Trust Wallet extension returns to Chrome after $8.5M exploit

Trust Wallet’s browser extension has returned to the Chrome Web Store following a temporary removal forced by a sophisticated hack that compromised roughly $8.5 million worth of digital assets in December.

The platform posted on X, stating, “Version 2.71.0 is now available & includes customer service verification code support to help with the claims process.”

Trust Wallet’s chief executive officer, Eowyn Chen, called for calm on December 31, posting on X, “Some may have noticed that the @trustwallet Browser Extension is temporarily unavailable on the Chrome Web Store. We hit a Chrome Web Store bug while releasing a new version that includes a feature to help reimbursement claimants submit verification codes from their extension — this helps us better verify wallet ownership for affected users, separate from the hacker/scammer.

Google has acknowledged the issue and is escalating it internally. We hope to have it resolved soon.”

Chen also warned users to remain vigilant for fake versions of the extension.

Holiday attack drains thousands of Trust Wallet users’ assets

In the hack that occurred in December, attackers released a malicious version 2.68 of Trust Wallet’s browser extension on Christmas Eve. Unsuspecting users were stunned when their funds got drained during a roughly two-day period between December 25 and 26.

According to Trust Wallet, 2,520 wallet addresses were affected across multiple blockchain networks.

The crypto wallet platform also added that they have a high confidence that the exploit is linked to the November Shai-Hulud supply chain attack, which targeted the npm software registry and affected thousands of repositories industry-wide.

Security researchers noted that the attackers demonstrated sophisticated planning, having staged their infrastructure by December 8, more than two weeks before deploying the compromised extension.

White-hat security researchers attempted to mitigate the damage by launching distributed denial-of-service attacks against the attackers’ infrastructure, helping to limit the number of additional victims after the breach was discovered.

Trust Wallet initially released a version 2.69 to replace the compromised version 2.68, urging users to download it; however, that new version hit a bug, as Chen pointed out.

Fraudulent claims complicate reimbursement plan

Trust Wallet, which is owned by Binance but operates as a separate entity, assured users that only the browser extension was affected. It insisted that the mobile app versions were not affected throughout the incident.

Binance founder Changpeng Zhao confirmed the company’s plan to fully reimburse all verified victims.

However, according to Chen, Trust Wallet had to revise its claims process to be more stringent after receiving over 5,000 claims despite identifying only 2,596 affected wallet addresses.

In an X post dated December 28, Chen acknowledged the irregular number of claim seekers, writing, “Our team is working diligently to verify claims; combining multiple data points to distinguish legitimate victims from malicious actors.”

Chen explained that the newly restored extension’s verification code feature will allow Trust Wallet to distinguish genuine claims from fraudulent or duplicate submissions.

Want your project in front of crypto’s top minds? Feature it in our next industry report, where data meets impact.