Trust Wallet confirmed that a compromised Chrome extension update released on December 24 led to $7 million in stolen cryptocurrency after users reported their wallets drained.
"So far, $7m affected by this hack. TrustWallet will cover. User funds are SAFU. Appreciate your understanding for any inconveniences caused," posted Binance founder Changpeng "CZ" Zhao on X.
"The team is still investigating how hackers were able to submit a new version."
At the same time, BleepingComputer observed threat actors launching phishing domains that promised a bogus "vulnerability" fix, but instead further drained victim wallets.
Wallets drained after Christmas Eve update
On December 24, multiple cryptocurrency users began reporting on social media that funds had been drained from their wallets shortly after interacting with the Trust Wallet Chrome browser extension. It has now been confirmed that at least $7 million in crypto was stolen in the supply chain attack.
Trust Wallet is a widely used non-custodial cryptocurrency wallet that allows users to store, manage, and interact with digital assets across multiple blockchains. The wallet is available as a mobile app and as a Chrome browser extension used to interact with decentralized applications (dApps).
"More and more people are complaining about money disappearing from their browser extension immediately after simple authorization... The amount of damage has already exceeded $2 million?" a user posted earlier, while sharing posts from those claiming to be victims of the extension update.
Security analyst Akinator (@0xakinator) warned everyone on X to refrain from using the Trust Wallet Chrome extension in the meantime.