A hacker attack on a popular crypto wallet affected 2596 addresses and resulted in $7 million in damages.

Christmas scam: how Trust Wallet users were robbed

29.12.2025


On December 26, reports emerged that funds had been stolen from a number of Trust Wallet users. Shortly thereafter, the company itself confirmed the problem and reported that a serious security vulnerability had been discovered in version 2.68 of the Trust Wallet browser extension. Anyone who had this version installed was advised to immediately disable it and upgrade to a newer version. GetBlock AML Research explains how attackers managed to carry out an attack on the popular crypto wallet.

How the attack was carried out

The essence of the problem was that malicious code had been secretly added to that version of the extension. This code quietly accessed all wallets stored in the extension and extracted their secret words, the so-called seed phrase. These words are the complete “key” to the wallet: anyone who knows them can control the money without restrictions. When the user opened the wallet and entered the password, the extension decrypted the secret data and sent it to the attackers’ server. Nothing was visible from the outside: the user saw neither warnings nor confirmation requests.

Once they obtained the seed phrase, the attackers took complete control of the wallet and transferred the funds to other addresses. The money was quickly moved between different services and networks to cover their tracks.

The attack was prepared in advance. The server to which the stolen data was sent appeared in early December, and the first signs of theft coincided with the release of the problematic version of the extension. This indicates that what happened was not an accidental error or technical failure. This was a targeted and professionally organized intervention in the program’s code itself, rather than an infection via third-party add-ons.

Where did the users’ funds go?

According to Trust Wallet developers’ estimates, the hacker attack affected 2596 wallets and caused $7 million in damages. The Trust Wallet team promised to compensate users for their losses from the hack. The stolen funds were immediately sent to centralized exchanges (KuCoin) and exchange services (ChangeNOW and FixedFloat).

Scheme for laundering stolen funds. Visualization: MistTrack.

The main conclusion from this situation is that the threat was inside the official update, not in the actions of users. Therefore, a regular program update does not always guarantee security. If the Trust Wallet browser extension has ever been installed, such a wallet can no longer be considered completely reliable. Even if the funds remain in place for now, there is a risk that third parties have already gained access to them. In such cases, it is recommended to consider the old wallet compromised and transfer the funds as quickly as possible to a new one created in another application, then delete the vulnerable extension.
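To act on the advice about version 2.68, the following added example (not code from Trust Wallet or GetBlock) scans a Chromium profile's Extensions directory and reports every Trust Wallet build it finds, flagging the affected one. It assumes the extension's display name contains "Trust Wallet" and that the manifest version string begins with 2.68; the function and constant names are illustrative.

```python
import json
from pathlib import Path

AFFECTED_PREFIX = "2.68"        # version named in the advisory
PRODUCT_NAME = "trust wallet"   # assumption: display name contains this text


def _display_name(ext_dir: Path, manifest: dict) -> str:
    """Resolve the manifest name, following a __MSG_key__ locale reference."""
    name = str(manifest.get("name", ""))
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    key = name[6:-2].lower()
    locale_dir = ext_dir / "_locales" / str(manifest.get("default_locale", "en"))
    try:
        messages = json.loads((locale_dir / "messages.json").read_text("utf-8-sig"))
    except (OSError, ValueError):
        return name
    if not isinstance(messages, dict):
        return name
    for k, v in messages.items():
        if k.lower() == key and isinstance(v, dict):
            return str(v.get("message", name))
    return name


def _is_affected(version: str) -> bool:
    # Match 2.68 and 2.68.x, but not 2.680 or 12.68
    return version == AFFECTED_PREFIX or version.startswith(AFFECTED_PREFIX + ".")


def find_trust_wallet(extensions_root) -> list:
    """Return one record per Trust Wallet build found under a Chromium
    profile's Extensions directory (layout: <id>/<version dir>/manifest.json)."""
    findings = []
    for manifest_path in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text("utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or corrupt manifest: skip it
        if not isinstance(manifest, dict):
            continue
        if PRODUCT_NAME not in _display_name(manifest_path.parent, manifest).lower():
            continue
        version = str(manifest.get("version", ""))
        findings.append({"extension_id": manifest_path.parent.parent.name,
                         "version": version, "affected": _is_affected(version)})
    return findings
```

Point it at a profile's Extensions directory, for example `~/.config/google-chrome/Default/Extensions` for Chrome on Linux. An empty result only means the extension is not installed in that profile now, not that it never was.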
