Trust Wallet iMessenger Exploit Alert False Flag for Recent Security Failings and iOS App Vulnerabilities?

Key Takeaways

• Trust Wallet has sounded the alarm on a $2 million iMessage exploit package.
• Between 2017 and 2023 over $1 million BTC is estimated to have been lost to the vulnerability.
• Over 6500 ‘weak wallets’ may still be vulnerable to theft.

Following a streak of hacks, data breaches, and security issues, Binance’s very own Trust Wallet has alerted the crypto community to a new, unverified vulnerability in iMessage.

But it is not clear whether the vulnerability comes from Trust Wallet’s iOS app, a $2 million darkweb iMessages hacking kit, or a bug in Apple’s tech.

iMessage “Zero-Day” Exploit

Trust Wallet sounded the alarm on Monday, alerting the crypto community to a potential vulnerability in iMessage. Their evidence? A dark web marketplace called CodeBreach Lab advertising a $2 million zero-day iMessage exploit.

According to Trust Wallet, the situation isn’t exclusive to them and is “crypto-wide,” although MetaMask. As per their Twitter posts, users should disable iMessage and wait for Apple to patch the exploit.

The remote code execution (RCE) zero-day exploit supposedly allows the hacker to infiltrate a user’s iPhone without requiring them to click any links. For further context, a zero-day exploit is a technique that targets an unknown security flaw to access a system. Hence, the vendor has “zero days” to fix the issue.

There is no evidence that the exploit has been used or purchased for the $2 million price tag. Most interestingly of all, cybersecurity expert Dominic Alvieri believes this exploit advert to be fake.

We reached out to Trust Wallet with regards to the matter, they clarified:

“Notably, we’re not the only ones who have discovered this information; several other non-Trust Wallet security experts are involved as well. We felt it was crucial to share this rather than remain silent.”

However they didn’t address comments on the investigations into their iOS vulnerabilities. We have reached out to Apple and Alvieri who did not immediately respond.

Trust Wallet iOS Vulnerabilities

But, the matter isn’t clear cut and follows two separate investigations that found Trust Wallet iOS vulnerabilities dating back to 2018. According to analysts, on-chain data shows that between June 2017 and June 2024,

According to a January analysis from SECBIT Labs , on-chain data shows that the vulnerability affected wallets created between June 2017 and June 2024. Despite many wallets forking from Trust Wallet “[…]they may historically be or continue to be vulnerable.”

Additional investigation from Milk Sad  replicated similar results, adding that over 6500  Trust Wallet iOS addresses were still vulnerable. Findings estimate that the total BTC  ‘weak wallets’ have lost over $1 million to theft.

Without getting too technical, the reason behind the vulnerability appears to be a combination of issues. Firstly, a misuse of the “trezor-crypto library” by applying default cryptography to it. Secondly, SECBIT notes that the iOS app generates seeds in a manner unsuitable for cryptographic purposes, making them weak with predictable values and, therefore, vulnerable to brute force attacks.

Another investigation  from the U.S National Institute of Standards and Technology (NIST), centered itself on this very security flaw. After looking at how the application was improperly utilizing the trezor-crypto library for mnemonic keys, it ranked the vulnerability 7.5 out of 10.

So What’s Happening?

No matter how you look at it, things aren’t looking good for Trust Wallet. Its long spate of security troubles, along with this latest development, doesn’t bode well for a crypto wallet owned by the world’s leading cryptocurrency exchange, Binance.

Furthermore, the alert to the dark web vulnerability has only drawn skepticism to the fact that again, there is no evidence – as of yet – that the zero-day RCE hack package was sold or employed in any fashion.

Apple has yet to confirm if there is any issue on their side or if iMessage has been compromised. In the end, a lot of doubt has been cast over Trust Wallet’s intel and the intentions behind this alert.