Trust Wallet User Loses Funds to Malicious Approvals

Last week, a Trust Wallet user suffered a sudden overnight loss of his funds, as detailed in a recent report shared with BeInCrypto. When he contacted the wallet to find out what had happened, they informed him that he had unknowingly granted permissions to malicious websites or applications.

Eve Lam, Chief Information Security Officer at Trust Wallet, said in an interview with BeInCrypto that most unauthorized cryptocurrency withdrawals originate from user issues. Dmytro Yasmanovych, Head of Compliance at Hacken, shared this perspective and provided guidance on steps users should take if they suspect their cryptocurrency wallet has been compromised.

An Overnight Loss

Last week, Matias, a crypto user from Chile, went to sleep without a care in the world. By the time he woke up, however, that all changed. According to details shared with BeInCrypto, when Matias accessed his Trust Wallet, he saw that his funds had been withdrawn from his account.

A situation like this had never happened to him in his five years using his mobile wallet. Matias soon noticed that at 8 a.m., a small amount of crypto had been deposited in his account. Shortly after that, his account was emptied.

Matias had no idea how such a thing could happen. After contacting Trust Wallet’s security team for an explanation, he learned that the problem originated from something he had done inadvertently. 

“Based‬‭ on‬‭ our‬‭ internal‬‭ data‬‭ and‬‭ incident‬‭ response‬‭ investigations,‬‭ the‬‭ vast‬‭ majority‬‭ of‬‭ unauthorized‬‭ withdrawals are traced back to user-side issues,” Lam told BeInCrypto.

She explained many ways users can accidentally share sensitive information with malicious actors.

The Reality of User-Side Vulnerabilities

Trust Wallet’s analysis of its internal data and incident response investigations indicates that user-side issues cause most unauthorized cryptocurrency withdrawals.

These frequently involve leaked or compromised seed phrases, often resulting from social engineering tactics, insecure storage, and malicious smart contract approvals granted by users.

Device-level compromises and other incidents, like SIM swap attacks or theft of unlocked devices, also contribute to these unauthorized withdrawals.

“In‬‭ all‬‭ these‬‭ cases,‬‭ the‬‭ Trust‬‭ Wallet‬‭ app‬‭ itself‬‭ is‬‭ not‬‭ breached—the‬‭ issue‬‭ stems‬‭ from‬‭ the‬‭ external‬‭ environment‬‭ in‬‭ which‬‭ it’s‬‭ being‬‭ used‬‭ or‬‭ from‬‭ actions‬‭ taken‬‭ prior‬‭ to‬‭ installation,” Lam detailed. 

These exploitation methods are now among the most common attack techniques for stealing cryptocurrency from mobile wallets.

User Error vs. Wallet Hacks: Where Do Most Losses Occur?

While Hacken lacks specific internal data on evolving mobile wallet attack trends, Yasmanovych explained to BeInCrypto that fund losses enabled by user actions are increasingly evident in the cases the cybersecurity company investigates. 

“What‬‭ we’re‬‭ seeing‬‭ in‬‭ our‬‭ investigations‬‭ and‬‭ tooling‬‭ points‬‭ to‬‭ a‬‭ much‬‭ broader‬‭ issue:‬‭ most‬‭ large‬‭ scale‬‭ losses‬‭ in‬‭ crypto‬‭ today‬‭ are‬‭ less‬‭ about‬‭ mobile‬‭ malware‬‭ and‬‭ more‬‭ about‬‭ failures‬‭ in‬‭ signer‬‭ workflows,‬‭ interface‬‭ security,‬‭ and‬‭ access‬‭ control,” ‭Yasmanovych outlined.

Signer workflows involve authorizing cryptocurrency transactions with private keys. If these keys are compromised, it enables direct, unauthorized transaction signing. Meanwhile, flawed user interfaces (UIs) in crypto wallets and dApps can mislead users into harmful transactions. Attack methods include address poisoning, where attackers create similar-looking addresses to intercept funds. 

They also deploy spoofed or malicious dApps designed to steal credentials or induce harmful transaction signings. Additionally, UI redressing involves deceptive overlays that trick users into performing unintended actions.

Oftentimes, users also unknowingly authorize malicious smart contracts.

“‬That’s‬‭ an‬‭ important‬‭ point—malicious‬‭ approvals‬‭ can‬‭ exist‬‭ before‬‭ Trust‬‭ Wallet‬‭ is‬‭ ever‬‭ installed, especially‬‭ if‬‭ a‬‭ user‬‭ interacted‬‭ with‬‭ Web3‬‭ apps‬‭ using‬‭ other‬‭ wallets‬‭ or‬‭ browsers,” Lam warned. 

Once such a scenario occurs, it’s extremely hard to recover funds.

The Challenge of Fund Recovery

Given its status as a non-custodial wallet, Trust Wallet cannot reverse crypto transactions after a scam. Nevertheless, it assists users by performing on-chain analysis to trace stolen funds. It also provides detailed incident reports for law enforcement and sometimes collaborates with forensic firms. 

Despite these efforts, the likelihood of recovering funds remains very low.

“Success‬‭ depends‬‭ heavily‬‭ on‬‭ early‬‭ action.‬‭ When‬‭ funds‬‭ reach‬‭ CEXs‬‭ and‬‭ users‬‭ promptly‬‭ file‬‭ [law enforcement] reports,‬‭ there’s‬‭ a‬‭ non-zero‬‭ chance‬‭ of‬‭ asset‬‭ freezes.‬‭ Across‬‭ all‬‭ scam-related‬‭ cases,‬‭ the‬‭ recovery‭ success‬‭ rate‬‭ is‬‭ low‬‭, but‬‭ when‬‭ centralized‬‭ endpoints‬‭ are‬‭ involved‬‭ and‬‭ law‬‭ enforcement‬‭ is‬‭ engaged‭ quickly, we’ve seen funds recovered, like a case we assisted in with ~$400k traced,” Lam told BeInCrypto.

As a result, user education remains the most effective way to prevent the issues that cause these losses.

Beyond Detection: What Preventative and Reactive Steps Are Crucial?

Trust Wallet has a built-in Security Scanner that flags real-time threats such as interactions with known scammer addresses, phishing sites, and suspicious approvals. But sometimes, these warning signs aren’t enough. 

To safeguard cryptocurrency wallets, Yasmanovych advised that organizations and individuals should implement Cryptocurrency Security Standard (CCSS) controls for managing keys and ensuring operational security.

“Define‬‭ clear‬‭ actions‬‭ for‬‭ when‬‭ a‬‭ key‬‭ is‬‭ suspected‬‭ compromised,‬‭ including‬‭ revocation,‬‭ fund‬‭ migration, and audit, require [Multi-factor authentication] for all access to wallet systems and key handling interfaces, use‬‭ quorum-based‬‭ access‬‭ to‬‭ prevent‬‭ any‬‭ single‬‭ actor‬‭ from‬‭ compromising funds, [and] implement‬‭ encrypted,‬‭ geo-distributed‬‭ backups‬‭ with‬‭ clearly‬‭ defined‬‭ restore‬‭ procedures‬‭ to‬‭ ensure resilience without centralizing risk,” he explained. 

Yasmanovych also stressed the importance of knowing what to do after these exploits happen. 

“If you suspect your cryptocurrency wallet has been compromised, act immediately:‬ Report‬‭ the‬‭ incident‬‭ to‬‭ law‬‭ enforcement‬‭ and‬‭ engage‬‭ crypto forensics professionals‭, track‬‭ stolen‬‭ funds‬‭ using‬‭ chain‬‭ analysis‬‭ tools‬‭ to‬‭ monitor‬‭ movement‬‭ and‬‭ identify‬‭ mixers‬‭ or‬‭ exchanges involved, [and] submit requests to exchanges with KYC data for frozen fund attempts,” he added.

Despite these measures, the reality remains that user-side vulnerabilities continue to lead to losses.

The Enduring Challenge of User Vulnerabilities in Mobile Wallets

Even with proactive security measures, the ongoing regularity of fund losses raises significant concern. The regularity of these events highlights the persistent challenge of user-end vulnerabilities when using mobile wallets.

The path to a safer Web3 inherently requires a balance between strong security protocols and proactive user preparedness. Consequently, a sustained commitment to user education and the widespread adoption of these protective measures remains vital for effectively reducing exploits and establishing a more secure environment across the industry.