Binance CEO Changpeng Zhao has clarified that funds are "SAFU" following the latest Trust Wallet hack.
The company will use its own treasury to reimburse the victims of the $7 million theft.
The details of the hack
The Trust Wallet Browser Extension Version 2.68 was recently compromised.
Attackers utilized a vulnerability in this specific version to drain cryptocurrency from users' wallets.
Trust Wallet has acknowledged the breach and released a patched version (Version 2.69) to fix the security hole.
Users running Trust Wallet Browser Extension Version 2.68 on desktop are currently at risk. Do not click on the extension icon or try to open it. Opening the compromised version (2.68) may trigger the exploit and drain your funds.
PeckShield reported that the scale of the theft is significant and larger than initially estimated.
Early reports stated that $2.8 million had been stolen, but further analysis confirmed that this figure could reach $6 million.
The attackers are actively moving the stolen funds to mix them or cash them out.
Approximately $2.8M is still sitting in the attacker's addresses across Bitcoin, EVM (Ethereum Virtual Machine) chains, and Solana.
The majority (more than $4M) has been sent to centralized exchanges ($3.3 million to ChangeNOW, $447,000 to KuCoin, $340,000 to FixedFloat).
An inside job?
Zhao notes the team is investigating how hackers were able to "submit a new version" (Version 2.68) to the Chrome Web Store. This implies the hack was a compromise of the release pipeline.
The security failure likely involved a compromised employee or a rogue developer who had the credentials to push an update to the Google Web Store.

Dan Burgin
Vladislav Sopov
U.Today Editorial Team