Trust Wallet Extension major hacking incident, false claims emerge during compensation review | Only 2,600 out of approximately 5,000 claims are confirmed as legitimate damages

The Credibility Issue of Compensation Claims Comes to Light

Self-custody wallet “Trust Wallet” faces new challenges in its compensation response. According to CEO Eowyn Chen, approximately 5,000 compensation claims have been received over the December 25 incident in which malicious code was injected into the browser extension, while the actual number of affected wallets remains at 2,596.

Regarding this significant discrepancy, Chen commented, “There is a high possibility that many of these are false or duplicate claims.” The company has announced a policy to prioritize accuracy over speed and has implemented a strict verification process to ensure that only legitimate victims are compensated.

Technical Forensics Identify Victims

The Trust Wallet team is currently conducting complex verification procedures. The identification method they employ combines multiple data points such as transaction history, extension version information, and wallet ownership proof. Chen also pointed out that there are signs the attacker had a deep understanding of Trust Wallet’s source code, and parallel technical forensic investigations are underway.

The total estimated damage amount is about $7 million (approximately 1.1 billion yen), and related parties including the parent company and individuals like Changpeng Zhao have expressed their commitment to fully compensate legitimate victims. However, the company has clarified that refunds will be processed gradually so that funds do not flow to false claimants.

Reality of Security Threats

The hacking incident was caused by malicious code embedded in the Chrome browser extension (version 2.68). After cryptocurrency researchers pointed out the issue, the company urgently released a fixed version (version 2.69) and recommended users disable the extension.

Importantly, there is no impact on mobile apps or other browser extension versions. The company responded swiftly to prevent further damage, and on December 27, officially began accepting victim claims through their support portal.

Warning Against Phishing Scams

With the start of the compensation process, new risks have emerged. There have been reports of phishing scams where fraudsters prompt users to input information into suspicious forms under the guise of compensation. Trust Wallet warns users to only follow official support pages and not respond to unofficial guidance.

When victims apply for compensation, they are required to submit information such as email address, wallet address, and attacker’s receiving address through a dedicated form.
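
As an added example (not Trust Wallet's own process or code), the following shows how the data points named above (transaction history, extension version, wallet ownership proof) could be combined with the form fields to separate verified claims from false or duplicate ones. The field names, the boolean ownership flag, and every address are assumptions constructed for illustration.

```python
from dataclasses import dataclass

COMPROMISED_VERSION = "2.68"  # affected Chrome extension version named in the article
@dataclass(frozen=True)
class Claim:
    email: str
    wallet: str
    attacker_addr: str
    ext_version: str        # assumption: recovered from claimant evidence
    ownership_proven: bool  # assumption: result of a separate signed-message check

def norm(addr):
    return addr.strip().lower()  # assumption: EVM-style hex, case-insensitive

def triage(claims, transfers, attacker_addrs):
    """transfers: (src, dst) pairs seen on-chain. Returns (verdict, reasons) per claim."""
    attackers = {norm(a) for a in attacker_addrs}
    drained = {}  # victim wallet -> attacker addresses that received its funds
    for src, dst in transfers:
        if norm(dst) in attackers:
            drained.setdefault(norm(src), set()).add(norm(dst))
    accepted, results = set(), []
    for c in claims:
        wallet, reasons = norm(c.wallet), []
        if wallet in accepted:  # only a verified claim blocks later ones
            results.append(("duplicate", ["wallet already has a verified claim"]))
            continue
        if wallet not in drained:
            reasons.append("no transfer to a known attacker address")
        elif norm(c.attacker_addr) not in drained[wallet]:
            reasons.append("claimed attacker address not in chain data")
        if c.ext_version != COMPROMISED_VERSION:
            reasons.append("extension version not affected")
        if not c.ownership_proven:
            reasons.append("wallet ownership not proven")
        if not reasons:
            accepted.add(wallet)
        results.append(("verified" if not reasons else "rejected", reasons))
    return results

# Constructed sample data: not real addresses, transfers or claims.
W1, W2, ATK = "0x11aa" + "0" * 36, "0x22bb" + "0" * 36, "0xdead" + "0" * 36
TRANSFERS = [(W1, ATK)]
CLAIMS = [
    Claim("x@example.com", W1, ATK, "2.68", False),         # impostor, no proof
    Claim("a@example.com", W1.upper(), ATK, "2.68", True),  # real owner
    Claim("a2@example.com", W1, ATK, "2.68", True),         # repeat submission
    Claim("b@example.com", W2, ATK, "2.69", True),          # never drained
]
```

Because a wallet is marked as claimed only once a claim for it verifies, an impostor who files first does not block the real owner's later claim.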

Warning to the Entire Self-Custody Wallet Industry

This incident has exposed the Achilles’ heel of the self-custody wallet industry. As browser extension wallets become more widespread, the software update delivery channel (supply chain) is increasingly recognized as a potential attack entry point.

Industry insiders point out that, even for self-custody wallets where users hold their private keys, there remains a reliance on centralized distribution and software updates. Experts emphasize that utilizing reproducible builds, strengthening integrity checks, and decentralizing update distribution are essential for improving trustworthiness. A review of security standards across the industry is urgently needed.

The company’s response is likely to set an important precedent for compensation systems and security verification methods in the cryptocurrency wallet industry.
