SlowMist (@SlowMist_Team), Nov 12, 2022, 8 tweets
Quick 🧵 on the @FTX_Official hack

Total stolen so far: $417M

Hacker's addresses:
ETH / BSC / Avalanche: 0x59ab..d32b
Solana: 6sEk..hSHH

Thread Coverage:
1/ Assets Stolen
2/ Swapped / Bridged Funds
3/ Assets Frozen
4/ Platforms Used
5/ Notable Transactions
6/ Suspected Whitehats
Assets Stolen
Swapped/Bridged Funds

ETH Network: Swapped alts for $ETH and $DAI via various DEXs, and bridged 5,000,000 $MATIC to the Polygon network via the Polygon Bridge.

BSC Network: Bridged tokens to the ETH network via Stargate and Multichain.

Solana: Bridged 7,964 $ETH to the ETH network via the Wormhole Bridge.
Assets Frozen

So far, $USDT on #Avalanche and #Solana has been frozen by @Tether_to.

The only other assets that can be frozen are the 33,184.98 $PAXG tokens on the $ETH network.
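Whether a token in the stolen basket is freezable, and whether the issuer has already frozen the drainer address, can be checked on-chain rather than waiting for an announcement. The following is an added example, not SlowMist's code: it builds the JSON-RPC `eth_call` requests for the issuer freeze flags offline, computing the function selectors with a self-contained Keccak-256. It assumes, from the public contract sources, that Tether's USDT contract exposes `isBlackListed(address)` and Paxos's PAXG contract exposes `isFrozen(address)` (verify both on Etherscan before relying on them), and the subject address is a constructed placeholder, not the drainer address from the thread.

```python
"""Build eth_call requests that query an issuer's freeze flag for an address.

Added example, not SlowMist's code. Assumptions (verify against the verified
contract source on Etherscan): USDT exposes `isBlackListed(address) -> bool`,
PAXG exposes `isFrozen(address) -> bool`. Subject address is a placeholder.
"""
import json

MASK64 = (1 << 64) - 1

# Keccak-f[1600] round constants (standard table).
RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]


def _rol(v, n):
    n %= 64
    return ((v << n) | (v >> (64 - n))) & MASK64 if n else v


def _keccak_f(lanes):
    """Keccak-f[1600] on 25 little-endian 64-bit lanes, indexed x + 5*y."""
    for rc in RC:
        # theta: column parities folded back into every lane
        c = [lanes[x] ^ lanes[x + 5] ^ lanes[x + 10] ^ lanes[x + 15] ^ lanes[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        lanes = [lanes[i] ^ d[i % 5] for i in range(25)]
        # rho + pi: walk the (x, y) -> (y, 2x + 3y) orbit, so no offset table is needed
        b = [0] * 25
        b[0] = lanes[0]
        x, y = 1, 0
        for t in range(24):
            b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(lanes[x + 5 * y], (t + 1) * (t + 2) // 2)
            x, y = y, (2 * x + 3 * y) % 5
        # chi: non-linear row mixing
        lanes = [
            b[i] ^ (~b[(i % 5 + 1) % 5 + 5 * (i // 5)] & b[(i % 5 + 2) % 5 + 5 * (i // 5)])
            for i in range(25)
        ]
        # iota: round constant
        lanes[0] ^= rc
    return lanes


def keccak256(data: bytes) -> bytes:
    """Ethereum's Keccak-256 (pad 0x01 ... 0x80, not the SHA-3 0x06 suffix)."""
    rate = 136
    padded = bytearray(data) + b"\x01"
    padded += b"\x00" * ((rate - len(padded) % rate) % rate)
    padded[-1] |= 0x80
    lanes = [0] * 25
    for off in range(0, len(padded), rate):
        for i in range(rate // 8):
            lanes[i] ^= int.from_bytes(padded[off + 8 * i:off + 8 * i + 8], "little")
        lanes = _keccak_f(lanes)
    return b"".join(lane.to_bytes(8, "little") for lane in lanes)[:32]


def selector(signature: str) -> str:
    """4-byte function selector as 0x-prefixed hex."""
    return "0x" + keccak256(signature.encode("ascii")).hex()[:8]


def encode_address(addr: str) -> str:
    """ABI-encode an address argument: left-padded to 32 bytes, hex without prefix."""
    raw = bytes.fromhex(addr[2:] if addr.lower().startswith("0x") else addr)
    if len(raw) != 20:
        raise ValueError("address must be 20 bytes")
    return raw.rjust(32, b"\x00").hex()


# token -> (mainnet contract, freeze-flag view function). Assumed from the public
# contract sources; confirm both on Etherscan before relying on them.
FREEZE_CHECKS = {
    "USDT": ("0xdAC17F958D2ee523a2206206994597C13D831ec7", "isBlackListed(address)"),
    "PAXG": ("0x45804880De22913dAFE09f4980848ECE6EcbAf78", "isFrozen(address)"),
}


def freeze_check_calls(subject: str) -> dict:
    """One eth_call request per freezable token; each returns an ABI-encoded bool."""
    calls = {}
    for req_id, (token, (contract, sig)) in enumerate(FREEZE_CHECKS.items(), start=1):
        calls[token] = {
            "jsonrpc": "2.0",
            "id": req_id,
            "method": "eth_call",
            "params": [{"to": contract, "data": selector(sig) + encode_address(subject)}, "latest"],
        }
    return calls


def decode_bool(result_hex: str) -> bool:
    """Decode the 32-byte ABI bool an eth_call returns."""
    return int(result_hex, 16) != 0


if __name__ == "__main__":
    placeholder = "0x" + "42" * 20  # constructed; substitute the address under investigation
    for token, call in freeze_check_calls(placeholder).items():
        print(token, json.dumps(call))
```

Send each request body to any Ethereum JSON-RPC endpoint and pass the `result` field to `decode_bool`; a `true` means the issuer has already frozen that address for that token. Tokens without such a function (ETH, DAI, bridged assets) have no issuer freeze to check, which is why the thread lists only USDT and PAXG as freezable.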
Notable Transactions

1/ FTX Accounts Drainer bridged 4,375 ETH from BSC to Polygon via Multichain.

Current Status: "Big Amount"
anyswap.net/explorer/tx?pa…

2/ On the Solana chain, the drainer returned 3,138.99 BTC, 4,152.98 soETH and 155,840.75 soChainlink back to the FTX US hot wallet.
Suspected Whitehats

EOA 1: 0xd801..a969
Contract 1: 0x97f9..1E5c
Contract 1 is a multi-signature contract address, labeled as FTX by @etherscan.

EOA 2: 0x8b41..ae4a
Contract creation fees originated from @BinanceUS.
Update: the FTX Bitcoin wallet was affected too. 3,871.69 $BTC was stolen as well. That's another ~$65 million.

All funds were sent to 325gSHHe7UGvzEc9kGx43VqPboXUVwa26i


More from @SlowMist_Team

Dec 26, 2025
🚨SlowMist: Analysis of Trust Wallet Browser Extension Hack🚨

Today, @TrustWallet issued a statement confirming that version 2.68 of the Trust Wallet browser extension contains a security risk. Below is our detailed breakdown:👇
1️⃣A diff comparison between v2.67 and v2.68 revealed malicious code secretly inserted into the 2.68 update. This injected code iterates through all wallets stored in the extension, triggering a get mnemonic phrase request for each wallet. The encrypted mnemonic is then decrypted using the password or passkeyPassword entered during wallet unlock.

🕸️Once decrypted, the mnemonic phrase is sent to the attacker’s server: api.metrics-trustwallet[.]com

👁️Further analysis of domain information shows that the domain metrics-trustwallet[.]com used by the attacker was registered on 2025-12-08 02:28:18 (registrar: NICENIC INTERNATIONAL). Network records indicate the first requests to api.metrics-trustwallet[.]com began on 2025-12-21, which aligns with the code backdoor insertion time on Dec 22.
2️⃣We further traced and reproduced the entire attack flow through code execution:

👉 After unlocking the wallet, the attacker populates the mnemonic data into the “Error” field (visible in register R1); this Error data is obtained through a call to the GET_SEED_PHRASE function.

👉 When the wallet is unlocked, the attacker obtains the password or passkeyPassword, then calls GET_SEED_PHRASE to retrieve the wallet’s mnemonic phrase (similarly for the private key), and then places the mnemonic phrase into the “errorMessage.”

👉 Traffic analysis through BurpSuite reveals that after retrieving the mnemonic, it is wrapped inside the request body’s errorMessage field and then transmitted to the malicious server (https[://]api[.]metrics-trustwallet[.]com), matching our previous assessment.

🧵Additionally, it appears the attacker is familiar with the extension source code, leveraging an open‑source full‑chain analytics platform — PostHog JS — to harvest wallet user information.
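The exfiltration pattern described above (the decrypted mnemonic wrapped in the request body's errorMessage field and POSTed to api.metrics-trustwallet[.]com) is something an egress proxy log can be swept for. The following is an added detection example, not SlowMist's code: it flags requests to the IOC host and, independently of the host, any JSON body whose errorMessage carries a mnemonic-shaped phrase, so a rotated domain is still caught. The log format (one JSON object per line with ts/method/host/path/body) and every log line are constructed for this example; the 12-word phrases are made up, not real wallet seeds.

```python
"""Sweep egress proxy logs for the mnemonic-in-errorMessage exfil pattern.

Added example, not SlowMist's code. Log format and all sample lines are constructed.
"""
import json
import re

IOC_HOSTS = {"api.metrics-trustwallet.com"}   # host named in the analysis (defanged in the thread)
BIP39_LENGTHS = {12, 15, 18, 21, 24}           # valid BIP39 mnemonic word counts
WORD = re.compile(r"[a-z]{3,8}")               # BIP39 English words are 3-8 lowercase letters


def looks_like_mnemonic(text: str) -> bool:
    """Mnemonic-shaped: a valid BIP39 word count, every token a plausible wordlist entry."""
    words = text.split()
    return len(words) in BIP39_LENGTHS and all(WORD.fullmatch(w) for w in words)


def find_error_messages(node):
    """Yield every string stored under an `errorMessage` key, at any JSON depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "errorMessage" and isinstance(value, str):
                yield value
            yield from find_error_messages(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_error_messages(item)


def inspect_request(entry: dict) -> list:
    """Return the rule names a single request trips (empty list if clean)."""
    reasons = []
    if entry.get("host", "").lower() in IOC_HOSTS:
        reasons.append("host matches exfil IOC")
    try:
        payload = json.loads(entry.get("body") or "null")
    except ValueError:
        payload = None   # non-JSON body: nothing to walk
    if any(looks_like_mnemonic(m) for m in find_error_messages(payload)):
        reasons.append("errorMessage carries a mnemonic-shaped phrase")
    return reasons


def scan(log_lines):
    """Return (ts, host, reasons) for every request that trips at least one rule."""
    hits = []
    for line in log_lines:
        entry = json.loads(line)
        reasons = inspect_request(entry)
        if reasons:
            hits.append((entry["ts"], entry["host"], reasons))
    return hits


# Constructed sample log: one benign fetch, the exfil POST, a genuine error
# report, and an exfil attempt via a different host with a nested field.
SAMPLE_LOG = [
    json.dumps({"ts": "2025-12-25T10:00:01Z", "method": "GET", "host": "assets.example.com",
                "path": "/tokens.json", "body": ""}),
    json.dumps({"ts": "2025-12-25T10:00:02Z", "method": "POST", "host": "api.metrics-trustwallet.com",
                "path": "/e", "body": json.dumps({"event": "error", "errorMessage":
                "apple brave cloud dance eagle frost giant honey ivory jolly kite lemon"})}),
    json.dumps({"ts": "2025-12-25T10:00:03Z", "method": "POST", "host": "telemetry.example.com",
                "path": "/v1", "body": json.dumps({"errorMessage": "Network request failed: 503"})}),
    json.dumps({"ts": "2025-12-25T10:00:04Z", "method": "POST", "host": "cdn.example.net",
                "path": "/log", "body": json.dumps({"events": [{"props": {"errorMessage":
                "mango night ocean piano queen river sugar tiger uncle violin water yellow"}}]})}),
]

if __name__ == "__main__":
    for ts, host, reasons in scan(SAMPLE_LOG):
        print(ts, host, "; ".join(reasons))
```

The host match is the cheap, exact rule; the mnemonic-shape rule is the one that survives a domain rotation, at the cost of occasional false positives on 12-word lowercase error strings, which is why both reasons are reported separately rather than collapsed into one score.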
Nov 25, 2025
1/ Recently, the Multilateral Sanctions Monitoring Team (MSMT) released a report detailing how the #DPRK leverages cyber operations, overseas IT workers, and cryptocurrency schemes to evade UN sanctions, steal sensitive technology, and generate significant revenue.

🔐We summarize key findings from the report to help readers quickly understand the evolving trends and tactics of DPRK cyber threats — enhancing awareness and resilience against complex cybersecurity risks (This post does not represent any stance regarding the report’s conclusions‼️).

📎Report: msmt.info/Publications/d…
2/ 🔍DPRK Cyber Program

MSMT notes that DPRK cyber capabilities have rapidly advanced — now approaching the level of major cyber powers — with expanding #APT groups, research hubs, and global operations centered on both espionage and revenue generation.📊 Image
3/ 💸Cryptocurrency Theft Activity

1️⃣Revenue & Impact:
• 2024: $1.19B+ stolen → ~50% YoY increase;
• Jan–Sep 2025: $1.645B stolen.
➡️Total: $2.8B+ (Jan 2024–Sep 2025)
• In 2024, ~⅓ of DPRK’s foreign currency income came from crypto theft.

2️⃣Groups & Organizations:
#TraderTraitor, #CryptoCore, #CitrineSleet + DPRK IT Workers.

3️⃣TTPs (Techniques, Tactics & Procedures):
• Social Engineering & Spear-#Phishing (e.g., Contagious Interview, #ClickFake, #Wagemole)
• Ransomware & Sale of Stolen Data
• Collaboration with Foreign Cybercriminals
• Leveraging Artificial Intelligence Tools 🤖
May 21, 2023
Brief Analysis of TornadoCash Governance Exploit

On May 20, 2023, @TornadoCash suffered a governance attack, in which exploiters took control of the governance of TornadoCash by executing a malicious proposal.

Let's see how it happened:

Exploiters first created the proposal… twitter.com/i/web/status/1…
On 2023-05-13 at 7:22 (UTC), exploiters initiated the #20 proposal and explained in the proposal that the #20 proposal is a supplement to the #16 proposal and has the same execution logic.
But in fact, the proposal contract has extra self-destruct logic, and its creator, 0x7dC86183274b28E9f1a100a0152DAc975361353d, was created through create2 and has a self-destruct function, so after it self-destructed with the proposal contract, the exploiters could still… twitter.com/i/web/status/1…
May 19, 2023
🚨SlowMist Security Alert 🚨

On May 11th, a user reported a phishing attack leading to the loss of their wallet assets, raising security concerns around permit signatures. This thread is dedicated to understanding the nature of this theft and how we can stay secure.🔐👇

Full… twitter.com/i/web/status/1…
The victim reported that they inadvertently clicked on a phishing website (syncswap[.]network) and ended up losing over $100. As insignificant as this may seem, it emphasizes the potential security risks in the blockchain space.🔗

An analysis of the transactions reveals a… twitter.com/i/web/status/1…
We found an additional permit operation related to the contract caller address. To understand its implications, we need to first understand what a permit is. In the ERC20 protocol, it allows users to interact with smart contracts using an authorization signature (permit). 📝💼… twitter.com/i/web/status/1…
May 19, 2023
🚨SlowMist Security Alert🚨

Recently, there have been a lot of asset thefts caused by shared #Apple IDs. We believe that the key is "apps are not bound to device codes".
1/ This is an issue prevalent in 99% of #wallets, trading apps, and other apps. It's a concern we've voiced a long time ago. However, due to it not being considered in the initial stages of app design, the majority of apps in the market have yet to rectify this issue.
2/ This lack of binding can lead to data being dragged off or maliciously synchronized to other devices, resulting in potential breaches. Combined with other techniques such as social engineering, brute force attacks to obtain passwords, this can lead to theft of assets.
Mar 21, 2023
How effective is GPT for auditing smart contracts?

We conducted a series of tests to assess the performance of GPT-3.5(Web), GPT-3.5-turbo-0301, and GPT-4(Web) in detecting vulnerabilities within Solidity smart contracts.

🧵👇 for TLDR
slowmist.medium.com/how-effective-…
Test Environment & Methodology:

We utilized simple vulnerability codes and moderately complex vulnerability codes as test cases.

The comparative analysis focused on the three GPT models' ability to identify these vulnerabilities.
Test Results:

For simple vulnerabilities, all three GPT models performed well. However, when it came to more complex vulnerabilities, the models fell short.

GPT-4(Web) showcased exceptional readability but didn't surpass GPT-3.5(Web) or GPT-3.5-turbo-0301 during auditing.