Verify a decision

{"actor":"system:backfill","investigation_id":"b8da4d53-1b89-47b5-a180-0d4dcea34c10","kind":"publish","page_slug":"trinity-wallet","published_at":"2026-05-28T18:46:24.085Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Trinity Wallet","sections":[{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://blog.iota.org/trinity-attack-incident-part-1-summary-and-next-steps-8c7ccc4d81e8/","type":"other","url":""},{"credibility":3,"name":"https://cryptopotato.com/iotas-recent-2-million-attack-leaves-open-questions-to-the-projects-payment-processor-moonpay/","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://blog.iota.org/trinity-attack-incident-part-1-summary-and-next-steps-8c7ccc4d81e8/","type":"other","url":""},{"credibility":3,"name":"https://news.sophos.com/en-us/2020/02/18/iota-shuts-down-network-temporarily-to-fight-wallet-hacker/","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://blog.iota.org/trinity-attack-incident-part-1-summary-and-next-steps-8c7ccc4d81e8/","type":"other","url":""},{"credibility":3,"name":"https://www.coindesk.com/business/2020/03/12/iota-founder-personally-refunding-hack-losses-to-safeguard-projects-remaining-reserves","type":"other","url":""},{"credibility":3,"name":"https://decrypt.co/21683/iota-hack-compensation-founder-david-sonstebo-discord","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://coinfomania.com/iota-foundation-restarts-the-coordinator/","type":"other","url":""},{"credibility":3,"name":"https://cointelegraph.com/news/iota-network-relaunched-following-trinity-wallet-theft","type":"other","url":""},{"credibility":3,"name":"https://www.theblock.co/post/56637/iota-foundation-expects-to-reactivate-network-by-march-2-following-2m-user-wallet-attack","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://blog.iota.org/trinity-attack-incident-part-3-key-learnings-takeaways-c933de22fd0a/","type":"other","url":""},{"credibility":3,"name":"https://slowmist.medium.com/slowmist-iota-analysis-4acfb477a093","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://github.com/iotaledger/trinity-wallet/","type":"other","url":""},{"credibility":3,"name":"https://blog.iota.org/the-next-steps-for-trinity-f9af3fc64736/","type":"other","url":""}]},{"content":"","heading":"","severity":"medium","sources":[{"credibility":3,"name":"https://medium.com/cryptronics/what-recent-supply-chain-attacks-on-iota-and-monero-can-teach-us-about-blockchain-security-36f63876b539","type":"other","url":""}]}],"sources_used":[{"credibility":1,"name":"Trinity Attack Incident Part 1: Summary and next steps — IOTA Foundation","type":"official","url":"https://blog.iota.org/trinity-attack-incident-part-1-summary-and-next-steps-8c7ccc4d81e8/"},{"credibility":1,"name":"Trinity Attack Incident Part 2: Trinity Seed Migration Plan — IOTA Foundation","type":"official","url":"https://blog.iota.org/trinity-attack-incident-part-2-trinity-seed-migration-plan-4c52086699b6/"},{"credibility":1,"name":"Trinity Attack Incident Part 3: Key Learnings and Takeaways — IOTA Foundation","type":"official","url":"https://blog.iota.org/trinity-attack-incident-part-3-key-learnings-takeaways-c933de22fd0a/"},{"credibility":1,"name":"IOTA Founder Personally Refunding Hack Losses — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2020/03/12/iota-founder-personally-refunding-hack-losses-to-safeguard-projects-remaining-reserves"},{"credibility":1,"name":"IOTA Foundation Suspends Network, Probes Fund Theft in Trinity Wallet — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2020/02/13/iota-foundation-suspends-network-probes-fund-theft-in-trinity-wallet"},{"credibility":1,"name":"IOTA Network Relaunched Following Trinity Wallet Theft — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/iota-network-relaunched-following-trinity-wallet-theft"},{"credibility":1,"name":"IOTA Foundation Expects to Reactivate Network by March 2 — The Block","type":"news_article","url":"https://www.theblock.co/post/56637/iota-foundation-expects-to-reactivate-network-by-march-2-following-2m-user-wallet-attack"},{"credibility":1,"name":"IOTA is Back Online Nearly a Month After $2 Million Attack — The Block","type":"news_article","url":"https://www.theblock.co/linked/58337/iota-is-back-online-nearly-a-month-after-2-million-attack-on-wallet-software-users"},{"credibility":2,"name":"IOTA Hack Compensation — Founder David Sonstebo Discord Announcement — Decrypt","type":"news_article","url":"https://decrypt.co/21683/iota-hack-compensation-founder-david-sonstebo-discord"},{"credibility":2,"name":"IOTA's Recent $2 Million Attack Leaves Open Questions To MoonPay — CryptoPotato","type":"news_article","url":"https://cryptopotato.com/iotas-recent-2-million-attack-leaves-open-questions-to-the-projects-payment-processor-moonpay/"},{"credibility":2,"name":"IOTA Shuts Down Network Temporarily to Fight Wallet Hacker — Sophos News","type":"news_article","url":"https://news.sophos.com/en-us/2020/02/18/iota-shuts-down-network-temporarily-to-fight-wallet-hacker/"},{"credibility":2,"name":"SlowMist: Analysis and Security Suggestions for the IOTA Major Coin Stolen Incident","type":"research","url":"https://slowmist.medium.com/slowmist-iota-analysis-4acfb477a093"},{"credibility":2,"name":"What Recent Supply Chain Attacks on IOTA and Monero Can Teach Us — Cryptonics/Medium","type":"research","url":"https://medium.com/cryptronics/what-recent-supply-chain-attacks-on-iota-and-monero-can-teach-us-about-blockchain-security-36f63876b539"},{"credibility":2,"name":"27 Days Later: IOTA Foundation Finally Restarts The Coordinator — CoinFomania","type":"news_article","url":"https://coinfomania.com/iota-foundation-restarts-the-coordinator/"},{"credibility":1,"name":"GitHub — iotaledger/trinity-wallet (archived repository)","type":"official","url":"https://github.com/iotaledger/trinity-wallet/"}],"summary":"Trinity Wallet was the official desktop and mobile software wallet for the IOTA cryptocurrency, developed and maintained by the IOTA Foundation. In February 2020, a supply chain attack exploiting a compromised MoonPay SDK delivered via CDN resulted in the theft of approximately 8.55 Ti (teraIOTA) worth roughly $2 million from 50 user seeds, forcing the IOTA Foundation to shut down the entire IOTA network for 27 days. Trinity was subsequently deprecated in April 2021 following the Chrysalis protocol upgrade, with the Firefly wallet introduced as its replacement.","timeline":[{"date":"2019-07-01","event":"Trinity Wallet officially released by the IOTA Foundation as the project's primary desktop and mobile wallet.","source":"IOTA Foundation Blog","source_url":"https://blog.iota.org/iota-foundation-releases-the-trinity-wallet-5e3db189fbb5/"},{"date":"2019-11-27","event":"Attacker executes DNS-interception proof of concept by leveraging a Cloudflare API key linked to MoonPay's infrastructure, beginning reconnaissance against MoonPay's CDN endpoints.","source":"IOTA Foundation — Trinity Attack Incident Part 1","source_url":"https://blog.iota.org/trinity-attack-incident-part-1-summary-and-next-steps-8c7ccc4d81e8/"},{"date":"2019-12-17","event":"IOTA Foundation later determines this date as the start of the window during which Trinity users were at risk of seed theft.","source":"IOTA Foundation — Trinity Attack Incident Part 1","source_url":"https://blog.iota.org/trinity-attack-incident-part-1-summary-and-next-steps-8c7ccc4d81e8/"},{"date":"2019-12-22","event":"Attacker evaluates a longer-running proof of concept refining malicious code and exfiltration techniques via MoonPay CDN.","source":"IOTA Foundation — Trinity Attack Incident Part 1","source_url":"https://blog.iota.org/trinity-attack-incident-part-1-summary-and-next-steps-8c7ccc4d81e8/"},{"date":"2020-01-25","event":"Active attack on Trinity users commences; malicious MoonPay SDK begins being served to Trinity Wallet instances via CDN, capturing user seeds and passwords.","source":"IOTA Foundation — Trinity Attack Incident Part 1","source_url":"https://blog.iota.org/trinity-attack-incident-part-1-summary-and-next-steps-8c7ccc4d81e8/"},{"date":"2020-02-11","event":"Attacker executes transactions using hijacked seeds, draining approximately 8.55 Ti (roughly $2 million) from 50 user accounts.","source":"IOTA Foundation — Trinity Attack Incident Part 1","source_url":"https://blog.iota.org/trinity-attack-incident-part-1-summary-and-next-steps-8c7ccc4d81e8/"},{"date":"2020-02-12","event":"IOTA Foundation halts the Coordinator, suspending the entire IOTA network to stop further theft. All transaction confirmations cease.","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2020/02/13/iota-foundation-suspends-network-probes-fund-theft-in-trinity-wallet"},{"date":"2020-02-15","event":"IOTA Foundation receives Cloudflare logs from MoonPay confirming unsanctioned API access dating to November 2019.","source":"IOTA Foundation — Trinity Attack Incident Part 1","source_url":"https://blog.iota.org/trinity-attack-incident-part-1-summary-and-next-steps-8c7ccc4d81e8/"},{"date":"2020-02-17","event":"IOTA Foundation establishes end of the at-risk window for Trinity users.","source":"IOTA Foundation — Trinity Attack Incident Part 1","source_url":"https://blog.iota.org/trinity-attack-incident-part-1-summary-and-next-steps-8c7ccc4d81e8/"},{"date":"2020-02-29","event":"Seed migration period opens; IOTA Foundation releases dedicated migration tool for Trinity users to transfer funds to new seeds.","source":"IOTA Foundation — Trinity Attack Incident Part 2","source_url":"https://blog.iota.org/trinity-attack-incident-part-2-trinity-seed-migration-plan-4c52086699b6/"},{"date":"2020-03-06","event":"IOTA co-founder David Sonstebo announces via Discord he will personally reimburse all theft victims from his own IOTA holdings to protect Foundation reserves.","source":"Decrypt","source_url":"https://decrypt.co/21683/iota-hack-compensation-founder-david-sonstebo-discord"},{"date":"2020-03-07","event":"Seed migration period closes.","source":"IOTA Foundation — Trinity Attack Incident Part 2","source_url":"https://blog.iota.org/trinity-attack-incident-part-2-trinity-seed-migration-plan-4c52086699b6/"},{"date":"2020-03-10","event":"IOTA Foundation restarts the Coordinator after 27 days of network suspension; IOTA network returns to normal operation.","source":"CoinTelegraph","source_url":"https://cointelegraph.com/news/iota-network-relaunched-following-trinity-wallet-theft"},{"date":"2021-04-28","event":"Trinity Wallet officially deprecated with the Chrysalis protocol upgrade. Firefly wallet released as the replacement; users directed to migrate.","source":"GitHub — iotaledger/trinity-wallet","source_url":"https://github.com/iotaledger/trinity-wallet/"}]},"v":1}