Detailed guide for those who lost assets in the Trust Wallet attack

Trust Wallet Chrome Plugin Attack - Important Details You Need to Know

Last week, over $7 million was lost due to a large-scale attack on the Trust Wallet extension on Google Chrome. The incident occurred from December 24 to 26, when hackers injected malicious JavaScript code into version 2.68 of the plugin. Anyone who logged into their wallet during this period was at risk of having their seed phrase leaked. The seed phrase is the critical security string used to recover a cryptocurrency wallet.

What is a seed phrase? It is a randomly generated sequence of 12 or 24 words created when you set up your wallet, and it serves as the master key to all assets in that wallet. Once the seed phrase is leaked, attackers can take control of your entire account without any confirmation.

Cause of the Incident - API Key Leak

Initial investigations indicate that the incident may have originated from a leaked API key used to manage the release process of updates on the Google Chrome Web Store. Hackers exploited this vulnerability to push a malicious version of the plugin, replacing the legitimate version used by millions of users.

It is noteworthy that this attack was not due to weak passwords or careless user behavior, but rather a serious systemic vulnerability in the infrastructure.

How to Request Compensation

Eowyn Chen, CEO of Trust Wallet, announced an official compensation program for all affected parties. Here are the steps you need to follow:

Information to prepare:

  • Your email address
  • The compromised wallet address (public address)
  • The attacker’s wallet address (traceable from withdrawal transactions)
  • Transaction hash of the stolen funds
  • The amount lost
  • New wallet address to receive compensation

Registration process: Affected users only need to visit Trust Wallet’s official compensation registration page and fill out the request form. The company recommends creating a completely new wallet dedicated solely to this process to ensure maximum security.

To complete the process, you will need to provide your residence information for related criminal proceedings.

Warning About Fake Compensation Programs

The Trust Wallet team warns that fake reimbursement programs may appear in an attempt to deceive users. Legitimate compensation programs will never ask for:

  • Your password
  • Your seed phrase
  • Sensitive personal information such as credit card numbers

If you receive any messages, emails, or notifications requesting such information, it is definitely a scam. Report it immediately to the Trust Wallet team.

Lessons Learned from This Incident

This incident reminds the entire crypto community of the importance of infrastructure security. Even reputable platforms can face sophisticated attacks, especially when API keys managing software releases are leaked.

While the compensation program is being rolled out, users should stay calm, interact only through official channels, and never share their seed phrase with anyone, regardless of who they claim to be.
