A hacker group from China posing as a cybersecurity firm has allegedly stolen 7 million dollars via wallet supply‑chain attacks, targeting Trust Wallet and other clients before an internal dispute triggered a whistleblower leak.
Summary
- Operating under Wuhan Anshun Technology, the group presented itself as a security outfit while allegedly using Electron apps, browser plugins, and remote‑control tools to exfiltrate mnemonics and drain wallets across Ethereum, BNB Chain, Arbitrum and more.
- A disgruntled member claims the crew stole about 7 million dollars across 37 token types, then leaked internal details after a fight over profit splits and unpaid “severance,” saying they now plan to turn themselves in.
- Even as authorities stay quiet, the episode echoes recent supply‑chain and extension incidents involving Trust Wallet and others, underscoring that every update, plugin, and wrapper around self‑custody wallets is part of the real attack surface.
A Chinese hacker group posing as a cybersecurity firm has been exposed after an internal dispute led members to leak details of a multimillion‑dollar crypto theft operation. According to market reports, the group claims to have stolen around 7 million dollars in digital assets through supply chain attacks, with targets including popular wallet provider Trust Wallet.
Operating under the corporate front Wuhan Anshun Technology, the group presented itself publicly as a security company focused on vulnerability research, network offense-and-defense exercises, and security services. Internally, however, members were allegedly conducting “gray market” activity, systematically stealing mnemonic phrases and raiding user wallets across multiple chains. The whistleblower says the team built automated tooling to bulk-scan mnemonic phrase assets and to identify high‑value portfolios across Ethereum, BNB Chain, Arbitrum and other networks.
Per the leaked account, the group exploited supply chain vulnerabilities in Electron-based clients and browser plugins, combined with reverse engineering and remote-control programs, to exfiltrate wallet data and drain funds. The operation allegedly touched 37 different token types across several blockchains, with funds laundered via splitting and transfers to obscure the trail. The immediate trigger for the exposure was an internal fight over profit distribution and unpaid “severance” to one of the operators.
The whistleblower claims they clashed with the team leader over what they saw as unfair profit splits, then decided to publicly dump evidence after promised compensation was not delivered, stating they intend to turn themselves in to law enforcement. So far, the allegations have not been officially confirmed, and authorities have not publicly detailed any investigation progress. Industry commentators note that, confirmed or not, the episode again underscores the structural attack surface in wallet supply chains, plugin ecosystems, and desktop clients—especially for high‑value users who treat self‑custody software as “set and forget.”
For retail and institutional users, the lesson is blunt: security risk is not just in private key handling, but in every update, extension, and client wrapper sitting between you and your keys. In a market where attackers are willing to build fake “security companies” as covers, rigorous supply‑chain auditing, minimal plugin use, and strict device‑level hygiene are no longer best practices—they are baseline survival requirements.
