HomeBreaking NewsTrustWallet Hack Explained: From Update to Wallet Drains worth $4M in $TWT,...
Trust Wallet Hack Explained: The Update That Drained Wallets
Trust Wallet Hack Explained: The Update That Drained Wallets
Breaking NewsEducationHackedNewsReview

TrustWallet Hack Explained: From Update to Wallet Drains worth $4M in $TWT, BTC, ETH

Antony Jackson
By Antony Jackson

-

36
0
$LYNO PRESALE : AI-Powered Arbitrage Engine

What Exactly Happened in the Trust Wallet Hack

Step 1: A New Browser Extension Update Was Released

A new update for the Trust Wallet browser extension was released on December 24.

  • The update seemed routine.
  • No major security warnings came with it.
  • Users installed it through the usual update process.

At this point, nothing seemed suspicious.

Step 2: New Code Was Added to the Extension

After the update, researchers looking into the extension’s files noticed changes in a JavaScript file known as 4482.js.

Key observation:

  • The new code was not in earlier versions.
  • It introduced network requests linked to user actions.

This matters because browser wallets are very sensitive environments; any new outgoing logic poses a high risk.

Step 3: Code Masqueraded as “Analytics”

The added logic appeared as analytics or telemetry code.

Specifically:

  • It looked like tracking logic used by common analytics SDKs.
  • It did not trigger all the time.
  • It activated only under certain conditions.

This design made it harder to detect during casual testing.

Step 4: Trigger Condition Importing a Seed Phrase

Community reverse-engineering suggests the logic was triggered when a user imported a seed phrase into the extension.

Why this is critical:

  • Importing a seed phrase gives the wallet full control.
  • This is a one-time, high-value moment.
  • Any malicious code only needs to act once.

Users who only used existing wallets may not have triggered this path.

Step 5: Wallet Data Was Sent Externally

When the trigger condition occurred, the code allegedly sent data to an external endpoint:

metrics-trustwallet[.]com

What raised alarms:

  • The domain looked a lot like a legitimate Trust Wallet subdomain.
  • It was registered only days earlier.
  • It was not publicly documented.
  • It later went offline.

At least, this confirms unexpected outgoing communication from the wallet extension.

Step 6: Attackers Acted Immediately

Shortly after seed phrase imports, users reported:

  • Wallets drained within minutes.
  • Multiple assets moved quickly.
  • No further user interaction was needed.

On-chain behavior showed:

  • Automated transaction patterns.
  • Multiple destination addresses.
  • No obvious phishing approval flow.

This suggests attackers already had enough access to sign transactions.

Step 7: Funds Were Consolidated Across Addresses

Stolen assets were routed through several attacker-controlled wallets.

Why this matters:

  • It suggests coordination or scripting.
  • It reduces reliance on a single address.
  • It matches behavior seen in organized exploits.

Estimates based on tracked addresses suggest millions of dollars moved, although totals vary.

Step 8: The Domain Went Dark

After attention increased:

  • The suspicious domain stopped responding.
  • No public explanation followed immediately.
  • Screenshots and cached evidence became crucial.

This is consistent with attackers destroying infrastructure once exposed.

Step 9: Official Acknowledgment Came Later

Trust Wallet later confirmed:

  • A security incident affected a specific version of the browser extension.
  • Mobile users were not affected.
  • Users should upgrade or disable the extension.

However, no full technical breakdown was given right away to explain:

  • Why the domain existed.
  • Whether seed phrases were exposed.
  • Whether this was an internal, third-party, or external issue.

This gap fueled ongoing speculation.

What Is Confirmed

  • A browser extension update introduced new outgoing behavior.
  • Users lost funds shortly after importing seed phrases.
  • The incident was limited to a specific version.
  • Trust Wallet acknowledged a security issue.

What Is Strongly Suspected

  • A supply-chain issue or malicious code injection.
  • Seed phrases or signing ability being exposed.
  • The analytics logic being misused or weaponized.

What Is Still Unknown

  • Whether the code was intentionally malicious or compromised upstream.
  • How many users were affected.
  • Whether any other data was taken.
  • Exact attribution of the attackers.

Why This Incident Matters

This was not typical phishing.

It highlights:

  • The danger of browser extensions.
  • The risk of blindly trusting updates.
  • How analytics code can be misused.
  • Why handling seed phrases is the most critical moment in wallet security.

Even a short-lived vulnerability can have serious consequences.

FOLLOW US

Antony Jackson
Antony Jackson

Most Popular

LiveBitcoinNews is a leading online platform dedicated to providing the latest news and insights about Bitcoin and the broader cryptocurrency market. It offers timely updates on market trends, regulatory developments, technological advancements, and expert analyses, catering to both seasoned investors and newcomers in the digital currency space. The site features a variety of content, including articles, guides, interviews, and opinion pieces, making it a comprehensive resource for anyone interested in staying informed about the rapidly evolving world of cryptocurrencies.

Contact us: support@livebitcoinnews.com
Official Press Kit : Press Kit

© Copyright - Livebitcoinnews.com

Banner