Is Trust Wallet Safe? 2026 Security Review for Australians
How Trust Wallet's security architecture works, its documented incident history, and the scams that target its users — the verified facts for 2026.
By YCG Research Desk
Published 12 June 2026
Fact-checked & updated 12 June 2026
Trust Wallet is a free, self-custody hot wallet: private keys are generated and stored on the user’s own device, never on a company server. Its cryptographic core is open-source and independently audited, but it has two documented security incidents, both in its browser extension, and no Australian compensation scheme covers losses. The record, set out below, is what readers can weigh.
This review covers the architecture, the incident history, the scams that drive most reported losses, and what a hot wallet structurally cannot do — the same framework we apply across our crypto wallet guides.
What Trust Wallet is
Trust Wallet was founded in 2017 by developer Viktor Radchenko as an Ethereum token wallet and now supports more than 100 blockchains through a mobile app (iOS and Android) and a browser extension. Trust Wallet states it has more than 200 million users worldwide, making it one of the most downloaded self-custody wallets.
The ownership history matters because it is frequently misreported. Binance acquired Trust Wallet in July 2018 — its first acquisition. Binance subsequently sold its shareholding, and in 2025 a Binance spokesperson confirmed that Trust Wallet is a separate legal entity, not part of the Binance group, operating independently of Binance.com. Throughout every ownership phase the wallet has been non-custodial: no parent company ever held users’ private keys.
Non-custodial is the defining design choice. Trust Wallet’s terms of service state that the company does not gain or retain users’ wallet passwords, private keys or secret phrases, and that users bear “exclusive responsibility for the preservation and security” of their recovery phrase. The terms expressly disclaim liability for losses that follow from a lost or stolen phrase.
How the security architecture works
Trust Wallet’s published security documentation describes the following architecture:
- On-device key storage. Private keys are generated on the device, encrypted with AES, and never transmitted over the internet. The app passcode is hashed and held in the device’s tamper-resistant key store, and the app can require biometric authentication before transactions.
- Open-source cryptographic core. The key-handling library, Wallet Core, is published under an open-source licence on GitHub, where its code and audit directory are publicly inspectable. The full consumer application is not entirely open-source.
- Third-party audits. Trust Wallet states it commissions more than 30 audits annually. Published reports include CertiK and Cure53 (2023, browser extension), Kudelski (2023, cryptography), Salus (2024, penetration testing), and Halborn and Quantstamp (2024–2025, swap and smart-account contracts).
- Transaction risk screening. A built-in Security Scanner assigns a risk level to outgoing transactions and flags known malicious addresses and dApps. Screening tools reduce, but do not eliminate, exposure to fraudulent transactions.
- Bug bounty and disclosure policy. A public vulnerability-disclosure programme operates through the wallet-core repository; the 2022 vulnerability described below was reported through it.
- Hardware wallet integration. The browser extension supports Ledger devices, allowing keys to remain on a hardware device while using Trust Wallet’s interface.
None of this makes the wallet immune to compromise. It is a hot wallet: the keys live on an internet-connected device and share that environment with every app, browser tab and message the device receives.
The documented incident history
| Date | What happened | Documented losses | Company response |
|---|---|---|---|
| Nov 2022 (disclosed Apr 2023) | A WebAssembly flaw in Wallet Core used a weak random-number generator (Mersenne Twister with a 32-bit seed), making addresses created in the browser extension between 14–23 Nov 2022 computable by attackers. Found by Ledger Donjon researchers via the bug bounty. | ~US$170,000 | Public post-mortem; reimbursement of verified losses plus gas-fee assistance to migrate remaining vulnerable addresses |
| Dec 2025 | A malicious browser extension version (v2.68) was published to the Chrome Web Store on 24 Dec 2025 using a Chrome Web Store API key leaked in the November 2025 “Sha1-Hulud” npm supply-chain incident. It executed unauthorised transactions until flagged on 25–26 Dec. | ~2,520 addresses drained; ~US$8.5 million traced to 17 attacker addresses (Trust Wallet figures) | Clean v2.69 rollback within days; public incident updates; voluntary reimbursement programme through verified support channels |
Two patterns in the record are worth noting. First, both incidents involved the browser extension; Trust Wallet states the mobile app was unaffected in each case. Second, in both cases the company published post-mortems and reimbursed users — voluntarily, since no law required it. A voluntary reimbursement is a precedent, not a guarantee.
Where most losses actually occur: scams targeting users
The search phrase “Trust Wallet scams” is more common than questions about the software itself, and the loss data explains why. The National Anti-Scam Centre’s Targeting Scams Report recorded $2.18 billion in total reported Australian scam losses in 2025, with investment scams the largest category at $837.7 million — and crypto a preferred payment channel because transfers are irreversible. These scams exploit the user, not Trust Wallet’s code:
- Seed-phrase phishing. Emails, texts or pop-ups impersonating Trust Wallet “support” ask users to verify, migrate or re-validate their wallet by entering the 12-word recovery phrase. Trust Wallet states it never asks for the phrase, through any channel. Entering it on any website hands over the entire wallet. The same impersonation playbook appears in the CoinSpot scam texts circulating in Australia.
- Fake Trust Wallet apps and websites. Cloned apps on third-party stores, look-alike domains and paid search ads distribute modified wallets that capture phrases or generate attacker-controlled addresses. Trust Wallet publishes verification guidance: download only from the official site’s links to the Apple App Store or Google Play, and check the developer name.
- Token-approval drains. Connecting to a malicious dApp and signing an “approval” transaction can grant a contract open-ended rights to spend specific tokens. Drainer kits automate this. The in-app Security Scanner flags many known drainers, but new contracts appear faster than blocklists update.
- “Urgent security notice” campaigns. Fake breach alerts pressure users into “securing” funds by moving them to an attacker’s address or fake tool — a social-engineering pattern documented across wallet brands.
- Pre-loaded wallet bait. Recovery phrases deliberately leaked in comments or videos lead to wallets rigged so that anyone attempting to sweep the visible balance loses the gas funds they deposit.
One rule covers all five: the genuine provider never requires the recovery phrase, and a transaction signature is an instruction the network executes without appeal. Our guide to crypto scams in Australia covers reporting channels, including Scamwatch and ReportCyber.
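The token-approval drain in the list above turns on what the user signs. The following is an added example, not Trust Wallet's Security Scanner, of the pre-signing check a wallet interface can run on an ERC-20 `approve(address,uint256)` call: decode the calldata, flag an unlimited allowance, flag an allowance larger than the spend the user expects, and flag a spender on a blocklist. The selector and ABI layout are the public ERC-20 standard; the blocklist entries and transactions in the test are constructed.

```javascript
// Added example of an approval pre-signing check. Not Trust Wallet's scanner;
// the risk thresholds and blocklist handling are assumptions for illustration.

// First four bytes of keccak256("approve(address,uint256)"), per the ERC-20 ABI.
const APPROVE_SELECTOR = '095ea7b3';
const MAX_UINT256 = (1n << 256n) - 1n;

// Build approve() calldata (used here to construct sample transactions).
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, '').padStart(64, '0');
  const amt = amount.toString(16).padStart(64, '0');
  return '0x' + APPROVE_SELECTOR + addr + amt;
}

// Parse approve() calldata; returns null for anything else.
function decodeApprove(calldata) {
  const hex = calldata.replace(/^0x/, '');
  if (hex.length !== 8 + 64 + 64) return null;
  if (hex.slice(0, 8).toLowerCase() !== APPROVE_SELECTOR) return null;
  const spender = '0x' + hex.slice(8 + 24, 8 + 64); // address is right-aligned in a 32-byte word
  const amount = BigInt('0x' + hex.slice(72, 136));
  return { spender, amount };
}

// Rate an approval before it is signed.
// opts.expectedAmount: the spend the user actually intends (BigInt)
// opts.blocklist: Set of lowercase addresses known to be drainer contracts
function assessApproval(tx, opts) {
  const decoded = decodeApprove(tx.data);
  if (!decoded) return { risk: 'n/a', reasons: ['not an approve() call'] };
  const reasons = [];
  if (opts.blocklist.has(decoded.spender.toLowerCase())) reasons.push('spender on blocklist');
  if (decoded.amount === MAX_UINT256) reasons.push('unlimited allowance');
  else if (decoded.amount > opts.expectedAmount) reasons.push('allowance exceeds expected spend');
  let risk = 'low';
  if (reasons.includes('spender on blocklist') || reasons.includes('unlimited allowance')) risk = 'high';
  else if (reasons.length > 0) risk = 'medium';
  return { risk, reasons, spender: decoded.spender, amount: decoded.amount };
}

module.exports = { encodeApprove, decodeApprove, assessApproval, MAX_UINT256 };
```

The blocklist branch illustrates the limitation the page states: a spender the list has never seen rates only on the allowance it requests, so a freshly deployed drainer asking for an exact amount passes as "low" until the list catches up.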
What a hot wallet cannot protect against
| Threat | Trust Wallet (hot wallet) | Hardware wallet |
|---|---|---|
| Phone or browser malware reading keys | Keys encrypted but present on an online device | Keys never leave the offline device |
| Phishing site capturing a recovery phrase | User can type the phrase into any site | Same risk — the phrase is the universal weakness |
| Malicious transaction signed in-app | Scanner warns; signing still possible on-device | Transaction details verified on a separate physical screen |
| Compromised app update or extension | Demonstrated in December 2025 | Firmware signed by vendor; a compromised interface still cannot extract keys |
| Physical theft of an unlocked device | Passcode and biometrics are the remaining barrier | PIN-protected secure element, wipes after failed attempts |
| Loss of the recovery phrase | Funds unrecoverable | Funds unrecoverable |
The comparison shows a structural difference, not a verdict: a hardware device removes the online attack surface around stored keys, at the cost of price and convenience, while no device protects a recovery phrase that is shared. Specifications and Australian pricing for the main devices are in our hardware wallet comparison.
No safety net: the recourse position in Australia
Self-custody means the protections that apply elsewhere in finance do not apply here. The Financial Claims Scheme covers deposits at authorised deposit-taking institutions up to $250,000 per account holder; ASIC’s Moneysmart confirms crypto assets carry no equivalent protection. The Digital Assets Framework Act 2026 (Royal Assent 8 April 2026, commencing 9 April 2027) will require platforms that hold client assets to obtain an AFSL — but self-custody wallet software is not a platform holding client assets, so those obligations and the associated AFCA access do not attach to funds held in Trust Wallet. The broader regulatory position is covered in our guide to whether crypto is legal in Australia.
In practice: a drained or lost self-custody wallet has no chargeback, no ombudsman and no compensation scheme. Trust Wallet’s two voluntary reimbursements followed faults in its own software; losses caused by phishing or signed approvals fall on the user under the terms of service.
How layered custody works in practice
The widely documented approach among experienced holders separates balances by function rather than relying on a single wallet. A hot wallet such as Trust Wallet holds a small working balance for transactions and dApp use, capping the amount exposed to device-level compromise. Larger, long-term holdings sit on a hardware wallet whose keys never touch an internet-connected device — or, for traders, on an AUSTRAC-registered exchange, which carries its own distinct counterparty risks. The recovery phrase for each wallet is written on paper or steel, stored offline, and never photographed or typed into a website.
That is the verifiable picture as at June 2026: audited architecture, two browser-extension incidents with voluntary reimbursement, a scam landscape that targets users rather than code, and no recourse when self-custody fails. Whether that risk profile suits a given holder is a judgement each reader makes with the documented facts.
Frequently asked questions
Has Trust Wallet ever been hacked?
Trust Wallet has two well-documented security incidents, both involving its browser extension rather than the mobile app. A 2022 address-generation vulnerability, disclosed in April 2023, led to roughly US$170,000 in user losses, which Trust Wallet reimbursed. In December 2025, a compromised extension version (v2.68) drained about 2,520 addresses of roughly US$8.5 million; Trust Wallet announced a voluntary reimbursement programme. The mobile app was not affected in either incident.
Does Trust Wallet ever ask for your secret recovery phrase?
No. Trust Wallet states it will never ask for a secret recovery phrase by email, text message, social media or through the app. Any message, website, pop-up or support agent requesting the 12-word phrase is fraudulent, because the phrase gives complete and irreversible control of the wallet. This is the single most common mechanism behind reported Trust Wallet scams.
Is Trust Wallet owned by Binance?
Not any longer. Binance acquired Trust Wallet in July 2018 as its first acquisition. Binance subsequently sold its shareholding, and in 2025 a Binance spokesperson confirmed Trust Wallet is a separate legal entity that is not part of the Binance group and operates independently. Trust Wallet remains non-custodial, so neither company ever held users' private keys.
Is money in Trust Wallet protected by the Australian government?
No. The Financial Claims Scheme covers deposits at authorised banks up to $250,000, but it does not apply to crypto assets. Self-custody wallet software also sits outside the licensing regime created by the Digital Assets Framework Act 2026, which covers platforms holding client assets. If funds in a self-custody wallet are stolen or the recovery phrase is lost, there is no statutory compensation scheme.
What happens if I lose my Trust Wallet recovery phrase?
The funds become permanently inaccessible if the device is also lost or the app is deleted. Trust Wallet does not store a copy of the phrase or private keys, cannot reset it, and its terms of service expressly disclaim liability for lost backup information. The recovery phrase is the only way to restore a self-custody wallet on a new device.
How is Trust Wallet different from a hardware wallet?
Trust Wallet stores private keys on an internet-connected phone or browser, so keys share an environment with apps, websites and malware. A hardware wallet keeps keys in a separate offline device and requires physical confirmation of every transaction. The trade-off is convenience versus isolation: hot wallets suit frequent, small transactions; hardware wallets remove the online attack surface for stored keys.
Sources & further reading
- Trust Wallet — A complete overview of Trust Wallet security
- Trust Wallet — Browser Extension v2.68 incident: community update
- Ledger Donjon — Trust Wallet browser extension vulnerability disclosure
- Trust Wallet — How to avoid fake Trust Wallet apps
- Trust Wallet — Terms of Service
- National Anti-Scam Centre — Targeting Scams Report 2025
- ASIC Moneysmart — Cryptocurrencies
- trustwallet/wallet-core — open-source repository