ZachXBT's on-chain investigation shows that a vulnerability in the Trust Wallet browser extension has led to the theft of over $6 million in user assets. This article breaks down the details of the attack, the flow of funds, and user security blind spots.
The full picture of the ZachXBT investigation.
On-chain detective ZachXBT recently disclosed that a security incident involving the Trust Wallet browser extension is continuing to expand. According to its tracking results, multiple users' wallets have had their assets directly transferred without any proactive action taken, with preliminary estimates of losses reaching at least 6 million dollars.
Unlike common phishing links or authorization scams, the commonality of this incident lies in:
Multiple users are using the Trust Wallet browser extension \
There was no obvious interaction prompt when the assets were transferred.
The outflow of funds is highly concentrated in time \
These features led ZachXBT to determine that the event is more likely to stem from systemic risks at the wallet extension level rather than a single point of fraud.
The specific time and environment of the attack occurred.
From the on-chain timeline, the stolen transactions mainly occurred within a relatively short time window. Multiple victim wallets exhibited one-time emptying or large transfers almost simultaneously, and the target addresses were highly dispersed.
ZachXBT pointed out that most affected users were performing daily operations using browser extensions on the desktop, including DeFi interactions, wallet management, or asset viewing. This environment is inherently more susceptible to risks such as extension permissions and script injections compared to mobile.
Details of the theft: How hackers gained control
Based on the disclosed information, the attack was not carried out through traditional private key brute force cracking, but is more likely to involve one of the following paths:
Browser extension vulnerabilities were exploited, leading to the local exposure of private keys or mnemonic phrases \
There is an unauthorized access issue in the specific version.
Attackers can bypass user signature confirmation and directly initiate transfers \
Some victims reported that the wallet did not pop up any abnormal authorization window, yet assets were directly transferred in the background. This situation usually indicates that the attacker has obtained full control in advance, rather than a single authorization.
Funding transfer methods and on-chain characteristics
In on-chain data, several obvious characteristics can be observed:
The stolen assets include mainstream cryptocurrencies such as ETH, BTC, SOL, etc.
Quickly enter the transit address after the transfer is completed \
Then disperse through splitting, multi-hop transfers, or cross-chain methods \
This mode of operation shows that the attacker has mature on-chain money laundering experience and did not act on a whim. ZachXBT believes that some of the funds may have been further concealed through mixing or cross-chain bridges, making recovery difficult.
Key risk points at the user operation level
Although the vulnerability was not directly caused by users, ZachXBT also pointed out that some common usage habits may have amplified the risks:
Directly import the mnemonic phrase in the browser extension \
Long-term storage of large assets in hot wallets \
Install multiple Web3 plugins in the same browser \
Neglecting the updates and security announcements for the extended version \
In this case, once an exploit occurs in the extension, an attacker may gain full access to the entire wallet, leaving users with little to no response time.
Trust Wallet Follow-up Measures and Industry Warnings
After the incident was exposed, Trust Wallet officially issued a security alert, confirming that specific versions of browser extensions pose risks, and advised users to immediately upgrade or stop using the affected versions. The official statement also emphasized that no similar issues have been found in the mobile application.
From an industry perspective, this incident once again highlights a real issue: self-custody wallets do not equate to absolute security, as vulnerabilities at the tool level can also lead to systemic losses.
Summary
The Trust Wallet theft incident disclosed by ZachXBT is not a simple case of fraud, but rather a centralized security incident caused by a browser extension vulnerability. Behind the loss of at least 6 million dollars lies a complex interplay of wallet tools, security habits, and risk awareness.
For ordinary users, the core insight of this event is:
Do not rely entirely on browser extensions for long-term assets \
Stay updated on security announcements and version updates \
Clearly distinguish between hot wallets and cold storage \
In the context of increasingly complex cryptocurrency asset management, security itself has become a cost that cannot be overlooked.
* The information is not intended to be and does not constitute financial advice or any other recommendation of any sort offered or endorsed by Gate.
