Trust Wallet says browser extension compromise related to Sha1-Hulud incident led to $8.5m theft


Trust Wallet says that the $8.5 million hack in late December, which affected 2,520 crypto wallets, is likely linked to the Sha1-Hulud incident, which exposed developer GitHub secrets.

Binance-backed crypto wallet Trust Wallet suffered a massive attack on December 24th, when a malicious version of the Trust Wallet Browser Extension was published to the Chrome Web Store using a leaked API key. The malicious code within the extension allowed the attackers to steal sensitive wallet data and execute transactions without authorization.

The company says that the incident is likely linked to the industry-wide Sha1-Hulud incident in November. Sha1-Hulud is a worm-like npm supply-chain malware campaign that spreads through trojanized npm packages and allows attackers to steal credentials and execute actions on affected machines. Sha1-Hulud is described as the evolved version of the earlier Shai-Hulud supply-chain abuse.


According to Trust Wallet, the Sha1-Hulud compromise allowed the attacker to access the browser extension source code and the Chrome Web Store API key via exposed developer GitHub secrets.

The attackers then registered the domain metrics-trustwallet.com to host malicious code, and the malicious version was distributed to users automatically once it passed Chrome Web Store review.


The malicious version was active between December 24th and 26th. After the discovery, Trust Wallet rolled back to the verified clean version 2.67, released as 2.69, and provided security instructions. White-hat researchers initiated DDoS attacks to try to temporarily disable the attacker's malicious domain.

According to the company’s statement, the attack affected only Trust Wallet Browser Extension version 2.68 users who opened the extension and logged in during the affected period, with 2,520 identified wallet addresses.

Trust Wallet has announced it will “voluntarily reimburse the affected users”. According to reports, the company has already started accepting and reviewing reimbursement requests; however, the work to verify claims and ensure their legitimacy is ongoing. For 2,520 affected wallets, the company has already received over 5,000 claims, meaning there is a high volume of fraudulent or duplicate submissions.

“Due to the complexity of verification and the need to protect against fraud, processing times vary with each case,” Trust Wallet says.

The company says it has implemented additional security controls around browser extension releases, access to the release system and tooling, and monitoring, to prevent similar incidents.
