Original title: Trust Wallet Plugin Version Attacked, Losses Exceed $6 Million; Official Patch Released Urgently
Original author: ChandlerZ, Foresight News
On the morning of December 26, Trust Wallet issued a security alert, confirming a security vulnerability in Trust Wallet browser extension version 2.68. Users of version 2.68 should immediately disable the extension and upgrade to version 2.69. Please upgrade via the official Chrome Web Store link.
According to PyShield's monitoring, hackers have stolen more than $6 million in crypto assets from victims in the Trust Wallet vulnerability exploit.
Currently, approximately $2.8 million of the stolen funds remain in the hacker's wallets (Bitcoin / EVM / Solana), while over $4 million of crypto assets have been transferred to centralized exchanges, specifically: approximately $3.3 million to ChangeNOW, approximately $340,000 to FixedFloat, and approximately $447,000 to Kucoin.
As the number of affected users surged, a code audit of Trust Wallet version 2.68 was launched. The security analysis team SlowMist, by comparing the source code differences between 2.68.0 (the infected version) and 2.69.0 (the patched version), discovered that hackers had implanted a seemingly legitimate data collection code, turning the official plugin into a backdoor for stealing privacy.
Analysis: The devices or code repositories of developers associated with Trust Wallet may have been compromised by attackers.
According to analysis by the SlowMist security team, the core vector for this attack was identified as Trust Wallet browser extension version 2.68.0. By comparing the patched version 2.69.0, security researchers discovered a highly disguised piece of malicious code in the older version. (See image).
The backdoor code adds a PostHog to collect various private information of wallet users (including seed phrase) and sends it to the attacker's server api.metrics-trustwallet[.] com.
Based on code changes and on-chain activity, SlowMist has provided an estimated timeline for this attack:
December 8th: Attackers begin their preparations.
December 22: Successfully released version 2.68 with the implanted backdoor;
December 25: Taking advantage of the Christmas holiday, attackers began transferring funds based on stolen seed phrase, after which the incident was exposed.
Furthermore, SlowMist analysis suggests that the attackers appear to be very familiar with the Trust Wallet extension source code. It's worth noting that while the current patch (2.69.0) stopped the malicious transmission, it did not remove the PostHog JS library.
Meanwhile, 23pds, Chief Information Security Officer of SlowMist Technology, posted on social media, "Based on SlowMist's analysis, there is reason to believe that the devices or code repositories of Trust Wallet developers may have been compromised by attackers. Please disconnect from the internet immediately and check the devices of relevant personnel." He further pointed out, "Users of affected versions of Trust Wallet must disconnect from the internet first, then export seed phrase to transfer assets; otherwise, opening the wallet online will result in asset theft. Seed phrase backup must transfer assets first before upgrading their wallet."
Plugin security incidents occur frequently
The report also points out that the attackers appear to be very familiar with the Trust Wallet extension source code, having injected PostHog JS to collect various information from users' wallets. The current Trust Wallet fix does not remove PostHog JS.
The fact that the official version of Trust Wallet was compromised by malware has brought to mind several high-risk attacks targeting hot wallet front-ends in recent years. From attack methods to the causes of vulnerabilities, these cases provide important reference points for understanding this incident.
When official channels are no longer safe
The most similar attacks to the Trust Wallet incident are those targeting the software supply chain and distribution channels. In these cases, users not only did nothing wrong, but were even harmed because they downloaded "legitimate software."
The Ledger Connect Kit poisoning incident (December 2023): Hardware wallet giant Ledger's front-end codebase was compromised by hackers who gained access via phishing and uploaded a malicious update package. This resulted in the front-ends of several leading dApps, including SushiSwap, being poisoned, displaying fake connection windows. This incident is considered a textbook case of a "supply chain attack," demonstrating that even for companies with excellent security reputations, their Web2 distribution channels (such as NPM) remain high-risk points of failure.
Hola VPN and Mega Extension Hijacking (2018): Back in 2018, the Chrome extension developer account of the well-known VPN service Hola was hacked. The hackers pushed out an "official update" containing malicious code specifically designed to monitor and steal the private keys of MyEtherWallet users.
• Code flaws: The risk of seed phrase being "naked"
Besides external poisoning, flaws in the wallet's handling of sensitive data such as seed phrase and private key materials can also lead to large-scale asset losses.
Slope Wallet Log System Controversy Over Sensitive Information Collection (August 2022): A large-scale cryptocurrency theft occurred within the Solana ecosystem. Subsequent investigations pointed to the Slope wallet as a key factor, alleging that a version of the wallet sent private keys or seed phrase to Sentry's service (Sentry refers to a service privately deployed by the Slope team, not an official Sentry interface or service). However, security firms have also analyzed that the investigation into the Slope wallet application so far has not definitively proven that the root cause of the incident lay with the Slope wallet. Significant technical work remains to be done, and further evidence is needed to explain the underlying cause of this incident.
Trust Wallet Low-Entropy Key Generation Vulnerability (Disclosed as CVE-2023-31290, exploit traceable back to 2022/2023): The Trust Wallet browser extension has been disclosed to have insufficient randomness: attackers can exploit the enumerability provided by the 32-bit seed to efficiently identify and deduce potentially affected wallet addresses within a specific version range, thereby stealing funds.
The battle between the genuine and the counterfeit.
The extended wallet and browser search ecosystem has long been plagued by a gray market chain involving fake plugins, fake download pages, fake update pop-ups, and fake customer service private messages. Once users install these plugins through unofficial channels or enter seed phrase/private keys on phishing pages, their assets can be instantly wiped out. When the situation escalates to the point where even the official version may be at risk, users' security boundaries are further compressed, and secondary scams often surge amidst the chaos.
As of press time, Trust Wallet has urged all affected users to update their devices as soon as possible. However, with the continued unusual movement of the stolen funds on the blockchain, the aftermath of this "Christmas heist" is clearly not over.
Whether it's Slope's plaintext logs or Trust Wallet's malicious backdoor, history always seems to repeat itself. This serves as a stark reminder to every crypto user: never blindly trust any single software endpoint. Regularly checking authorizations, distributing assets across different storage locations, and remaining vigilant for unusual version updates are perhaps the keys to survival in the crypto dark forest.
