37,000, mostly in USDC, USDT, and WBTC, and frequently used PancakeSwap to swap various tokens into BNB. This address currently holds 611 BNB and around $120,000 worth of tokens such as USDT, DOGE, and FIL. The Ethereum network saw the largest losses, around $280,000, most of which came from cross-chain ETH transfers from other networks. The attackers deposited 100 ETH into a backup address, which also received 160 ETH from another linked address; in total, 260 ETH sits at this address with no further movement. On Polygon, the attackers took around $65,000 worth of tokens, including WBTC, SAND, and STG, most of which were swapped on OKX-DEX for almost 67,000 POL. Further theft occurred on Arbitrum ($37,000) and Base ($12,000), with most tokens swapped for ETH and bridged to the Ethereum network.
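A defender-side triage check, added here as an example and not code from SlowMist, OKX or the report, that scores an app's static profile against the two indicators described above: a random-looking signer subject such as “adminwkhvjv”, and gallery/storage read access combined with network access. The app profiles are constructed, and the vowel-ratio and consonant-run thresholds are assumptions, not values from the report.

```python
"""Static-profile triage modelled on the BOM indicators: random-looking
signer subject plus photo/storage access combined with network access."""
from dataclasses import dataclass, field

# Permissions that together allow "read the gallery, ship it out".
MEDIA_PERMS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
}
NET_PERM = "android.permission.INTERNET"
VOWELS = set("aeiou")


@dataclass
class AppProfile:
    package: str
    signer_cn: str                      # subject CN of the signing certificate
    permissions: set = field(default_factory=set)


def looks_random(name: str) -> bool:
    """Flag a signer CN shaped like 'adminwkhvjv': almost no vowels or a
    long consonant run. Heuristic; thresholds are assumptions."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return vowel_ratio < 0.25 or longest >= 5


def triage(app: AppProfile) -> list:
    """Return the indicators present; an empty list means nothing flagged."""
    hits = []
    if looks_random(app.signer_cn):
        hits.append("random-looking signer subject")
    if app.permissions & MEDIA_PERMS and NET_PERM in app.permissions:
        hits.append("gallery/storage read combined with network access")
    return hits


# Constructed profiles; the first mirrors the indicators reported for BOM.
SUSPECT = AppProfile("com.example.suspect", "adminwkhvjv",
                     {"android.permission.READ_MEDIA_IMAGES", NET_PERM})
BENIGN = AppProfile("com.example.gallery", "Example Corp",
                    {"android.permission.READ_MEDIA_IMAGES"})

if __name__ == "__main__":
    for app in (SUSPECT, BENIGN):
        print(app.package, triage(app) or ["no indicators"])
```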