Indian Police Detain Former Coinbase Employee Amid Data Breach Investigation

Each week, Information Security Media Group summarizes notable cybersecurity incidents within the digital assets sector. This week’s highlights include a $7 million Trust Wallet extension hack, the arrest of a former Coinbase support employee, a U.S. lawsuit against alleged scammers of a $14 million scheme, updates on a Polymarket hack, upcoming early release for the former Alameda CEO, and backlash surrounding Flow’s post-exploit rollback strategy linked to a holiday Bitcoin scam.
Trust Wallet Extension Compromised, Leading to $7 Million Loss
Recently, Trust Wallet reported that cybercriminals had siphoned approximately $7 million in cryptocurrency from nearly 3,000 wallet addresses by exploiting its Chrome browser extension. The incident began when hackers pushed a malicious update to the extension containing JavaScript designed to extract sensitive wallet data. Trust Wallet confirmed that the attackers used a compromised Chrome Web Store API key to circumvent internal security controls and bypass Google's review.
To address the breach, Trust Wallet urged users to update their browser extensions, revoked all corresponding APIs, and collaborated with the domain registrar NiceNIC to dismantle the data-exfiltration apparatus. Despite these efforts, phishing campaigns impersonating Trust Wallet persisted, further seeking to deceive users into divulging recovery seed phrases.
The company identified around 2,600 impacted wallets and initiated compensation for victims, while warning users against counterfeit support channels and encouraging them to diligently verify links and keep private keys secure.
Ex-Coinbase Support Personnel Apprehended in Connection with Data Breach
Authorities in India arrested a former Coinbase customer service representative in Hyderabad, accused of facilitating a data breach that compromised sensitive customer information. The arrest is part of an ongoing inquiry initiated by Coinbase CEO Brian Armstrong, which could potentially identify additional culpable parties.
The breach originated in May 2025, when it was disclosed that a group of rogue support agents allowed hackers to gain unauthorized access to a sensitive database. The assailants demanded a ransom of $20 million to prevent the public dissemination of stolen data, affecting approximately 69,500 customers and exposing crucial personal details including names, contact information, and the last four digits of Social Security numbers among other sensitive documentation.
It was revealed that the compromise stemmed from TaskUs, a customer support contractor located in India, whose employees had been bribed to provide unauthorized access. TaskUs stated that two individuals were implicated and that the affected department had been shut down.
U.S. SEC Files Suit Over Alleged $14 Million Social Media Fraud
The U.S. Securities and Exchange Commission (SEC) has filed charges against three cryptocurrency trading platforms and four investment clubs, allegedly involved in an extensive online scam that deceived investors out of more than $14 million.
According to SEC reports, the fraudulent operation extended for a year starting in January 2024, ensnaring victims within WhatsApp-based investment groups where swindlers masqueraded as financial experts. They distributed what officials described as AI-generated investment strategies to build false credibility and create a facade of profitability. Victims were directed to set up accounts on fake platforms such as Morocoin, Berge, and Cirkor, which conducted no actual trading.
The alleged fraudsters escalated their scheme by promoting fictitious token sales and imposing additional fees on investors attempting to access their funds. The SEC revealed that the misappropriated funds were funneled overseas via banking and cryptocurrency wallets.
Polymarket Links Account Takeovers to Third-Party Authentication Vulnerability
Polymarket, a decentralized prediction market platform, disclosed that a recent security incident affecting multiple user accounts was linked to vulnerabilities in a third-party authentication service. Users reported unauthorized access to their accounts, during which attackers executed unauthorized transactions and emptied their balances.
Affected individuals noted suspicious login attempts preceding the incidents, despite their devices and email accounts showing no indications of compromise. The breach appeared to primarily impact those who registered through Magic Labs, known for email-based logins that auto-generate non-custodial Ethereum wallets, a method often preferred by novice crypto users.
Polymarket confirmed the issue on its Discord platform, stating it affected a limited number of accounts and was promptly addressed. The firm has reached out to the impacted users but has not disclosed any specific details concerning the number of accounts affected or the overall financial losses.
Caroline Ellison of Alameda Research Set for Release Following Reduced Sentence
Caroline Ellison, the former co-CEO of Alameda Research, is scheduled for release from federal custody on January 2. She has spent her recent months in community confinement following a transfer from Connecticut, and her release follows a sentence reduction for her involvement in the FTX collapse.
Ellison pleaded guilty in December 2022 to various fraud and conspiracy charges. Her cooperation with federal prosecutors was instrumental in securing a conviction against FTX founder Sam Bankman-Fried, who subsequently received a 25-year prison sentence.
In September 2024, Ellison received a sentence of two years and was ordered to forfeit $11 billion. Notably, her early release comes about 10 months earlier than anticipated. The FTX bankruptcy proceedings credited Ellison with assisting in recovering substantial sums for creditors, and as part of her sentence, she has accepted a 10-year prohibition from serving as an officer in any public entities or cryptocurrency exchanges while being placed under supervised release.
Flow Faces Backlash Following Rollback Plan After $3.9 Million Exploit
The Flow blockchain has announced plans to resume operations following a rollback of its transaction history, targeting a checkpoint before a recent $3.9 million exploit made public on December 27. This decision has sparked criticism among cross-chain bridge operators and ecosystem partners.
Validators had approved the rollback after identifying an execution-layer vulnerability through which an attacker could artificially mint Flow and bridged assets, including WBTC and WETH. Alex Smirnov, co-founder of a bridging service, criticized Flow’s unilateral decision to proceed with the rollback without engaging key partners like major bridges and a centralized exchange, suggesting it would fail to deter the attacker, who had already removed the funds off-chain.
These actions are seen as potentially detrimental to honest users and liquidity providers transacting within the affected timeframe. deBridge has since implored Flow to consider a targeted hard fork to address the vulnerability and blacklist corrupt addresses rather than reverting the ledger. In response, Flow has committed to enhancing their stakeholder coordination and reviewing feedback as they navigate their recovery efforts.
Holiday Bitcoin Scam Tied to Grubhub Email Breach
During the Christmas season, Grubhub users and partner merchants reportedly received fraudulent emails suggesting a tenfold return on cryptocurrency investments if funds were sent to a designated wallet. These messages, misleadingly branded as a “holiday crypto promotion,” originated from email addresses affiliated with b.grubhub.com, casting doubt on their legitimacy due to the use of a real subdomain intended for partner communication.
In some instances, the emails contained recipients’ names, enhancing their credibility. The communication compelled recipients to act swiftly, suggesting a limited-time opportunity to engage, thus employing a classic crypto reward scam format whereby victims are misled into forwarding funds under the pretense of receiving enhanced returns.
While speculation arose regarding a possible DNS or email system compromise, Grubhub has not yet confirmed the specific technical weaknesses involved. However, the company indicated that the unauthorized messages were identified and quickly contained, and that it has taken measures to ensure the situation does not repeat.