Trust Wallet Compensation Confusion, Challenges in Identifying True Victims | 5,000 Fraudulent Claims Discovered

The Gap Between Compensation Claims and Actual Damage Becomes Clear

Unforeseen challenges faced by the self-custody wallet “Trust Wallet” have come to light. According to the company’s CEO, Ewin Cheng, the number of compensation claims related to the hacking incident that exploited the browser extension on December 25th has reached about 5,000 cases, while the actual number of affected wallets is only 2,596. Regarding this discrepancy of more than double, Cheng pointed out the possibility that many claims may include false reports or duplicate registrations. Trust Wallet has begun implementing a new process to rigorously verify the legitimacy of damages to ensure the reliability of compensation.

The total estimated loss from this security breach is approximately $7 million (about 1.1 billion yen), and the company has already announced a policy to fully compensate legitimate victims.

The Reality of the Damage: Asset Outflows Due to Malicious Code Injection

The direct cause of the incident was the embedding of malicious code into version 2.68 of Trust Wallet’s Chrome extension. Attackers exploited this vulnerability to successfully transfer users’ cryptocurrencies fraudulently. Cryptocurrency security researcher ZachXBT was the first to point out this abnormality, prompting the company to immediately begin measures to prevent further damage.

Importantly, it has been confirmed that mobile apps and other browser extensions are unaffected. The company urgently released version 2.69 as a fix and recommended users disable the extension.

Progress in Compensation and Stricter Verification

On December 27th, Trust Wallet opened a compensation claim portal for victims on its official support site. Applicants are required to submit necessary information such as email address, wallet address, and the recipient address of the attacker via a dedicated form.

The parent company of Trust Wallet, a major exchange founder Zhao Changpeng, publicly stated on X that the company will bear the full amount of the losses. Meanwhile, the company is warning against phishing scams that may attempt to exploit the compensation process and advises users not to respond to any compensation forms outside the official support page.

Strengthening Verification Processes: Identifying True Victims

Trust Wallet’s verification team is currently scrutinizing a large volume of compensation claims. According to Cheng, they are using multiple data points—such as transaction history, extension version information, and proof of wallet ownership—to distinguish genuine victims from malicious applicants.

The company has clearly prioritized verification accuracy over speed of compensation and is intentionally adjusting the payout process to prevent fraudulent claims.

In parallel, a technical forensic investigation has found traces indicating that attackers had deep knowledge of Trust Wallet’s source code structure. The investigation into possible internal involvement is ongoing, but no conclusive evidence has been found at this stage. The investigation continues comprehensively with the assistance of external experts.

Fundamental Vulnerabilities of Self-Custody Wallets

This incident has exposed the inherent risks of the concept of self-custody wallets. Especially with the proliferation of browser extension wallets, the supply chain for software updates is increasingly recognized as a new attack vector.

Several wallet providers have pointed out that even in self-custody wallets where users manage their private keys, there remains a dependency on centralized mechanisms for app distribution and software updates. Industry insiders suggest that “even in user-controlled private key wallets, a single point of failure may exist in app distribution or software updates,” and recommend adopting reproducible build methods, strengthening integrity checks, and decentralizing update delivery to improve reliability.

This perspective is prompting a shift in security awareness across the entire self-custody wallet market.

Prices are converted at the rate at the time of writing (1 USD = 156.24 JPY).