Trust Wallet Chrome Extension Hack Tied To Millions In Losses

Several users of the Trust Wallet Chrome extension report having their cryptocurrency wallets drained after installing a compromised extension update released on December 24, prompting an urgent response from the company and warnings to affected users.

At the same time, BleepingComputer observed threat actors launching phishing domains that promised a bogus "vulnerability" fix, but instead further drained victim wallets.

On December 24, multiple cryptocurrency users began reporting on social media that funds had been drained from their wallets shortly after interacting with the Trust Wallet Chrome browser extension. Sources including PeckShield Alert estimate that losses from the attack exceed $6 million in stolen cryptocurrency assets.

Trust Wallet is a widely used non-custodial cryptocurrency wallet that allows users to store, manage, and interact with digital assets across multiple blockchains. The wallet is available as a mobile app and as a Chrome browser extension used to interact with decentralized applications (dApps).

"More and more people are complaining about money disappearing from their browser extension immediately after simple authorization... The amount of damage has already exceeded $2 million?" a user posted earlier, while sharing posts from those claiming to be victims of the extension update.

Security analyst Akinator warned everyone to refrain from using the Trust Wallet Chrome extension in the meantime.

BleepingComputer confirmed that Trust Wallet released version 2.68.0 of its Chrome extension on December 24, shortly before reports of wallet drain incidents began surfacing.

As complaints and warnings escalated online, BleepingComputer reached out to Trust Wallet for clarification and confirmation of a possible security incident. While we did not receive an immediate response, we observed that version 2.69 of the Trust Wallet Chrome extension was quietly released shortly afterward on the Chrome Web Store.

Within hours of the incident, security researchers identified suspicious code in version 2.68.0 of the Trust Wallet Chrome extension.

According to Akinator, the suspicious logic is located in a bundled JavaScript file named 4482.js, which contains tightly packed code that appears to exfiltrate sensitive wallet data to an external server hosted at api.metrics-trustwallet[.]com.

Source: BleepingComputer