Trust Wallet has earned its place as one of the world’s premier crypto wallets, maintaining an impressive security record until a recent incident shook its foundation.
As history has shown, even the mightiest fortresses, like Troy, can be vulnerable to crafty adversaries.
Even so, analyzing the entire Trust Wallet activity, it is still a reasonably safe wallet.
This article will delve into the unfortunate hacking event that impacted Trust Wallet, explore related allegations, provide insights on detecting potential threats, and equip you with essential measures to safeguard your assets while confidently utilizing Trust Wallet.
What is Trust Wallet?
Trust Wallet is a non-custodial wallet that provides its users complete control over cryptocurrencies and NFTs and also is the official wallet of the Binance Exchange.
It boasts support for over 70 blockchains and hosts a vast array of more than 9 million digital assets.
The unique feature of Trust Wallet lies in its seamless integration with decentralized applications (DApps), enabling secure interactions with diverse DApps across various blockchains.
With Trust Wallet, users enjoy a lot of functionalities, such as purchasing, sending, receiving, staking, trading, and storing cryptocurrencies.
Operating as a hot wallet connected to the internet, it offers unparalleled flexibility for asset management at any time and from any location.
Trust Wallet is a favored choice for free crypto airdrops and is readily accessible on Android, iOS, and as a browser extension.
Was Trust Wallet Hacked?
In the past 12 months (from July 2022 to July 2023), Trust Wallet has faced several critical incidents and accusations involving money losses caused by hackers or security breaches.
So, yes, we can say that Trust Wallet has experienced hacking incidents. But not all of these cases were the fault of the wallet, and below we will expose the most recent accusations of the last year, and we will show where there is a problem with the wallet and where there is not.
The first incident involved a vulnerability affecting wallet addresses created through the browser extension from November 14 to 23, resulting in a loss of nearly $170,000.
1/10 Trust Wallet is built on security & trust. So we're sharing a vulnerability affecting new addresses created Nov 14-23,22 using the Browser Extension.— Trust Wallet (@TrustWallet) April 22, 2023
The issue is fixed. Most at-risk funds are secured. Affected users should take actions outlined:
The second incident came to light on February 8, 2023, when Trust Wallet officially announced an attack that occurred on one of their users during the preceding week, leading to an estimated loss of $4 million.
1/ This week, an organised crime unit from Rome stole $4M from one of our users.— Trust Wallet (@TrustWallet) February 8, 2023
It was stated, the thief ‘took a picture’ of the user’s Wallet balance to steal the funds.
We’ve done investigating into the events and believe this is how it happened…🧵👇
Let’s see how these events happened in order to understand if it’s a Trust Wallet problem or if they are simply unfortunate events not due to the wallet vendor.
How Did It Happen
Trust Wallet Security Incident from November 2022
In November 2022, Trust Wallet encountered a security vulnerability that led to losses of nearly $170,000 for some users.
This vulnerability was not discovered at the time, but only a few months later, in April 2023, Trust Wallet announced this event.
The issue was discovered through their bug bounty program when a security researcher reported a vulnerability in the open-source library Wallet Core related explicitly to WebAssembly.
The vulnerability affected new wallet addresses generated by the Trust Wallet Browser Extension between November 14 and 23, 2022. Wallet addresses created before and after those dates were confirmed to be safe.
This breach resulted in two exploits, causing a total loss of approximately $170,000. Although the issue has been patched, around 500 vulnerable addresses with an $88,000 balance remain.
Trust Wallet urged its affected users to create new wallets and transfer their funds to safeguard.
Consequently, the Trust Wallet team established a reimbursement process to compensate users impacted by the vulnerability. Moreover, the company extended its support to affected users by reimbursing approximately $7,700 in gas fees for those transferring their funds to secure, uncompromised wallets.
So, in this case, it is pretty clear that Trust Wallet was hacked regarding the November 2022 incident, with Trust Wallet starting in April (when they discovered the event) to take action.
February 2023 Accusations: Trust Wallet User Hacked, Estimated Damage of $4 Million
In February 2023, Trust Wallet also faced allegations that a wallet user lost $4 million to a criminal organization operating in Rome, Italy. That wallet belonged to Web 3 startup Webaverse.
a crypto scam stole 4m by just taking a photo of a trust wallet screen, with no seed phrases or any private info on sight pic.twitter.com/yOQGbReF1I— 0xngmi (@0xngmi) February 6, 2023
After this story broke in the media, Trust Wallet also started investigating the event to make sure this scam was not done because of their product.
Thus, after investigating, the following was discovered:
The Trust Wallet team’s investigation revealed that the incident resulted from a social engineering scam from an organized crime unit based in Rome, Italy, that unfolded over a series of events leading up to the theft. The criminals deliberately insisted on meeting the victim in person, demanding to see the proof of funds stored in a hot wallet during the face-to-face meeting.
The user’s funds were initially held in a multi-sig wallet in the case under scrutiny. However, the criminals persuaded the user to transfer the funds to a new, single Trust Wallet a few weeks before their meeting.
Before the theft, the thief shared a PDF file labeled as an NDA (Non-Disclosure Agreement) and fake KYC (Know Your Customer) information with the victim in preparation for their proposed business interaction. The criminals then met the victim for dinner before the proof of funds was to be presented.
Shortly after the proof of funds was shown during the meeting, the newly set up Trust Wallets were swiftly drained of their contents. The criminal had taken a photograph of the proof of funds, which aligned with the initial theory of stealing the funds through a picture.
Thus, the charges against Trust Wallet were related to the fact that someone managed to access another person’s wallet through a simple picture they took in the victim’s app without the criminals knowing the key phrase or other authentication data.
However, analyzing the situation, we can deduce the following aspects that exonerate Trust Wallet in this case, even though many users condemned the wallet:
- It shows how the criminal organization targeted the victim (the criminal organization playing the role of potential investors).
- If the problem was on the Trust Wallet side, probably many more users would have been harmed by this hack.
- It is recognized that there was prior communication by email, and files sent from the criminals (NDA and KYC) were accessed, which may justify how the criminals obtained the access data to the victim’s Trust Wallet account – with malware.
Has Trust Wallet Been Hacked Before?
Apart from the events mentioned earlier, Trust Wallet has a clean record with no major hacking incidents. The occurrences, as mentioned earlier, highlight the current novelty surrounding Trust Wallet, as it has demonstrated resilience against hackers, code exploits, and other potential threats up until this point.
Trust Wallet Hacked: How to Determine If You’ve Been Affected?
If you’re concerned about the potential impact of the Trust Wallet browser extension incident on your security, take a moment to verify the status.
To check if your wallet addresses are at risk, simply inspect the TW Browser Extension for any displayed notification. If no warning is visible, rest assured that your wallet addresses are secure and the vulnerability does not pertain to you.
However, if you have received a push notification in either your Trust Wallet App or Browser Extension, it means that your private key has been affected by a prior exploit and is no longer safe for use.
In such a case, we strongly advise you to transfer your funds to a newly created Trust Wallet wallet to mitigate potential fund loss risk.
Moreover, if you noticed unusual fund movements during late December 2022 or late March 2023, you might be among the unfortunate few who were impacted by the two exploits. We kindly urge you to thoroughly review the Trust Wallet’s reimbursement process to familiarize yourself with the subsequent steps.
Steps to Take If Your Trust Wallet Gets Hacked
If you notice anything uncommon on Trust Wallet in any other context than the one mentioned above (like due to disclosing your recovery phrase or encountering malware on your device), there are several steps you can take that we recommend, and it’s crucial to act swiftly to safeguard any remaining funds in your wallet.
Remember, cryptocurrency transactions are irreversible, so if your coins or tokens have already been transferred to an external wallet address, recovering them becomes extremely challenging.
Here are some steps you can take if you suspect your Trust Wallet has been hacked:
Create a New Wallet and Transfer Your Funds
The first thing you need to know, if it’s not too late, is to create a new wallet and transfer your funds quickly.
We recommend creating the new wallet on another device you believe has not been compromised, even if you suspect a hacker involved or a person you told your recovery phrase to.
You can move on to the next step once you’ve ensured your assets are safe.
Check for Malware on Your Device
Once you’ve made sure your assets are safe and if you can exclude someone who has access to your recovery phrase from the equation, it’s possible that your wallet was compromised due to malware.
Though mobile operating systems like Android and iOS are less prone to malware than desktop systems like Windows, it’s still essential to consider the possibility of malware infecting your device.
If you suspect that your device might be infected with malware targeting crypto wallets, we recommend the following steps:
- Create a new wallet on another device, such as your PC or another smartphone, and transfer all your crypto assets there if the hacker hasn’t already moved them.
- Download a reputable mobile anti-virus and scan your device to check for any detected malware on your phone.
- If the anti-virus doesn’t find any malware, you can attempt a factory reset of your phone to eliminate any potential malicious apps or scripts. Before resetting, back up all your important files and data.
- After the reset, reinstall Trust Wallet and create a new wallet. Transfer your funds to this new wallet to resume using Trust Wallet. You can also import the new wallet you created using the recovery phrase provided by the wallet.
Track Criminals’ Transaction Through a Blockchain Explorer
If the hacker already moved your funds to an external wallet, there are limited options for recovery, but you can try the following:
- Use a Blockchain Explorer – Trace the transactions made by the hacker using a blockchain explorer specific to the cryptocurrency involved (e.g., Blockchain.com for Bitcoin, Etherscan.io for Ethereum, BscScan.com for Binance Smart Chain tokens).
- Identify the Destination Wallet – Find the wallet address where the hacker transferred your crypto.
- Contact Centralized Exchanges – Contact their customer support if the funds were sent to a wallet on a centralized exchange like Binance. They might be able to help if you can provide information about the incident.
- Non-Custodial Wallets – It becomes extremely difficult to recover if the funds are transferred to a non-custodial wallet. Non-custodial wallets don’t require user information, making tracing or retrieving the funds hard.
While there’s no guarantee of success, exploring these recommendations may offer some chances of recovering your assets or taking appropriate action.
Report the Incident to the Law Enforcement
If you’ve exhausted all other options and still need help, it’s time to involve law enforcement in your country. Reporting the incident to the police or relevant authorities should be your final resort, especially if you have suffered significant losses.
Reach out to the appropriate law enforcement that handles cybercrimes.
While it’s important to be aware that the chances of recovering stolen crypto assets through law enforcement are generally low, reporting the case is still essential. Even though they might have a large number of reports to handle, there’s still a possibility they could take action or assist in some way.
Steps to Safeguard Your Wallet and Minimize Hacking Risks
Trust Wallet is highly secure, but you must also take measures to protect it from potential hacks by malicious parties. Here’s what you can do:
- Never Share Your Recovery Phrase – Never share your secret recovery phrase with anyone, no matter who they claim to be. Legitimate Trust Wallet support will never ask for your recovery phrase.
- Backup Your Recovery Phrase Securely – Safely back up your 12-word recovery phrase, preferably offline, where it’s inaccessible to others.
- Be Cautious with Shady Websites – Avoid approving connections to shady websites or DApps on your wallet. Hackers may create malicious DApps to access your funds once you connect your wallet.
- Download Trust Wallet from Official App Stores.
- Consider Cold Wallets for Large Amounts: Consider using a cold wallet for significant cryptocurrency investments.
Can a Trust Wallet Get Hacked?
Yes, Trust Wallet (like any other crypto wallet) can be susceptible to hacking attempts, but there’s little chance for hacking attempts to have results. While it follows security standards, hacking is always risky due to user error, malware on devices, or connecting to suspicious third-party apps. Never share your recovery phrase to minimize the risk, download Trust Wallet from trusted sources, verify DApps before connecting, enable security features, and consider using cold wallets for significant holdings.
How Did Trust Wallet Get Hacked?
In November 2022, Trust Wallet experienced a security vulnerability that resulted in losses of nearly $170,000 for some users. The vulnerability was discovered in April 2023 through their bug bounty program when a security researcher reported a flaw in the open-source library Wallet Core related to WebAssembly. This vulnerability affected new wallet addresses created by the Trust Wallet Browser Extension between November 14 and 23, 2022. Trust Wallet promptly patched the issue and initiated a reimbursement process for affected users.
How to Know If You’ve Been Hacked?
To determine if you’ve been hacked on Trust Wallet, carefully inspect the Trust Wallet Browser Extension for any displayed notifications. If you encounter a push notification in either the Trust Wallet App or Browser Extension, it indicates that your private key has been compromised due to a prior exploit, making it unsafe to use. In such a scenario, transferring your funds to a newly created wallet is essential to mitigate the risk of potential fund loss.
So, the discussions surrounding “Trust Wallet has been hacked” hold various insights. While it’s true that Trust Wallet faced a significant security issue in the last 12 months, the problems were promptly addressed. Also, the affected users underwent a reimbursement process.
Although there’s always room for more security measures, it’s essential to note that the wallet’s security should not be wholly discredited. In some cases, fund losses can occur due to scammers’ actions rather than inherent flaws in the wallet itself.
Should you encounter such a situation, follow the recommended steps to safeguard your assets.
However, it’s crucial to remain proactive in protecting your funds so you don’t find yourself facing such risks in the first place.
Stay vigilant and adhere to the safeguards to ensure your Trust Wallet experience remains secure.