Original Title: "Trust Wallet Plugin Version Attacked, Loss Exceeds $6 Million, Official Urgently Releases Patch"
Original Author: ChandlerZ, Foresight News
On the morning of December 26, Trust Wallet issued a security alert, confirming that version 2.68 of the Trust Wallet browser extension has a security vulnerability. Users of version 2.68 should immediately disable the extension and upgrade to version 2.69 via the official Chrome Web Store link.
According to Pionex monitoring, hackers exploiting the Trust Wallet vulnerability have stolen over $6 million in crypto assets from victims.
Currently, approximately $2.8 million of the stolen funds remain in the hackers' wallets (Bitcoin / EVM / Solana), while over $4 million in crypto assets have been transferred to centralized exchanges, specifically: about $3.3 million to ChangeNOW, about $340,000 to FixedFloat, and about $447,000 to Kucoin.
As the number of affected users surged, a code audit of Trust Wallet version 2.68 was promptly initiated. The security analysis team SlowMist discovered that hackers had implanted a seemingly legitimate data collection code, turning the official plugin into a privacy-stealing backdoor by comparing the source code differences between version 2.68.0 (the infected version) and 2.69.0 (the patched version).
Analysis: Trust Wallet Related Developers' Devices or Code Repositories May Have Been Compromised
According to the SlowMist security team, the core vehicle of this attack has been confirmed as the Trust Wallet browser extension version 2.68.0. By comparing the patched version 2.69.0, security personnel found a highly disguised piece of malicious code in the old version. As shown in the images.
The backdoor code added a PostHog to collect various privacy information from wallet users (including mnemonic phrases) and send it to the attacker's server api.metrics-trustwallet [.] com.
Based on code changes and on-chain activities, SlowMist provided an estimated timeline for the attack:
· December 08: The attacker began related preparations;
· December 22: Successfully launched the infected version 2.68 with the implanted backdoor;
· December 25: Taking advantage of the Christmas holiday, the attacker began transferring funds based on the stolen mnemonic phrases, leading to the exposure of the incident.
Additionally, SlowMist's analysis suggests that the attacker appears to be very familiar with the source code of the Trust Wallet extension. Notably, while the current patched version (2.69.0) has cut off the malicious transmission, it has not removed the PostHog JS library.
At the same time, SlowMist's Chief Information Security Officer 23pds stated on social media, "After analysis by SlowMist, there is reason to believe that the devices or code repositories of Trust Wallet related developers may have been compromised. Please disconnect from the internet and investigate the relevant personnel's devices in a timely manner." He pointed out, "Users affected by the Trust Wallet version must first disconnect from the internet, then export their mnemonic phrases to transfer assets; otherwise, opening the wallet online will result in asset theft. Those with mnemonic phrase backups must transfer assets first before upgrading the wallet."
Plugin Security Incidents Are Common
It was also noted that the attacker seems very familiar with the Trust Wallet extension source code, implanting PostHog JS to collect various information from users' wallets. Currently, the Trust Wallet patched version has not removed PostHog JS.
This incident of the official Trust Wallet version turning into a Trojan has led the market to recall several high-risk attacks on hot wallet frontends in recent years. From attack methods to vulnerability causes, these cases provide important reference coordinates for understanding this incident.
· When Official Channels Are No Longer Safe
The Trust Wallet incident is most similar to attacks on software supply chains and distribution channels. In such incidents, users not only do not make mistakes but are even victimized for downloading "genuine software."
Ledger Connect Kit Poisoning Incident (December 2023): The frontend code repository of hardware wallet giant Ledger was compromised by hackers through phishing methods, uploading a malicious update package. This led to the contamination of multiple leading dApp frontends, including SushiSwap, which displayed fake connection windows. This incident is regarded as a textbook case of "supply chain attack," proving that even companies with excellent security reputations can have their Web2 distribution channels (such as NPM) become high-risk single points of failure.
Hola VPN and Mega Extension Hijacking (2018): As early as 2018, the developer account of the well-known VPN service Hola was hacked. The hacker pushed an "official update" containing malicious code specifically to monitor and steal MyEtherWallet users' private keys.
· Code Defects: The "Naked Running" Risk of Mnemonic Phrases
In addition to external poisoning, the implementation flaws in wallets when handling sensitive data such as mnemonic phrases and private keys can also lead to large-scale asset losses.
Slope Wallet Log System Collecting Sensitive Information Controversy (August 2022): A large-scale theft incident occurred in the Solana ecosystem, and one of the focal points of the subsequent investigation report pointed to the Slope wallet, which sent private keys or mnemonic phrases to Sentry's service in a certain version (the Sentry service refers to the Sentry service privately deployed by the Slope team, not the interface and service provided by Sentry officially). However, security companies also analyzed that the investigation into the Slope wallet application has not yet been able to clearly prove that the root cause of the incident lies with the Slope wallet, and a lot of technical work needs to be completed, requiring further evidence to explain the fundamental cause of this incident.
Trust Wallet Low Entropy Key Generation Vulnerability (disclosed as CVE-2023-31290, exploit traceable to 2022/2023): The Trust Wallet browser extension was disclosed to have a randomness issue: attackers could exploit the enumerability brought by a mere 32-bit seed to efficiently identify and derive potentially affected wallet addresses within a specific version range, thereby stealing funds.
· The Game Between "Li Kui" and "Li Gui"
Extension wallets and browser search ecosystems have long been plagued by fake plugins, fake download pages, fake update pop-ups, and fake customer service messages, creating gray industry chains. Once users install from unofficial channels or input mnemonic phrases/private keys on phishing pages, they may instantly lose all their assets. When incidents evolve to the point where risks may also arise from official versions, users' security boundaries are further compressed, and secondary scams often surge amid the chaos.
As of the time of publication, Trust Wallet has urged all affected users to complete version updates as soon as possible. However, with the ongoing movement of stolen funds on-chain, the aftermath of this "Christmas heist" is clearly not over.
Whether it is Slope's plaintext logs or Trust Wallet's malicious backdoor, history is always remarkably similar. This serves as a reminder to every crypto user not to blindly trust any single software terminal. Regularly check authorizations, diversify asset storage, and remain vigilant against abnormal version updates may be the survival rules for navigating the dark forest of crypto.
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
