
Trust Wallet Hack: $7 Million Stolen in Extension Attack

Originally published on: December 27, 2025
Summary

– Trust Wallet confirmed a compromised Chrome extension update (version 2.68.0) released on December 24 led to the theft of at least $7 million in cryptocurrency.
– The malicious code in the update secretly exfiltrated sensitive wallet data, like seed phrases, to a suspicious external domain registered just days before the incident.
– In a parallel attack, threat actors launched phishing sites that impersonated Trust Wallet to trick users into surrendering their recovery seed phrases.
– Trust Wallet advised affected users to immediately update to the fixed version 2.69 and to disable the compromised extension until doing so.
– The company stated Binance founder CZ confirmed the stolen funds would be covered and that only the Chrome extension version 2.68.0 was affected, not mobile apps.

A significant security breach involving the Trust Wallet Chrome extension has resulted in the theft of an estimated $7 million in cryptocurrency. The incident stemmed from a compromised update released on December 24, which contained malicious code designed to steal sensitive wallet data. Binance founder Changpeng “CZ” Zhao publicly confirmed the hack and stated that Trust Wallet would cover the losses, assuring users that their funds are secure. The attack underscores the critical vulnerabilities that can exist within browser extensions and digital wallet infrastructure.

Reports began flooding social media on Christmas Eve as users discovered their wallets had been drained shortly after interacting with the extension. Trust Wallet, a popular non-custodial wallet for managing digital assets across blockchains, quickly identified the issue with version 2.68.0 of its Chrome extension. The company urged all users to immediately update to the patched version 2.69. Security analysts investigating the compromised code discovered a bundled JavaScript file that contained logic to exfiltrate private wallet information, including seed phrases, to an external server. The data was sent to a suspicious domain, `metrics-trustwallet[.]com`, which had been registered just days before the attack and bore no legitimate connection to the wallet provider.

In a troubling escalation, threat actors simultaneously launched a phishing campaign to exploit user panic. Multiple social media accounts directed concerned individuals to a fraudulent website, `fix-trustwallet[.]com`, which mimicked Trust Wallet’s branding. The site falsely claimed to offer a fix for a security vulnerability but instead prompted visitors to enter their wallet recovery seed phrase, a master key that would grant attackers complete control. WHOIS records indicate this phishing domain was registered through the same registrar as the malicious metrics domain, strongly suggesting the operations are linked.

For users of the Trust Wallet Chrome extension, immediate action is required. The only affected version is 2.68.0; all other versions, including the mobile application, remain secure. Trust Wallet’s official guidance is to not open the browser extension until it has been updated. Users should navigate to their Chrome extensions panel, disable the Trust Wallet extension, ensure developer mode is activated, and manually trigger an update to confirm they are on version 2.69. Anyone who interacted with the compromised extension or the phishing site must assume their recovery phrase is compromised. The safest course of action is to move any remaining funds to a brand-new wallet generated from a fresh, never-before-used seed phrase. Trust Wallet has stated its support team is contacting impacted users to discuss next steps, while others with concerns are directed to the official support portal. This event serves as a stark reminder of the importance of verifying update sources and never entering seed phrases on any website, regardless of how legitimate it may appear.
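The version check described above can be run across every Chrome profile on a machine by reading each installed copy's `manifest.json`. This is an added example, not code from Trust Wallet or the original report; `EXT_ID` is a placeholder for the extension ID shown in `chrome://extensions`, and the sample directory tree is constructed for the demonstration.

```python
import json
import tempfile
from pathlib import Path

AFFECTED_VERSION = "2.68.0"          # the only affected version, per the article
EXT_ID = "EXTENSION_ID_PLACEHOLDER"  # assumption: replace with the ID from chrome://extensions

def installed_versions(user_data_dir, ext_id=EXT_ID):
    """Yield (profile_name, version) for every on-disk copy of the extension."""
    # Chrome layout: <user data dir>/<profile>/Extensions/<id>/<version>_<n>/manifest.json
    for manifest in sorted(Path(user_data_dir).glob(f"*/Extensions/{ext_id}/*/manifest.json")):
        try:
            version = str(json.loads(manifest.read_text(encoding="utf-8"))["version"])
        except (OSError, ValueError, KeyError):
            version = "unreadable"   # damaged manifest: flag for manual review
        yield manifest.parents[3].name, version

def triage(user_data_dir, ext_id=EXT_ID):
    """Return (profiles holding the affected build, profiles needing manual review)."""
    affected, review = set(), set()
    for profile, version in installed_versions(user_data_dir, ext_id):
        if version == AFFECTED_VERSION:
            affected.add(profile)
        elif version == "unreadable":
            review.add(profile)
    return sorted(affected), sorted(review)

def build_sample(root):
    """Constructed sample tree (not real data): one copy per listed version."""
    samples = {"Default": ["2.68.0"], "Profile 1": ["2.69"], "Profile 2": ["2.68.0", "2.69"]}
    for profile, versions in samples.items():
        for v in versions:
            d = Path(root) / profile / "Extensions" / EXT_ID / f"{v}_0"
            d.mkdir(parents=True)
            (d / "manifest.json").write_text(json.dumps({"name": "sample", "version": v}))

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return triage(tmp)

if __name__ == "__main__":
    print(demo())
```

Point `triage()` at the Chrome user data directory (for example `~/.config/google-chrome` on Linux). A profile reported as affected still has a 2.68.0 copy on disk, even if a 2.69 copy sits beside it, and is a candidate for the recovery-phrase guidance above.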

(Source: Bleeping Computer)
