Bitcoin 
Ethereum 
Tether 
XRP 
BNB 
Solana 
USDC 
Lido Staked Ether 
TRON 
Dogecoin 
Cardano 
Wrapped Bitcoin 
Wrapped stETH 
Hyperliquid 
Sui 
Stellar 
Wrapped Beacon ETH 
Chainlink 
Bitcoin Cash 
Hedera 
Wrapped eETH 
Avalanche 
Ethena USDe 
Toncoin 
LEO Token 
Litecoin 
WETH 
USDS 
Shiba Inu 
Binance Bridged USDT (BNB Smart Chain) 
Coinbase Wrapped BTC 
WhiteBIT Coin 
Monero 
Uniswap 
Polkadot 
Ethena Staked USDe 
Bitget Token 
Pepe 
Cronos 
Aave 
Dai 
Ethena 
Bittensor 
Ethereum Classic 
NEAR Protocol 
OKB 
Aptos 
Pi Network 
Ondo 
Internet Computer 
Jito Staked SOL 
BlackRock USD Institutional Digital Liquidity Fund 
Mantle 
USD1 
Kaspa 
Binance-Peg WETH 
Pudgy Penguins 
Gate 
Fasttoken 
Algorand 
Bonk 
VeChain 
Arbitrum 
Cosmos Hub 
sUSDS 
Render 
POL (ex-MATIC) 
Story 
Official Trump 
Worldcoin 
Binance Staked SOL 
Sky 
Jupiter Perpetuals Liquidity Provider Token 
Rocket Pool ETH 
Artificial Superintelligence Alliance 
Lombard Staked BTC 
Quant 
Sei 
Filecoin 
Flare 
Kelp DAO Restaked ETH 
XDC Network 
USDtb 
USDT0 
SPX6900 
KuCoin 
Provenance Blockchain 
Jupiter 
First Digital USD 
StakeWise Staked ETH 
NEXO 
Liquid Staked ETH 
Mantle Staked Ether 
Polygon Bridged USDT (Polygon) 
Falcon USD 
Curve DAO 
Stacks 
Injective 
Celestia 
Solv Protocol BTC 
Renzo Restaked ETH 
Optimism 
PayPal USD 
Binance Bridged USDC (BNB Smart Chain) 
Wrapped BNB 
FLOKI 
PAX Gold 
Conflux 
Jupiter Staked SOL 
Saros 
Sonic 
The Graph 
Immutable 
Arbitrum Bridged WBTC (Arbitrum One) 
Pump.fun 
Fartcoin 
PancakeSwap 
clBTC 
SyrupUSDC 
Tether Gold 
dogwifhat 
Marinade Staked SOL 
Ethereum Name Service 
Kaia 
Lido DAO 
Tezos 
Vaulta 
Virtuals Protocol 
Super OETH 
cgETH Hashkey Cloud 
Theta Network 
Mantle Restaked ETH 
OUSG 
ether.fi Staked ETH 
MemeCore 
Ondo US Dollar Yield 
JasmyCoin 
IOTA 
Stables Labs USDX 
Raydium 
GALA 
tBTC 
Aerodrome Finance 
BitTorrent 
The Sandbox 
L2 Standard Bridged WETH (Base) 
Pendle 
Pyth Network 
Ripple USD 
AB 
Usual USD 
Jito 
USDD 
Zcash 
Flow 
Avalanche Bridged BTC (Avalanche) 
Solv Protocol Staked BTC 
Beldex 
Stader ETHx 
Arbitrum Bridged WETH (Arbitrum One) 
Walrus 
Helium 
Morpho 
Decentraland 
Bitcoin SV 
TrueUSD 
Binance-Peg Dogecoin 
Coinbase Wrapped Staked ETH 
BUILDon 
Onyxcoin 
APENFT 
Maple Finance 
Core 
Brett 
Swell Ethereum 
Savings Dai 
Superstate Short Duration U.S. Government Securities Fund (USTB) 
Mog Coin 
Telcoin 
THORChain 
Rekt 
Tokenize Xchange 
ApeCoin 
Mantle Bridged USDT (Mantle) 
Starknet 
Kava 
Reserve Rights 
Circle USYC 
Frax Ether 
Compound 
USDB 
Zebec Network 
Trip 
Polygon PoS Bridged DAI (Polygon POS) 
Sun Token 
Arweave 
DeXe 
dYdX 
NEO 
Polygon PoS Bridged WETH (Polygon POS) 
A mass cryptocurrency heist plan has been identified following different users reporting unauthorized access to their wallet balances on February 14, 2025.
Security firms SlowMist and OKX have released a joint report showing that they have found that a rogue app called BOM was responsible for the attacks.
The study established that BOM was intended to deceive users into providing access to their photo library and local storage. Upon the provision of permissions, the application secretly scanned for screenshots or photos with wallet mnemonic phrases or private keys. The latter were posted to the servers of the attackers.
As per MistTrack, the malware has impacted no less than 13,000 users, with total stolen funds amounting to over $1.82 million. The attackers transferred funds on different blockchains such as Ethereum, BSC, Polygon, Arbitrum, and Base in an attempt to hide their actions.
Malware analysis shows data gathering scheme
Analysis by the OKX Web3 security team showed that the app was built with the UniApp cross-platform framework. This was an architecture designed for extracting sensitive data. BOM asks permission to access the device photo gallery and local files upon installation. The app misleadingly states that permissions are required for the app to work normally.
Decompilation of the app revealed its main purpose centered on retrieving and uploading user information. When users visited the contract page on the app, they activated functions that scanned and gathered media files from the storage of the device. These were packaged and uploaded to a distant remote server managed by the attackers.
The code in the application had functions such as “androidDoingUp” and “uploadBinFa,” whose sole purpose was to download images and videos from the device and upload them to the attackers. The reporting URL employed a domain that was obtained from the app’s local cache; hence, it was not easy for the users to trace the destination of their data.
The scam app also had an anomalous signature subject with random letters (“adminwkhvjv”) instead of the meaningful letters normally used in authentic apps. This aspect also established the app as fraudulent.
On-chain fund analysis traces stolen asset flows
Blockchain analysis of the theft shows fund flows on several networks. The main theft address initiated its initial transaction on February 12, 2025, with the receipt of 0.001 BNB from the address.
On the BSC chain, the attackers made around $37,000 worth of profits, largely in USDC, USDT, and WBTC. The hackers frequently used PancakeSwap to exchange different tokens into BNB. As of now, this address has 611 BNB and around $120,000 worth of tokens, such as USDT, DOGE, and FIL.
The Ethereum network experienced the most theft, losing around $280,000. The majority of these funds resulted from cross-chain ETH transfers from other networks. The attackers deposited 100 ETH into a backup address, to which 160 ETH was transferred from another connected address. Overall, 260 ETH are held at this address with no additional movement.
On Polygon, attackers reaped around $65,000 worth of tokens, including WBTC, SAND, and STG. The majority of these funds were exchanged on OKX-DEX for almost 67,000 POL. Further theft was observed on Arbitrum ($37,000) and Base ($12,000), with the majority of tokens being exchanged for ETH and bridged onto the Ethereum network.
