Overview
- Trust Wallet says exposed GitHub secrets and a leaked Chrome Web Store API key let an attacker access source code and publish the trojanized v2.68 without internal approval.
- The malicious build harvested wallet seed phrases on every unlock by hiding them in an “errorMessage” telemetry field and exfiltrated data to metrics-trustwallet[.]com.
- Investigators report roughly $8.5 million was drained from 2,520 wallets and moved into at least 17 attacker-controlled addresses.
- The company rolled back the extension, released a clean v2.69, revoked release APIs and CWS access, and had the malicious domains suspended by registrar NiceNIC.
- Claims-based reimbursements are under review as researchers continue tracing the funds, and users are warned about impostor support accounts and fake compensation forms.
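The exfiltration technique described above (a seed phrase smuggled out inside an ordinary-looking `errorMessage` telemetry field) is the kind of thing egress monitoring can catch. The following is an added detection example written for this summary; it is not code from Trust Wallet, the investigators, or the malicious extension. It assumes a hypothetical proxy-log record shape (`host` plus a JSON `body`), uses the exfiltration domain named in the write-up as a blocklist entry, and flags mnemonic-shaped strings with a structural heuristic (12 to 24 lowercase words of 3 to 8 letters, the shape of BIP-39 English words) rather than the full 2048-word BIP-39 list, which a production detector would add. It also generalizes past the single `errorMessage` field by inspecting every string value in the telemetry body. The sample records are constructed; the mnemonic in them is the first twelve words of the public BIP-39 English wordlist.

```python
import json
import re

# Exfiltration domain reported in the incident (defanged in the write-up as metrics-trustwallet[.]com).
EXFIL_DOMAINS = {"metrics-trustwallet.com"}

# Word counts a BIP-39 mnemonic can have (128 to 256 bits of entropy).
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}

# BIP-39 English words are 3 to 8 lowercase letters. This checks shape only;
# a production detector would also test each word against the 2048-entry wordlist.
WORD_RE = re.compile(r"^[a-z]{3,8}$")

# Constructed sample telemetry records in a hypothetical proxy-log shape: host + JSON body.
SAMPLE_RECORDS = [
    {"host": "api.example-wallet.test",
     "body": json.dumps({"event": "unlock",
                         "errorMessage": "Failed to fetch balance: network timeout"})},
    {"host": "metrics-trustwallet.com",
     "body": json.dumps({"event": "unlock",
                         "errorMessage": "abandon ability able about above absent "
                                         "absorb abstract absurd abuse access accident"})},
    {"host": "api.example-wallet.test",
     "body": json.dumps({"event": "ping"})},
]


def looks_like_mnemonic(text):
    """True if the string has the word count and word shape of a BIP-39 mnemonic."""
    words = text.split()
    return len(words) in MNEMONIC_LENGTHS and all(WORD_RE.match(w) for w in words)


def string_fields(obj):
    """Yield every string value anywhere inside a parsed JSON document."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from string_fields(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from string_fields(value)


def analyze_record(record):
    """Return the list of alert reasons for one telemetry record (empty when clean)."""
    reasons = []
    if record["host"].lower().rstrip(".") in EXFIL_DOMAINS:
        reasons.append("known-exfil-domain")
    try:
        body = json.loads(record["body"])
    except (json.JSONDecodeError, TypeError):
        # Non-JSON bodies are out of scope for the mnemonic check; keep any domain hit.
        return reasons
    # Telemetry has no legitimate reason to carry a mnemonic in any field,
    # so every string value is inspected, not only errorMessage.
    if any(looks_like_mnemonic(s) for s in string_fields(body)):
        reasons.append("mnemonic-like-string-in-telemetry")
    return reasons


def scan(records):
    """Return (index, reasons) for every record that raises at least one alert."""
    results = []
    for index, record in enumerate(records):
        reasons = analyze_record(record)
        if reasons:
            results.append((index, reasons))
    return results


if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_RECORDS):
        print(f"record {index}: {', '.join(reasons)}")
```

Run against the constructed records, only the second one fires, on both the domain match and the mnemonic-shaped `errorMessage`. The two signals are deliberately independent: the domain rule catches this specific campaign, while the content rule keeps working after the attacker moves to a new host, at the cost of occasional false positives on long lowercase messages that a wordlist check would remove.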