3 decisions on this page
Audit log
Every state-changing event for Trust Wallet: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.
- #1 publish by system:backfill, 2026-05-19 02:32:55Z
Score: ? → ? (no score change)
anchor: anchored
- chain: mainnet-beta, slot 420,680,175
- sig: 4X1ojXxqDtQA…7RtEMHm7
- hash: 91Y1D8dvMX6W…K9c5tJWc (sha256 → base58)
canonical bytes (4950 B):
{"actor":"system:backfill","investigation_id":"4ba72731-5f73-484b-b3c5-af8a83bd4f3e","kind":"publish","page_slug":"trust-wallet","published_at":"2026-05-19T02:32:55.249Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Trust Wallet","sections":[{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]}],"sources_used":[],"summary":"Trust Wallet is a widely-used non-custodial mobile and browser cryptocurrency wallet, originally acquired by Binance in 2018 and later divested as an independent entity. It has been the subject of multiple documented security incidents spanning 2022–2025, including a critical WebAssembly entropy vulnerability (CVE-2024-23660), a supply-chain compromise of its Chrome extension in December 2025 that resulted in approximately $8.5 million in user losses, and a historical low-entropy key generation flaw exploited in 2023. Blockchain investigator ZachXBT flagged the December 2025 browser extension incident and documented hundreds of victims.","timeline":[{"date":"2018-02-01","event":"Trust Wallet iOS app introduces low-entropy key generation flaw using trezor-crypto-ios v0.0.4, seeding PRNG with Unix timestamp only","source":"","source_url":"https://secbit.io/blog/en/2024/01/19/trust-wallets-fomo3d-summer-vuln/"},{"date":"2018-07-01","event":"Binance acquires Trust Wallet","source":"","source_url":"https://en.wikipedia.org/wiki/Trust_Wallet"},{"date":"2018-07-16","event":"Low-entropy flaw patched in trezor-crypto-ios v0.0.7, but wallets created during the vulnerable window remain exposed","source":"","source_url":"https://secbit.io/blog/en/2024/01/19/trust-wallets-fomo3d-summer-vuln/"},{"date":"2022-11-14","event":"Trust Wallet browser extension begins generating wallets using weak Mersenne Twister PRNG; vulnerability window opens","source":"","source_url":"https://www.theblock.co/post/227730/trust-wallet-vulnerability-fix"},{"date":"2022-11-23","event":"Browser extension WebAssembly vulnerability window closes; researcher later discloses flaw via bug bounty","source":"","source_url":"https://www.ledger.com/blog/funds-of-every-wallet-created-with-the-trust-wallet-browser-extension-could-have-been-stolen"},{"date":"2023-04-22","event":"Trust Wallet publicly discloses WebAssembly PRNG vulnerability, confirms $170,000 in user losses, announces reimbursement","source":"","source_url":"https://beincrypto.com/trust-wallet-170000-loss/"},{"date":"2023-07-12","event":"Attackers exploit 2018-era low-entropy iOS flaw against 2,100+ Ethereum addresses; over 1,360 ETH stolen across multiple chains","source":"","source_url":"https://secbit.io/blog/en/2024/01/19/trust-wallets-fomo3d-summer-vuln/"},{"date":"2024-02-01","event":"NIST formally adds Trust Wallet iOS vulnerability to National Vulnerability Database as CVE-2024-23660 (CVSS 7.5 High)","source":"","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-23660"},{"date":"2025-01-01","event":"TrustWalletPanel phishing operation (tttadmin.com) begins 14-month campaign targeting Trust Wallet users; at least $239,000 stolen","source":"","source_url":"https://phishdestroy.io/trustwallet-panel-exposed"},{"date":"2025-11-01","event":"Sha1-Hulud supply chain attack exposes Trust Wallet GitHub secrets, including Chrome Web Store API credentials","source":"","source_url":"https://trustwallet.com/blog/announcements/trust-wallet-browser-extension-v268-incident-community-update"},{"date":"2025-12-08","event":"Attacker registers exfiltration domain in preparation for Chrome extension compromise","source":"","source_url":"https://thehackernews.com/2025/12/trust-wallet-chrome-extension-bug.html"},{"date":"2025-12-21","event":"First exfiltration requests from compromised infrastructure begin","source":"","source_url":"https://thehackernews.com/2025/12/trust-wallet-chrome-extension-bug.html"},{"date":"2025-12-24","event":"Malicious Trust Wallet browser extension v2.68 published to Chrome Web Store via leaked API key; mnemonic exfiltration begins","source":"","source_url":"https://trustwallet.com/blog/announcements/trust-wallet-browser-extension-v268-incident-community-update"},{"date":"2025-12-25","event":"ZachXBT flags suspected Trust Wallet extension issue as users report drained funds; requests affected addresses from victims","source":"","source_url":"https://beincrypto.com/zachxbt-trust-wallet-security-warning-user-funds-drained/"},{"date":"2025-12-26","event":"Trust Wallet confirms v2.68 incident, rolls back to v2.67 as v2.69, revokes API credentials, announces $8.5M impact across 2,520 addresses","source":"","source_url":"https://trustwallet.com/blog/announcements/trust-wallet-browser-extension-v268-incident-community-update"}]},"v":1}
Verify offline (run on your own machine)
python -m src.verify_decision 745efd9b-0b8e-40c6-adba-cd9c50743829
- #2 review by reviewer, 2026-06-14 23:15:56Z
Score: 32 → 32 (no score change)
Blue-chip calibration review (Prompt A). Verdict: over-penalized. Page content is treated as accurate; the trust_score band is miscalibrated. Trust Wallet is a legitimate, large-scale non-custodial cryptocurrency wallet (220M+ users) that has suffered multiple distinct security incidents between 2022 and 2025 — none of which constitute fraud, a Ponzi scheme, or intentional misappropriation of user funds. The incidents are: (1) a Mersenne Twister PRNG flaw in the browser extension WASM component (CVE-2023-31290, November 2022, ~$170K losses, patched within days, reimbursements committed); (2) a low-entropy iOS key-generation flaw from 2018 using unsafe trezor-crypto functions (CVE-2024-23660, CVSS 7.5 HIGH, exploited July 2023, >1,360 ETH stolen from 2,100+ victims); and (3) a December 2025 supply chain attack in which a malicious extension v2.68 was published via a stolen Chrome Web Store API key (Shai-Hulud campaign), draining ~$7M–$8.5M from 2,520 wallets, with Trust Wallet committing to full voluntary reimbursement. Under AVOID.NET's post-policy band semantics, a score of 32 (WARNING) is reserved for entities with elevated fraud/loss risk or unresolved severe incidents. Trust Wallet's incidents are resolved or actively remediated security vulnerabilities suffered by the entity, placing it firmly in the CAUTIONARY band (50–69). A score of 55 reflects the genuine severity and multiplicity of the security record while recognising that Trust Wallet is a legitimate operator that has not defrauded users and has committed to reimbursements. An outside skeptic can verify: NVD entries for CVE-2023-31290 and CVE-2024-23660, the SECBIT research blog post (Jan 2024), the Ledger Donjon disclosure, Trust Wallet's official v2.68 incident post, and Trust Wallet's X reimbursement commitment.
anchor: anchored
- chain: mainnet-beta, slot 426,514,436
- sig: 5JV1HL7cB5Ne…StPhizEg
- hash: 2eK2drxTgarT…BGrXuanu (sha256 → base58)
canonical bytes (2156 B):
{"actor":"reviewer","decided_at":"2026-06-14T23:15:56.444Z","decision":"review","investigation_id":"4ba72731-5f73-484b-b3c5-af8a83bd4f3e","new_score":32,"page_slug":"trust-wallet","prev_score":32,"reason":"Blue-chip calibration review (Prompt A). Verdict: over-penalized. Page content is treated as accurate; the trust_score band is miscalibrated. Trust Wallet is a legitimate, large-scale non-custodial cryptocurrency wallet (220M+ users) that has suffered multiple distinct security incidents between 2022 and 2025 — none of which constitute fraud, a Ponzi scheme, or intentional misappropriation of user funds. The incidents are: (1) a Mersenne Twister PRNG flaw in the browser extension WASM component (CVE-2023-31290, November 2022, ~$170K losses, patched within days, reimbursements committed); (2) a low-entropy iOS key-generation flaw from 2018 using unsafe trezor-crypto functions (CVE-2024-23660, CVSS 7.5 HIGH, exploited July 2023, >1,360 ETH stolen from 2,100+ victims); and (3) a December 2025 supply chain attack in which a malicious extension v2.68 was published via a stolen Chrome Web Store API key (Shai-Hulud campaign), draining ~$7M–$8.5M from 2,520 wallets, with Trust Wallet committing to full voluntary reimbursement. Under AVOID.NET's post-policy band semantics, a score of 32 (WARNING) is reserved for entities with elevated fraud/loss risk or unresolved severe incidents. Trust Wallet's incidents are resolved or actively remediated security vulnerabilities suffered by the entity, placing it firmly in the CAUTIONARY band (50–69). A score of 55 reflects the genuine severity and multiplicity of the security record while recognising that Trust Wallet is a legitimate operator that has not defrauded users and has committed to reimbursements. An outside skeptic can verify: NVD entries for CVE-2023-31290 and CVE-2024-23660, the SECBIT research blog post (Jan 2024), the Ledger Donjon disclosure, Trust Wallet's official v2.68 incident post, and Trust Wallet's X reimbursement commitment.","score_delta":0,"sequence_num":2,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}
Verify offline (run on your own machine)
python -m src.verify_decision d1f64f0d-79d0-4fc2-8e85-aec46698d013
- #3 review approve by judge, 2026-06-14 23:15:56Z
Score: 32 → 55 (+23)
The reviewer found 0% disputed claims across all six claim_findings — every material assertion about Trust Wallet's identity, incident history, and remediation behavior is supported by external sources (NVD, SECBIT, Trust Wallet blog, The Block). All three scored incidents (claim_findings[1]) are confirmed attack-victim events: the 2022 WASM PRNG flaw, the 2023 iOS entropy exploitation, and the December 2025 supply-chain compromise. Trust Wallet voluntarily committed to reimbursement in each case (claim_findings[4]), and no regulatory enforcement or fraud designation was found (claim_findings[5]). A current score of 32 (WARNING) is reserved for entities with elevated fraud risk or unresolved severe incidents; neither condition applies here. The reviewer's recommended score of 55 (CAUTIONARY) accurately reflects the genuine multiplicity and scale of the security record while recognising that Trust Wallet has not defrauded users. A +23 delta moves the score from 32 to 55, correcting the band from WARNING to CAUTIONARY. The minor CVE label misattribution noted in claim_findings[2] and the $7M vs $8.5M figure discrepancy in claim_findings[3] are editorial refinements that do not affect the band decision.
anchor: anchored
- chain: mainnet-beta, slot 426,514,439
- sig: cXMGjNUeTnR5…6xqbd11E
- hash: 2MsWpDZZNjK6…vrBpvowm (sha256 → base58)
canonical bytes (1573 B):
{"actor":"judge","decided_at":"2026-06-14T23:15:56.444Z","decision":"review_approve","investigation_id":"4ba72731-5f73-484b-b3c5-af8a83bd4f3e","new_score":55,"page_slug":"trust-wallet","prev_score":32,"reason":"The reviewer found 0% disputed claims across all six claim_findings — every material assertion about Trust Wallet's identity, incident history, and remediation behavior is supported by external sources (NVD, SECBIT, Trust Wallet blog, The Block). All three scored incidents (claim_findings[1]) are confirmed attack-victim events: the 2022 WASM PRNG flaw, the 2023 iOS entropy exploitation, and the December 2025 supply-chain compromise. Trust Wallet voluntarily committed to reimbursement in each case (claim_findings[4]), and no regulatory enforcement or fraud designation was found (claim_findings[5]). A current score of 32 (WARNING) is reserved for entities with elevated fraud risk or unresolved severe incidents; neither condition applies here. The reviewer's recommended score of 55 (CAUTIONARY) accurately reflects the genuine multiplicity and scale of the security record while recognising that Trust Wallet has not defrauded users. A +23 delta moves the score from 32 to 55, correcting the band from WARNING to CAUTIONARY. The minor CVE label misattribution noted in claim_findings[2] and the $7M vs $8.5M figure discrepancy in claim_findings[3] are editorial refinements that do not affect the band decision.","score_delta":23,"sequence_num":3,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}
Verify offline (run on your own machine)
python -m src.verify_decision 621f01f1-fd99-44e4-bbef-381f52549126
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine —
python -m src.verify_decision <event_id>.
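
The row-integrity check described above, as an added example that is not avoid.net's own verifier code. It assumes the stored hash is the base58 encoding (Bitcoin/Solana alphabet) of the raw 32-byte SHA-256 digest; the function names and the sample row are constructed for illustration.

```python
import hashlib
import json

# Bitcoin/Solana base58 alphabet (assumed to be the one behind "sha256 → base58").
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(data: bytes) -> str:
    """Base58-encode bytes; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * zeros + out

def row_hash(canonical: bytes) -> str:
    """SHA-256 over the exact canonical bytes, rendered as base58."""
    return b58encode(hashlib.sha256(canonical).digest())

def verify_row(canonical: bytes, stored_hash: str) -> bool:
    """Row-integrity check: recompute the hash locally and compare it in full."""
    return row_hash(canonical) == stored_hash

def matches_display(full_hash: str, shown: str) -> bool:
    """Sanity-check a full hash against a truncated 'prefix…suffix' display string."""
    prefix, _, suffix = shown.partition("…")
    return full_hash.startswith(prefix) and full_hash.endswith(suffix)

# Constructed sample row (not taken from the log above), already in compact form.
SAMPLE = b'{"actor":"judge","new_score":55,"prev_score":32,"sequence_num":3,"v":1}'
STORED = row_hash(SAMPLE)  # stands in for the hash published next to the row

def demo() -> dict:
    tampered = SAMPLE.replace(b'"new_score":55', b'"new_score":95')
    # Same JSON value, different bytes: default separators insert spaces.
    reserialized = json.dumps(json.loads(SAMPLE)).encode()
    return {
        "intact": verify_row(SAMPLE, STORED),
        "tampered": verify_row(tampered, STORED),
        "reserialized": verify_row(reserialized, STORED),
        "display": matches_display(STORED, STORED[:12] + "…" + STORED[-8:]),
    }

if __name__ == "__main__":
    print(demo())
```

The `reserialized` case fails even though the JSON value is unchanged, which is why the hash must be taken over the canonical bytes exactly as served rather than over a re-parsed copy. A match against the truncated display string covers only the visible characters and does not replace the full comparison.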