SlowMist finds no key leaks in OKX Web3 wallet, but BOM-style malware and compromised devices keep user-side security the weak link.
Summary
- SlowMist says OKX Web3 Wallet does not transmit private keys or mnemonics to external servers.
- Core wallet credentials are processed locally, as OKX stresses its self-custody design amid rising malware attacks.
- The audit follows SlowMist’s February 2026 review of Binance Wallet and comes after BOM malware stole over $1.82 million from more than 13,000 wallets.
Blockchain security firm SlowMist has issued a new assessment of OKX’s Web3 wallet, concluding that the audited version “shows no behavior transmitting private keys or mnemonic phrases to external servers,” with “no sensitive data leakage risk” identified in its analysis. According to OKX’s own security white paper, the wallet’s underlying system is designed so that “the user’s mnemonic and private key related information are all encrypted and stored locally on the user’s device,” reinforcing its self-custodial model. The findings arrive as wallet security concerns escalate across the industry, and just months after a malicious BOM app was found to have drained over $1.82 million from at least 13,000 crypto wallets by stealing users’ keys.
SlowMist said its security team used a mix of automated tooling and manual reviews “from an attacker’s perspective” to probe OKX Wallet’s code and traffic, similar to the methodology it recently applied in a comprehensive audit of Binance Wallet announced by Binance on X in early February 2026. In that earlier review, SlowMist “conducted an in-depth security audit through manual analysis and automated tools,” with Binance saying the exercise aimed to “ensure the highest level of security” for users managing digital assets.
OKX founder and CEO Star Xu has repeatedly argued that recent wallet incidents stem from compromised user devices, not flaws in the OKX Web3 wallet itself. “The risk originates from compromised user devices rather than the OKX Web3 wallet,” Star said in March, emphasizing that private keys and passwords are “stored only on user devices,” making endpoint hygiene critical. OKX also notes its Web3 stack has been audited by firms including CertiK, Hacken and SlowMist and hardened through a bug bounty program, framing third‑party reviews as part of a layered defense strategy.
The renewed scrutiny follows a joint investigation in February 2025, when SlowMist and OKX Web3 Security disclosed that a fake app called BOM had “secretly accessed users’ private keys and mnemonic phrases,” ultimately stealing “over $1.82 million in crypto” from victims across Android and iOS. SlowMist tracked one primary hacker address siphoning funds from more than 13,000 wallets, moving assets such as Tether (USDT), Ethereum (ETH), Wrapped Bitcoin (WBTC) and Dogecoin (DOGE) across BNB Chain, Ethereum, Polygon, Arbitrum and Base. In a separate report, the firm warned that private key leaks, phishing and fraud schemes remained key weak points, after its MistTrack team logged 467 stolen fund cases and froze roughly $20.66 million in just one quarter.
SlowMist has cautioned that even well‑designed wallets can become vulnerable when users install Trojanized apps or grant excessive permissions, allowing attackers to “scan and collect media files” and exfiltrate mnemonic phrases or key backups. OKX and SlowMist jointly urged users to avoid storing seed phrases via screenshots, photos or cloud services and instead rely on offline methods such as paper backups or hardware wallets.
Within this context, the latest OKX Wallet assessment is being framed as a trust signal rather than a guarantee, underscoring that infrastructure audits and self‑custody designs must still be paired with basic operational security on the user side. As SlowMist’s broader analysis shows, fake wallets, compromised devices and social engineering remain among the most efficient ways for attackers to turn even the strongest wallet architectures into exploitable weak links.
