Trust Wallet has reported a security incident, coinciding with one of its latest updates. On-chain researcher ZachXBT identified over $6M in stolen funds. Trust Wallet noted that the incident was connected to the browser extension version 2.68.
The platform warned users to disable the extension and move to version 2.69. However, users on mobile were not impacted by the breach. Trust Wallet was in the news after adding native prediction markets. Previously, the wallet served as a one-stop hub for all Web3 activities.
Binance’s founder and former CEO Changpeng ‘CZ’ Zhao immediately reacted to the incident, stating all users would be compensated. The Trust Wallet team is still investigating how the exploiters managed to submit a flawed version to the app store for downloads under the official wallet brand.
Trust Wallet suffers security breach
The initial wallet draining was noted soon after the update from December 24, with the exploit continuing for days before being detected by ZachXBT. Initially, users were urged not to use the extension while salvaging funds via the desktop or mobile versions. The problems emerged only when inputting private seeds into the flawed extension.
In addition, ZachXBT identified Ethereum, Bitcoin, and Solana wallets affected by the exploit. According to his data, hundreds of wallets were affected. Trust Wallet has announced that the losses will be compensated. ZachXBT has not mentioned if the exploit has compromised the private keys themselves, but users may have to generate new wallets.
Some of the affected addresses lost small amounts of BTC after years of holding. On ETH, the exploiter aggregated tokens into several intermediary addresses. Later, some of the Trust Wallet exploiter wallets sent out the funds to exchanges. The exploiter used ChangeNOW, FixedFloat, as well as high-profile exchanges like KuCoin and HTX.
Most of the destination wallets have been flagged. Some of the addresses contain only a few hundred dollars, while others have accumulated as much as $49,000. In the end, the hack estimates reached $6.77M, with around $2.35M remaining in all of the exploiter’s known addresses after moving and swapping funds.
