Verify a decision

{"actor":"system:backfill","investigation_id":"4ba72731-5f73-484b-b3c5-af8a83bd4f3e","kind":"publish","page_slug":"trust-wallet","published_at":"2026-05-19T02:32:55.249Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Trust Wallet","sections":[{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]}],"sources_used":[],"summary":"Trust Wallet is a widely-used non-custodial mobile and browser cryptocurrency wallet, originally acquired by Binance in 2018 and later divested as an independent entity. It has been the subject of multiple documented security incidents spanning 2022–2025, including a critical WebAssembly entropy vulnerability (CVE-2024-23660), a supply-chain compromise of its Chrome extension in December 2025 that resulted in approximately $8.5 million in user losses, and a historical low-entropy key generation flaw exploited in 2023. Blockchain investigator ZachXBT flagged the December 2025 browser extension incident and documented hundreds of victims.","timeline":[{"date":"2018-02-01","event":"Trust Wallet iOS app introduces low-entropy key generation flaw using trezor-crypto-ios v0.0.4, seeding PRNG with Unix timestamp only","source":"","source_url":"https://secbit.io/blog/en/2024/01/19/trust-wallets-fomo3d-summer-vuln/"},{"date":"2018-07-01","event":"Binance acquires Trust Wallet","source":"","source_url":"https://en.wikipedia.org/wiki/Trust_Wallet"},{"date":"2018-07-16","event":"Low-entropy flaw patched in trezor-crypto-ios v0.0.7, but wallets created during the vulnerable window remain exposed","source":"","source_url":"https://secbit.io/blog/en/2024/01/19/trust-wallets-fomo3d-summer-vuln/"},{"date":"2022-11-14","event":"Trust Wallet browser extension begins generating wallets using weak Mersenne Twister PRNG; vulnerability window opens","source":"","source_url":"https://www.theblock.co/post/227730/trust-wallet-vulnerability-fix"},{"date":"2022-11-23","event":"Browser extension WebAssembly vulnerability window closes; researcher later discloses flaw via bug bounty","source":"","source_url":"https://www.ledger.com/blog/funds-of-every-wallet-created-with-the-trust-wallet-browser-extension-could-have-been-stolen"},{"date":"2023-04-22","event":"Trust Wallet publicly discloses WebAssembly PRNG vulnerability, confirms $170,000 in user losses, announces reimbursement","source":"","source_url":"https://beincrypto.com/trust-wallet-170000-loss/"},{"date":"2023-07-12","event":"Attackers exploit 2018-era low-entropy iOS flaw against 2,100+ Ethereum addresses; over 1,360 ETH stolen across multiple chains","source":"","source_url":"https://secbit.io/blog/en/2024/01/19/trust-wallets-fomo3d-summer-vuln/"},{"date":"2024-02-01","event":"NIST formally adds Trust Wallet iOS vulnerability to National Vulnerability Database as CVE-2024-23660 (CVSS 7.5 High)","source":"","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-23660"},{"date":"2025-01-01","event":"TrustWalletPanel phishing operation (tttadmin.com) begins 14-month campaign targeting Trust Wallet users; at least $239,000 stolen","source":"","source_url":"https://phishdestroy.io/trustwallet-panel-exposed"},{"date":"2025-11-01","event":"Sha1-Hulud supply chain attack exposes Trust Wallet GitHub secrets, including Chrome Web Store API credentials","source":"","source_url":"https://trustwallet.com/blog/announcements/trust-wallet-browser-extension-v268-incident-community-update"},{"date":"2025-12-08","event":"Attacker registers exfiltration domain in preparation for Chrome extension compromise","source":"","source_url":"https://thehackernews.com/2025/12/trust-wallet-chrome-extension-bug.html"},{"date":"2025-12-21","event":"First exfiltration requests from compromised infrastructure begin","source":"","source_url":"https://thehackernews.com/2025/12/trust-wallet-chrome-extension-bug.html"},{"date":"2025-12-24","event":"Malicious Trust Wallet browser extension v2.68 published to Chrome Web Store via leaked API key; mnemonic exfiltration begins","source":"","source_url":"https://trustwallet.com/blog/announcements/trust-wallet-browser-extension-v268-incident-community-update"},{"date":"2025-12-25","event":"ZachXBT flags suspected Trust Wallet extension issue as users report drained funds; requests affected addresses from victims","source":"","source_url":"https://beincrypto.com/zachxbt-trust-wallet-security-warning-user-funds-drained/"},{"date":"2025-12-26","event":"Trust Wallet confirms v2.68 incident, rolls back to v2.67 as v2.69, revokes API credentials, announces $8.5M impact across 2,520 addresses","source":"","source_url":"https://trustwallet.com/blog/announcements/trust-wallet-browser-extension-v268-incident-community-update"}]},"v":1}