SlowMist testing does not detect private key leaks from OKX Wallet

SlowMist detects no significant leaks in the OKX Web3 wallet, but BOM-style malware and compromised devices keep user-side security the weak link.
Summary
- SlowMist says that the OKX Web3 Wallet does not transmit private keys or mnemonics to external servers.
- The main wallet details are processed locally, and OKX emphasizes that its design is meant to protect against malware attacks.
- The research follows SlowMist’s February 2026 audit of the Binance Wallet and comes after the BOM malware stole more than $1.82 million from more than 13,000 wallets.
Blockchain security company SlowMist released a new evaluation of OKX’s Web3 wallet, concluding that the tested version “does not exhibit behavior that sends private keys or mnemonic phrases to external servers” and that “no serious risk of data leakage” was identified in its analysis. According to OKX’s own security white paper, the wallet’s subsystem is designed so that “information related to the user’s mnemonic key and secret is encrypted and stored locally on the user’s device,” reinforcing its self-custody model. The results come as wallet security concerns grow across the industry, and just months after a malicious BOM app was found to have siphoned more than $1.82 million from at least 13,000 crypto wallets by stealing user keys.
SlowMist said its security team used a combination of automated tools and manual reviews “from an attacker’s point of view” to investigate OKX Wallet code and traffic, similar to the approach it recently used in a comprehensive Binance Wallet audit announced by Binance on X in early February 2026. In the former, SlowMist automatically analyzes testing tools and automatically “runs security tools” by default. Binance says the operation aims to “ensure a high level of security” for users holding digital assets.
OKX founder and CEO Star Xu has repeatedly maintained that the latest wallet incidents stem from compromised user devices, not from flaws in the OKX Web3 wallet itself. “The risk comes from vulnerable user devices rather than the OKX Web3 wallet,” Star said in March, stressing that private keys and passwords are “only stored on user devices,” making storage hygiene extremely important. OKX also notes that its Web3 stack has been tested by firms including CertiK, Hacken and SlowMist and hardened with a bug bounty program, framing third-party reviews as part of a layered security strategy.
The renewed scrutiny follows a joint investigation in February 2025, when SlowMist and OKX Web3 Security revealed that a fake app called BOM “secretly accessed users’ private keys and mnemonic phrases,” eventually stealing “more than $1.82 million in crypto” from victims across Android and iOS. SlowMist traced a single main hacker address withdrawing funds from over 13,000 wallets, moving assets such as Tether (USDT), Ethereum (ETH), Wrapped Bitcoin (WBTC) and Dogecoin (DOGE) across the BNB Chain, Ethereum, Polygon, Arbitrum and Base. In a separate report, the company warned that private key leaks, phishing and fraud programs remain key weak points, after its MistTrack team logged 467 cases of stolen funds and stopped nearly $20.66 million in just one quarter.
SlowMist warned that even well-designed wallets can be vulnerable when users install Trojan apps or grant excessive permissions, allowing attackers to “scan and collect media files” and extract mnemonic phrases or important backups. OKX and SlowMist jointly urged users to avoid saving seed phrases via screenshots, images or cloud services and instead rely on offline methods such as paper backups or hardware wallets.
Within this context, the latest independent test of OKX Wallet serves as a signal of trust rather than a guarantee, and it underscores that audits of infrastructure and commitment projects should be combined with basic operational security on the part of the user. As SlowMist’s extensive analysis shows, fake wallets, vulnerable devices and social engineering remain among the most effective methods for attackers to turn even the strongest wallet structures into exploitable weak links.



