Singapore-based crypto firm hit by Dec 26 hack, more than $10 million lost

Affected users were advised to update to version 7.3.0 of the BitKeep app, which was put out on Dec 28. SCREENGRAB: BITKEEP

SINGAPORE – More than US$8 million (S$10 million) was stolen from a Singapore-based crypto wallet provider on Dec 26, after a hacker manipulated files enabling users to download the wallets on their phones.

Thousands of users reported having their funds stolen from their BitKeep wallets that day, although it is not clear how many Singaporean users were affected.

According to blockchain security and data analytics company PeckShield, the cryptocurrencies stolen consisted of Binance’s BNB Coin, stablecoins Tether and Dai, and Ether.

In response to queries from The Straits Times, a BitKeep spokesman said it has adopted countermeasures to protect users from further losses, including tracing the addresses used in the hack and freezing some of the stolen funds.

He added that a police report was lodged at the end of December, and that a taskforce has been set up by the police in collaboration with cybersecurity experts.

ST has contacted the police to verify if such a taskforce had been created.

In a statement on the Bitkeep website last Wednesday, BitKeep chief executive Kevin Como acknowledged the incident and said the hacker had done so by hijacking and installing code on version 7.2.9 of the APK files available for download on the website.

APK files allow Android users to download apps directly onto their devices without going through the Google Play Store.

“With maliciously implanted code, the altered APK led to the leak of users’ private keys and enabled the hacker to move funds,” Mr Como said, adding that users who downloaded the app from Apple’s App Store, the Google Play Store or Chrome Web Store were unaffected.

On its official Telegram channel, affected users were advised to update to version 7.3.0 of the BitKeep app, which was put out on Dec 28.

They would then need to create a new crypto wallet and transfer all their available assets.

ST understands that BitKeep did not apply for a licence to provide digital payment token services under the Payment Services Act.

BitKeep is also not a notified entity, which means it has not been granted a temporary exemption from holding a licence by the Monetary Authority of Singapore.

ST understands that as a wallet provider, BitKeep’s services are technological in nature and may not be subject to the Payment Services Act, which provides a framework for the regulation of payment systems and payment service providers in Singapore.

This is not the first time that BitKeep, which claims to have more than 8 million users across 168 countries, has suffered from a hack resulting in stolen funds.

In Oct 2022, more than US$1 million was stolen after hackers exploited a vulnerability that allowed them to perform cryptocurrency token swaps from users’ accounts.

Join ST's Telegram channel and get the latest breaking news delivered to you.