TrustWallet Hack Explained: From Update to Wallet Drains worth $4M in $TWT, BTC, ETH

What Exactly Happened in the Trust Wallet Hack

Step 1: A New Browser Extension Update Was Released

A new update for the Trust Wallet browser extension was released on December 24.

• The update seemed routine.
• No major security warnings came with it.
• Users installed it through the usual update process.

At this point, nothing seemed suspicious.

Step 2: New Code Was Added to the Extension

After the update, researchers looking into the extension’s files noticed changes in a JavaScript file known as 4482.js.

Key observation:

• The new code was not in earlier versions.
• It introduced network requests linked to user actions.

This matters because browser wallets are very sensitive environments; any new outgoing logic poses a high risk.

Step 3: Code Masqueraded as “Analytics”

The added logic appeared as analytics or telemetry code.

Specifically:

• It looked like tracking logic used by common analytics SDKs.
• It did not trigger all the time.
• It activated only under certain conditions.

This design made it harder to detect during casual testing.

Step 4: Trigger Condition Importing a Seed Phrase

Community reverse-engineering suggests the logic was triggered when a user imported a seed phrase into the extension.

Why this is critical:

• Importing a seed phrase gives the wallet full control.
• This is a one-time, high-value moment.
• Any malicious code only needs to act once.

Users who only used existing wallets may not have triggered this path.

Step 5: Wallet Data Was Sent Externally

When the trigger condition occurred, the code allegedly sent data to an external endpoint:

metrics-trustwallet[.]com

What raised alarms:

• The domain looked a lot like a legitimate Trust Wallet subdomain.
• It was registered only days earlier.
• It was not publicly documented.
• It later went offline.

At least, this confirms unexpected outgoing communication from the wallet extension.

Step 6: Attackers Acted Immediately

Shortly after seed phrase imports, users reported:

• Wallets drained within minutes.
• Multiple assets moved quickly.
• No further user interaction was needed.

On-chain behavior showed:

• Automated transaction patterns.
• Multiple destination addresses.
• No obvious phishing approval flow.

This suggests attackers already had enough access to sign transactions.

Step 7: Funds Were Consolidated Across Addresses

Stolen assets were routed through several attacker-controlled wallets.

Why this matters:

• It suggests coordination or scripting.
• It reduces reliance on a single address.
• It matches behavior seen in organized exploits.

Estimates based on tracked addresses suggest millions of dollars moved, although totals vary.

Step 8: The Domain Went Dark

After attention increased:

• The suspicious domain stopped responding.
• No public explanation followed immediately.
• Screenshots and cached evidence became crucial.

This is consistent with attackers destroying infrastructure once exposed.

Step 9: Official Acknowledgment Came Later

Trust Wallet later confirmed:

• A security incident affected a specific version of the browser extension.
• Mobile users were not affected.
• Users should upgrade or disable the extension.

However, no full technical breakdown was given right away to explain:

• Why the domain existed.
• Whether seed phrases were exposed.
• Whether this was an internal, third-party, or external issue.

This gap fueled ongoing speculation.

What Is Confirmed

• A browser extension update introduced new outgoing behavior.
• Users lost funds shortly after importing seed phrases.
• The incident was limited to a specific version.
• Trust Wallet acknowledged a security issue.

What Is Strongly Suspected

• A supply-chain issue or malicious code injection.
• Seed phrases or signing ability being exposed.
• The analytics logic being misused or weaponized.

What Is Still Unknown

• Whether the code was intentionally malicious or compromised upstream.
• How many users were affected.
• Whether any other data was taken.
• Exact attribution of the attackers.

Why This Incident Matters

This was not typical phishing.

It highlights:

• The danger of browser extensions.
• The risk of blindly trusting updates.
• How analytics code can be misused.
• Why handling seed phrases is the most critical moment in wallet security.

Even a short-lived vulnerability can have serious consequences.

The post TrustWallet Hack Explained: From Update to Wallet Drains worth $4M in $TWT, BTC, ETH appeared first on Live Bitcoin News.