Trust Wallet Raises Alarm Over Zero-Day Exploit Threat on iMessage

The company explained that the vulnerability poses a direct threat to crypto wallets on iPhones with iMessage enabled.

Trust Wallet has urged Apple users to disable iMessage, citing a zero-day exploit that it says can compromise iPhones and reach crypto wallets without any user interaction; CEO Eowyn Chen backed the claim. Some industry experts are skeptical of the evidence offered, but the warning came shortly after Apple patched other actively exploited iOS vulnerabilities. Meanwhile, other crypto-related crimes have been reported, including a multi-million dollar cryptojacking scheme allegedly run by Charles O. Parks III and a breach of the Grand Base tokenization protocol that caused large financial losses. The Filecoin Foundation is also still dealing with unauthorized activity in the Filecoin Liquid Staking protocol.

iPhone Security Under Threat

Crypto wallet provider Trust Wallet has issued a warning to Apple users to disable iMessage after receiving what it calls “credible intel” about a zero-day exploit that could allow hackers to take control of users' phones. The alert was shared on X, stating that the exploit is particularly dangerous because it can compromise iPhones without the user clicking on any link (a so-called zero-click exploit), and that people with high-value accounts are at the greatest risk.

Trust Wallet said the vulnerability is a direct threat to crypto wallets on iPhones with iMessage enabled. Its CEO, Eowyn Chen, backed the claim by posting a screenshot of an alleged dark web listing offering the exploit for $2 million.

However, the warning has been met with skepticism by some in the industry. A pseudonymous blockchain researcher, Beau, criticized the firm's reliance on a screenshot as proof, arguing that such evidence is not sufficient to substantiate the claim of an iOS vulnerability. Beau believes that the alert could cause unnecessary panic among users.

The reaction on X was large, with more than 1.2 million views of the post in the first four hours. Responding to the criticism, Trust Wallet later stated that its information came from its security team and partners who continuously monitor for threats.

The incident comes shortly after Apple released emergency updates to address two other zero-day vulnerabilities in iOS that were being actively exploited last month. Security researchers have previously noted that Apple's iMessage is a common target for attackers, since it parses attachments and previews from unknown senders before the user opens anything.

Concerningly, cybersecurity firm Halborn reported last month that more than 280 blockchain networks are susceptible to zero-day exploits, potentially endangering approximately $25 billion in cryptocurrency.

What is a Zero-Day Exploit?

A zero-day attack exploits a software vulnerability unknown to the vendor or developer, often discovered only after an attack has already taken place. The vendor has had "zero days" to fix the issue, hence the term. Keeping software updated and using host intrusion prevention systems remain the main defenses, but both depend on the flaw being known: a patch cannot exist for a bug the vendor has not seen, and even fully updated antivirus software may not detect a zero-day exploit because it targets a vulnerability that is not yet publicly recognized. Against zero-click attacks delivered through messaging apps, reducing the attack surface matters more than signatures; Apple's Lockdown Mode, for example, blocks most iMessage attachment types and link previews.

Zero-day vulnerabilities are analogous to an unlocked car door that the owner mistakenly believes is locked. They can be exploited without immediate detection, allowing attackers to access sensitive data. Both criminal hackers and government security agencies have been known to exploit zero-day vulnerabilities for their respective purposes, whether theft, surveillance, or other objectives. Governments in particular are major buyers in the market for zero-day exploits because of their demand for surveillance tools.

The trade in zero-day vulnerabilities happens across several markets. In the black market, criminals exchange information on exploiting software vulnerabilities. In the gray market, researchers and companies sell this information to military and intelligence agencies. In the white market, companies pay security researchers to find and report vulnerabilities so they can be patched before being exploited by criminals.

Prices for zero-day exploits vary widely depending on their utility and the market, and buyers often require a proof of concept before a transaction is completed. While zero-day attacks can sound severe, their actual threat varies, and some governments find simpler methods to achieve similar objectives without needing these exploits.

Man Charged in Multi-Million Dollar Cryptojacking Scam

Meanwhile, Charles O. Parks III, known by the alias “CP3O,” has been charged by U.S. prosecutors with wire fraud, money laundering, and engaging in unlawful monetary transactions after allegedly running a large-scale cryptojacking operation that defrauded two well-known cloud computing providers of $3.5 million. According to the Brooklyn U.S. Attorney's Office, Parks used the illicitly obtained computing power to mine cryptocurrencies worth about $970,000, including Ether (ETH), Litecoin (LTC), and Monero (XMR).

Parks created multiple fraudulent accounts under a number of fake names and corporate identities, like MultiMillionaire LLC and CP3O LLC, to access enhanced services and deferred billing from these cloud providers—one based in Seattle and the other in Redmond, Washington. The operation ran from January to August of 2021, during which Parks managed to avoid payment while consuming huge amounts of resources from the companies.

As the providers began to question the unusual data usage and unpaid bills, Parks allegedly engaged in further deceit to maintain access. He is accused of laundering the proceeds from his mining activities through a decentralized crypto exchange and a New York City-based NFT marketplace, among other channels. He allegedly structured transactions to stay below the $10,000 reporting threshold, often transferring sums just under that amount.
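The pattern described above, many transfers each sitting just below a reporting threshold, is detectable in transaction data. The following is an added example written for this article, not code from the case or from any exchange: a sliding-window rule that flags a source whose sub-threshold transfers within a look-back window add up to the threshold or more. The $10,000 threshold is the figure named above; the 10% "near" band, the 7-day window, and the sample transfers are constructed assumptions.

```python
"""Structuring detection: flag a source that splits value into several
transfers each just below a reporting threshold.

Added example, not from the article or any court filing. The near-threshold
band, look-back window and sample transfers are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 10_000.0        # reporting threshold (USD) named in the article
NEAR_BAND = 0.10            # assumption: "just under" = within 10% below threshold
WINDOW = timedelta(days=7)  # assumption: aggregate a source's transfers over 7 days

# Constructed sample records: (ISO timestamp, source, destination, amount in USD)
SAMPLE_TRANSFERS = [
    ("2021-06-01T10:00:00", "wallet_A", "exchange_X", 9_800.0),
    ("2021-06-01T15:30:00", "wallet_A", "exchange_X", 9_950.0),
    ("2021-06-02T09:10:00", "wallet_A", "nft_market", 9_700.0),
    ("2021-06-03T11:45:00", "wallet_B", "exchange_X", 2_500.0),   # small, not near threshold
    ("2021-06-03T12:00:00", "wallet_B", "exchange_X", 12_000.0),  # above threshold: reportable, not structuring
    ("2021-06-20T08:00:00", "wallet_A", "exchange_X", 9_900.0),   # outside the 7-day window of the earlier burst
]


def is_near_threshold(amount, threshold=THRESHOLD, band=NEAR_BAND):
    """True when amount sits in the band just below the threshold."""
    return threshold * (1 - band) <= amount < threshold


def find_structuring(transfers, threshold=THRESHOLD, window=WINDOW, band=NEAR_BAND):
    """Return {source: {"count", "total", "transfers"}} for every source whose
    near-threshold transfers inside some `window` add up to `threshold` or more.

    Sliding window over each source's near-threshold transfers in time order.
    A single transfer never triggers: on its own it is just a payment that
    happens to be below the threshold, not evidence of splitting."""
    by_source = defaultdict(list)
    for ts, src, dst, amt in transfers:
        if is_near_threshold(amt, threshold, band):
            by_source[src].append((datetime.fromisoformat(ts), dst, amt))

    alerts = {}
    for src, rows in by_source.items():
        rows.sort()
        implicated = set()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:   # shrink window from the left
                start += 1
            group = rows[start:end + 1]
            if len(group) >= 2 and sum(r[2] for r in group) >= threshold:
                implicated.update(group)
        if implicated:
            hits = sorted(implicated)
            alerts[src] = {
                "count": len(hits),
                "total": round(sum(r[2] for r in hits), 2),
                "transfers": [(t.isoformat(), d, a) for t, d, a in hits],
            }
    return alerts


if __name__ == "__main__":
    for src, alert in find_structuring(SAMPLE_TRANSFERS).items():
        dests = {d for _, d, _ in alert["transfers"]}
        print(f"{src}: {alert['count']} transfers totalling ${alert['total']:,.2f} "
              f"across {len(dests)} destinations")
```

On the sample data only wallet_A is flagged: three transfers totalling $29,450 within two days, while its fourth transfer falls outside the window and wallet_B's single $12,000 payment is simply reportable. In a real deployment the band and window are the tuning knobs, and the destination count is worth surfacing because splitting across several exchanges and marketplaces is itself a signal.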

Parks was arrested in Nebraska on Apr. 13 and faces a maximum sentence of 50 years in prison if convicted on all charges. His purchases allegedly included a luxury Mercedes-Benz, jewelry, and first-class travel. U.S. Attorney Breon Peace said his office is committed to prosecuting people who use advanced technologies to carry out traditional fraud schemes. Parks is scheduled for a court appearance in Omaha on Apr. 16.

Grand Base Token Value Plummets After Exploit

The Base ecosystem also saw one of the latest incidents of crypto crime. The Grand Base tokenization protocol, which facilitates the creation of ERC-20 tokens representing real-world assets and runs on Coinbase's layer-2 blockchain Base, suffered a security breach leading to the loss of $1.7 million. An attacker compromised a private key and used it to access the protocol's contracts. The breach happened early on Apr. 15, according to a protocol administrator in the Grand Base Telegram chat, who also warned users against interacting with the compromised contract.

Blockchain analytics firms PeckShield and CertiK provided further details on the incident. PeckShield reported that the stolen funds were quickly converted to ETH and moved to an external address. CertiK's analysis suggested that the attacker took control of the deployer contracts, which allowed the unauthorized minting of a large number of GB tokens that were then sold off. The protocol's native token plunged 99% in value within 24 hours.

In response to the breach, Grand Base personnel told the community that they had tracked the attacker's wallet addresses and were coordinating with centralized exchanges to freeze any transferred funds. Despite these efforts, sentiment in the Grand Base community has turned negative, with users advising each other to withdraw from the protocol and stop further investments.

Grand Base, which launched less than five months before the exploit, set out to offer a platform for tokenizing real-world assets and providing liquidity to earn rewards. The future of the protocol now hangs in the balance as the team works to address the security lapse and restore trust among its users.

Filecoin's Ongoing Struggle

The Filecoin Foundation, a nonprofit dedicated to supporting the Web3 storage protocol Filecoin, is currently dealing with the aftermath of unauthorized activities in the Filecoin Liquid Staking (STFIL) protocol. Early in April, the STFIL protocol experienced a halt in withdrawals after a developer wallet conducted several unexpected upgrades and moved $23 million in Filecoin tokens to an unknown address. This issue escalated when the STFIL team disclosed on Apr. 8 that core technical members had been detained by local Chinese authorities, and these upgrades and transactions happened during their detention.
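Both the Grand Base and STFIL incidents share a root cause: one private key (a deployer account in Grand Base's case, a developer wallet in STFIL's) was sufficient to mint tokens or upgrade contracts and move funds. The following is an added example, a Python model of the control logic a practitioner would want in front of such privileged actions, and is not the code of Grand Base, STFIL or any real protocol. It shows mint and upgrade gated by a k-of-n signer quorum, a per-epoch mint cap that bounds the damage even if a quorum is compromised, and a timelock on upgrades so holders can exit before a malicious upgrade takes effect. The signer names, the 2-of-3 threshold, the cap and the 48-hour delay are assumptions chosen for illustration.

```python
"""Model of privileged-action control for a token protocol: mint and upgrade
need k-of-n signer approval, minting is capped per epoch, and upgrades are
timelocked. Added example, not any real protocol's code; signers, threshold,
cap and delay are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Proposal:
    pid: int
    kind: str              # "mint" or "upgrade"
    payload: int           # mint amount, or new implementation id
    created_at: int        # proposal time in seconds (stands in for a block timestamp)
    approvals: set = field(default_factory=set)
    executed: bool = False


class Governed:
    def __init__(self, signers, threshold, mint_cap, upgrade_delay):
        assert 1 <= threshold <= len(signers)
        self.signers = set(signers)
        self.threshold = threshold          # approvals required to execute anything
        self.mint_cap = mint_cap            # max tokens mintable per epoch
        self.upgrade_delay = upgrade_delay  # seconds between proposal and upgrade
        self.proposals = {}
        self.total_supply = 0
        self.minted_this_epoch = 0
        self.implementation = 1
        self._next_pid = 1

    def propose(self, signer, kind, payload, now):
        if signer not in self.signers:
            raise PermissionError("unknown signer")
        p = Proposal(self._next_pid, kind, payload, now)
        p.approvals.add(signer)             # the proposer's approval counts
        self.proposals[p.pid] = p
        self._next_pid += 1
        return p.pid

    def approve(self, signer, pid):
        if signer not in self.signers:
            raise PermissionError("unknown signer")
        self.proposals[pid].approvals.add(signer)

    def execute(self, pid, now):
        p = self.proposals[pid]
        if p.executed:
            raise RuntimeError("already executed")
        if len(p.approvals) < self.threshold:
            raise PermissionError(f"{len(p.approvals)}/{self.threshold} approvals")
        if p.kind == "mint":
            if self.minted_this_epoch + p.payload > self.mint_cap:
                raise ValueError("mint exceeds per-epoch cap")
            self.minted_this_epoch += p.payload
            self.total_supply += p.payload
        else:  # upgrade
            if now < p.created_at + self.upgrade_delay:
                raise RuntimeError("timelock not elapsed")
            self.implementation = p.payload
        p.executed = True
        return True


def _attempt(fn, *args):
    # Run a privileged call; return True on success or the rejection reason.
    try:
        return fn(*args)
    except (PermissionError, ValueError, RuntimeError) as exc:
        return f"rejected: {exc}"


def scenario():
    """A single compromised signer key tries to drain the token, then quorum
    actions are tried inside and outside the guard rails."""
    g = Governed(["alice", "bob", "carol"], threshold=2,
                 mint_cap=1_000_000, upgrade_delay=48 * 3600)
    out = {}
    # attacker holds only alice's key and proposes minting 1e9 tokens
    pid = g.propose("alice", "mint", 10**9, now=0)
    out["single_key_mint"] = _attempt(g.execute, pid, 0)
    # even with a second signer, the per-epoch cap blocks the drain
    g.approve("bob", pid)
    out["quorum_over_cap"] = _attempt(g.execute, pid, 0)
    # a capped mint with quorum goes through
    pid2 = g.propose("alice", "mint", 500_000, now=0)
    g.approve("carol", pid2)
    out["quorum_within_cap"] = _attempt(g.execute, pid2, 0)
    # an approved upgrade cannot take effect before the timelock elapses
    pid3 = g.propose("bob", "upgrade", 2, now=100)
    g.approve("alice", pid3)
    out["upgrade_early"] = _attempt(g.execute, pid3, 100)
    out["upgrade_after_delay"] = _attempt(g.execute, pid3, 100 + g.upgrade_delay)
    out["total_supply"] = g.total_supply
    out["implementation"] = g.implementation
    return out
```

Running `scenario()` shows the lone compromised key rejected for lack of a quorum, the quorum-approved but oversized mint rejected by the cap, and the upgrade rejected until 48 hours have passed. The design point is that each control catches a different failure: the quorum defends against one stolen key, the cap bounds the loss if several are stolen, and the timelock turns a silent upgrade into a public, reversible event.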

Danny O’Brien, a senior fellow at the foundation, said in a social media post on Apr. 13 that the foundation has enlisted a legal representative in China to investigate the situation. He is confident that the detained STFIL team members are in police custody, although it remains unclear whether the police have control of the transferred funds. The foundation expects more definitive information within the next week and plans for its lawyer to represent all affected staking providers and leasers in potential court proceedings.

O’Brien committed to providing any new updates once the details of their approach are solidified. He also urged those who lost funds to submit their contact information through a designated Google Doc or Slack Channel to make communication and support possible.

Filecoin operates as a decentralized storage solution that enables PC owners to rent out disk space, securing transactions with FIL tokens as collateral. Through FIL staking, token holders can lend their tokens to storage providers, earning a share of the fees generated.

The STFIL protocol, in particular, aggregates FIL tokens for staking through a network of trusted providers. Users typically receive STFIL tokens equivalent to their deposited FIL plus any accrued staking rewards. However, due to the recent disruptions, the redemption of these tokens has been suspended.

This incident is not isolated among Web3 protocols in China. In an earlier case, the Multichain platform saw over $1.5 billion frozen after the arrest of its development team, with no recovery of funds to date. Fantom, which was heavily affected by the Multichain situation, was involved in bankruptcy proceedings in March while pursuing the lost funds through legal channels, a process expected to take years, according to Fantom co-founder Andre Cronje.