
Trust Wallet Chrome Extension Hack Costs $8.5 Million Theft


Chrome extension compromise resulted in millions of theft

Trust Wallet recently disclosed that the Shai-Hulud supply chain attack in November last year may have been responsible for the compromise of its Google Chrome extension, which led to the theft of $8.5 million in assets.

About the incident

According to the company, its "developer GitHub secrets were exposed in the attack, which gave the attacker access to our browser extension source code and the Chrome Web Store (CWS) API key." The attacker obtained full CWS API access via the leaked key, allowing builds to be uploaded directly without Trust Wallet's standard release process, which requires internal approval and manual review.

Later, the threat actor registered the domain "metrics-trustwallet[.]com" and deployed a backdoored version of the extension that harvested users' wallet mnemonic phrases and sent them to the subdomain "api.metrics-trustwallet[.]com."

Attack tactic 

According to Koi, a cybersecurity company, the implanted code runs on every wallet unlock, harvesting sensitive data each time. It made no difference whether the victim unlocked with biometrics or a password, or whether the extension had been opened only once after the 2.68 update or used for months.

The researchers Yuval Ronen and Oren Yomtov reported that, "the code loops through every wallet in the user's account, not just the active one. If you had multiple wallets configured, all of them were compromised. Seed phrases are stuffed into a field called errorMessage inside what looks like standard unlock telemetry. A casual code review sees an analytics event tracking unlock success with some error metadata."
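A defender-side check for the pattern the researchers describe, added here as an example and not code from Trust Wallet, Koi or the original post: it walks outbound telemetry events and flags free-text fields such as errorMessage whose value is shaped like a seed phrase. The word-shape heuristic (12 to 24 lowercase words of three to eight letters, the shape of a BIP-39 mnemonic) and the sample events are assumptions constructed for this example.

```javascript
// Added example: scan telemetry payloads for seed-phrase-shaped strings
// hidden in free-text fields. Not Trust Wallet's or Koi's code.
//
// Heuristic (an assumption for this example): a BIP-39 mnemonic is 12, 15, 18,
// 21 or 24 lowercase words of 3-8 letters; real error text almost always has
// digits, punctuation or capitalised words, so it fails the shape test.

const MNEMONIC_LENGTHS = new Set([12, 15, 18, 21, 24]);

function looksLikeMnemonic(value) {
  if (typeof value !== 'string') return false;
  const words = value.trim().split(/\s+/);
  if (!MNEMONIC_LENGTHS.has(words.length)) return false;
  return words.every((w) => /^[a-z]{3,8}$/.test(w));
}

// Recursively walk a JSON-like object and return the dotted paths of every
// field whose value looks like a mnemonic, wherever it is nested.
function findSuspiciousFields(obj, path = '') {
  const hits = [];
  if (obj && typeof obj === 'object') {
    for (const [key, val] of Object.entries(obj)) {
      const p = path ? `${path}.${key}` : key;
      if (looksLikeMnemonic(val)) hits.push(p);
      else hits.push(...findSuspiciousFields(val, p));
    }
  }
  return hits;
}

// Audit a batch of captured events; one report entry per event.
function auditTelemetry(events) {
  return events.map((ev, i) => ({
    index: i,
    event: ev.event,
    leaks: findSuspiciousFields(ev),
  }));
}

// Constructed sample events: two benign unlock events and one shaped like the
// backdoor's "unlock telemetry" with a mnemonic stuffed into errorMessage.
// The phrase is a published BIP-39 test vector, not a real wallet.
const SAMPLE_EVENTS = [
  { event: 'wallet_unlock', success: true, errorMessage: '' },
  { event: 'wallet_unlock', success: false, errorMessage: 'Error 0x1F: Keychain unavailable' },
  {
    event: 'wallet_unlock',
    success: true,
    errorMessage: 'legal winner thank year wave sausage worth useful legal winner thank yellow',
  },
];

// Stand-alone run: prints one line per flagged event.
for (const r of auditTelemetry(SAMPLE_EVENTS)) {
  if (r.leaks.length) console.log(`event ${r.index} (${r.event}) leaks mnemonic in: ${r.leaks.join(', ')}`);
}
```

The same walk can be run over payloads captured by a proxy or by an extension-store reviewer's test harness; the point is that a mnemonic in a field named like telemetry still has the mnemonic's shape. The heuristic will also match ordinary lowercase sentences of the right length, so treat hits as items for review rather than automatic blocks, and tighten it with the actual BIP-39 wordlist where that is available.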

Movie “Dune” reference? Yes.

Besides this, the analysis also revealed that querying the server directly returned the reply "He who controls the spice controls the universe." It is a Dune reference also seen in related incidents such as the Shai-Hulud npm attack. "The Last-Modified header reveals the infrastructure was staged by December 8 – over two weeks before the malicious update was pushed on December 24," it added. "This wasn't opportunistic. It was planned."

The findings came after Trust Wallet asked the one million users of its Chrome extension to update to version 2.69 after a malicious update (version 2.68) was pushed to the browser's extension marketplace by unknown attackers on December 24, 2025.

The breach resulted in the loss of $8.5 million in cryptocurrency assets, stolen from 2,520 wallet addresses. The thefts were first reported after the malicious update.

Control measures 

Post-incident, Trust Wallet has started a reimbursement claim process for affected victims and has implemented additional monitoring of its release processes.


Trust Wallet & MetaMask Crypto Wallets: Targeted by New Support Scam


Users of Trust Wallet and MetaMask are the targets of an ongoing Twitter phishing campaign aimed at stealing cryptocurrency funds. MetaMask and Trust Wallet are mobile apps that let users create wallets to store, buy, send, and receive cryptocurrency and NFTs.

When users first open the MetaMask or Trust Wallet apps, they are prompted to create a new wallet. As part of this procedure the app displays a 12-word recovery phrase and encourages users to save it somewhere safe. The apps use this recovery phrase to generate the private keys needed to access the wallet. Anyone who knows the recovery phrase can import the wallet and access the cryptocurrency funds it contains.

For the past two weeks, BleepingComputer has been monitoring a Twitter phishing scam that targets Trust Wallet and MetaMask users and steals cryptocurrency wallets by spreading fake technical support forms. The scam begins with genuine MetaMask or Trust Wallet users tweeting about a problem with their wallets, such as stolen funds, being unable to access their wallets, or trouble using the apps.

Scammers reply to these tweets posing as members of the app's support team, or as users claiming that "Instant support" helped them with the same problem. The targets are encouraged to fill out a support form via the included docs.google.com or forms.app links.

Users who click on these links are taken to a page that looks like a help form for Trust Wallet or MetaMask. These forms ask for the visitor's email address, name, the problem they are having, and then the scam's crown jewel: the wallet's 12-word recovery phrase. With a Trust Wallet or MetaMask user's recovery phrase, threat actors can import the victim's wallet on their own devices and steal all of the deposited cryptocurrency funds.

Unfortunately, there is nothing a user can do to recover funds once a threat actor has stolen them. Cryptocurrency phishing scams have long been common, with one MetaMask user losing over $30,000 in cryptocurrency after sharing their recovery phrase.

Trust Wallet and MetaMask users should never share their wallet's recovery phrase or type it into any app or website. Furthermore, a legitimate organization would not use Google Docs or online form-building sites for help requests. Seek assistance only through the official support pages of the app or software you are having trouble with.

When it comes to cryptocurrencies and financial assets, users should always type the URL they wish to visit into their browser rather than relying on links in emails or messages, since it is simple to build lookalike domains that impersonate legitimate sites. This way, users avoid landing on phishing sites that impersonate a legitimate service.