Malicious App Breaches Over 13K Android and iOS Crypto Wallets, SlowMist Reveals

A sneaky mobile app called BOM has made off with over $1.82 million in cryptocurrency, pilfering private keys and mnemonic phrases right from users’ devices.

Blockchain security pros at SlowMist and OKX Web3 Security blew the lid off this scam in a February 27 report, tracing the first shady transactions back to February 14.

Digging into the blockchain trails, the experts found BOM wasn’t just a dud—it was a full-on trap. The app tricked users into handing over file access with a flimsy excuse, then rifled through their device storage, snatched sensitive wallet info, and beamed it to a remote server. On iOS, it’d pop up asking for permissions to photos and media, claiming it was “necessary for normal operation.” SlowMist wasn’t buying it: “For a blockchain app, needing your photo gallery? That’s highly suspicious.”

 

The damage spread wide. SlowMist tracked the loot to a main hacker address (0x49aDd3E…), which hit at least 13,000 victims across chains like BNB Chain, Ethereum, Polygon, Arbitrum, and Coinbase’s Base. The haul included big names—Tether, Ethereum, Wrapped Bitcoin, even Dogecoin—all siphoned off in the blink of an eye.

Who’s behind it? That’s still murky. The app’s backend went dark during SlowMist’s analysis, a sign the crooks might already be ducking out. Some of the stolen funds got swapped on decentralized exchanges like PancakeSwap and OKX-DEX, muddying the trail further. For now, it’s a stark heads-up: that shiny new app might just be a wolf in sheep’s clothing, ready to raid your crypto stash.