A malicious security breach struck Binance-owned Trust Wallet on Thursday, leading to losses of more than $7 million as funds were drained from affected user wallets on the platform.
Just two days later, on Saturday, Trust Wallet CEO Eowyn Chen issued a detailed post on social media platform (formerly Twitter), outlining the impact of the incident, the measures being taken to contain the hack, and what the company has established so far about the attack.
“This is an ongoing investigation, so I’ll focus on confirmed facts and updates, highly likely hypothesis, and what we’re doing to stop loss for users,” she noted in the X post.
Who does it affect and who needs not to worry?
According to Chen, the investigation so far has confirmed that this security incident only impacts users who opened and logged into Trust Wallet’s Browser Extension version 2.68. She also noted that the breach does not affect any mobile app users, any other versions of browser extension users, as well as extension v2.68 users who opened and logged in after 26 December, 11:00 UTC.
Hence, all these users remain unaffected by the incident and their accounts, data, and assets are considered secure.
What the company knows about the attack?
The investigation also suggests that the malicious extension was not released through the platform’s internal manual process, and that it was most likely published externally through Chrome Web Store API key, bypassing the standard release checks, Chen clarified.
Another working hypothesis, which is still under investigation, suggests that the hacker used a leaked Chrome Web Store API key to submit the malicious extension version, which succeeded in passing Chrome Web Store’s review, she added.
