
Malware Steals Over $1.82 Million from 13,000+ Crypto Users: SlowMist Report


Key Takeaways:

  • BOM malware stole over $1.82 million from 13,000+ cryptocurrency users.  
  • Attackers used cross-chain transfers to launder stolen funds across multiple blockchains.  
  • Malware exploited device permissions to steal wallet information and send it to remote servers.

A new malware campaign has resulted in a massive cryptocurrency theft, with attackers stealing more than $1.82 million from over 13,000 victims. According to a joint investigation by security firms SlowMist and OKX, the rogue app, known as BOM, has been identified as the source of the breach. The attack targeted users of crypto wallets, exploiting vulnerabilities to steal sensitive data such as mnemonic phrases and private keys.

The BOM malware was designed to trick users into granting it access to their photo libraries and local storage. Upon installation, the app misleadingly requested these permissions, claiming they were necessary to function correctly. Once granted, BOM secretly scanned the device for images containing sensitive information, such as wallet mnemonic phrases or private keys.

These stolen details were then uploaded to remote servers controlled by the attackers. This process was carried out without the user’s knowledge, making it difficult to trace the malware’s actions. The OKX Web3 security team’s analysis revealed that the BOM app was built using the UniApp cross-platform framework, a tool commonly used for extracting sensitive data.

Stolen Funds Traced Across Multiple Blockchains

Blockchain analysis has helped trace the stolen funds across multiple cryptocurrency networks. The main attack address was activated on February 12, 2025, when it received 0.001 BNB. From there, the attackers moved funds across various blockchains, including Ethereum, Binance Smart Chain (BSC), Polygon, Arbitrum, and Base.

The attackers made approximately $37,000 on the BSC network, mostly in USDC, USDT, and WBTC. They used PancakeSwap to exchange these tokens into BNB. The Ethereum network saw the largest losses, totaling around $280,000. These funds were primarily the result of cross-chain ETH transfers. A backup address received 100 ETH and 160 ETH from another address. As of now, this address holds 260 ETH with no further activity.

Smaller Losses Observed on Other Networks

The attackers also managed to steal funds from the Polygon, Arbitrum, and Base networks. Around $65,000 worth of tokens, including WBTC, SAND, and STG, were taken on Polygon. Much of this was exchanged for POL tokens on the OKX-DEX. The Arbitrum and Base networks were also targeted, with losses of $37,000 and $12,000, respectively.

The attackers utilized various techniques to move the stolen funds across multiple networks, including using decentralized exchanges and cross-chain bridges to cover their tracks. However, their activities have been traced, providing valuable insight into the attack’s operation and scale.


SlowMist and OKX have released detailed reports on the attack, including the technical aspects of how BOM operates. While the investigation is ongoing, these findings have shed light on cybercriminals’ tactics for exploiting unsuspecting cryptocurrency users.