The App Store listing that wasn't real

August 2024. A holder in San Diego searches "Trust Wallet" on the Apple App Store. The top result has the green Trust Wallet shield, 4.8 stars, 8,000 reviews. He installs it, imports his existing seed phrase, and watches his $19,000 in BNB and BSC tokens drain within four minutes.

The listing was a clone with a one-character difference in the developer name — "Trust Wallet, Inc." (the real one) vs. "Trust-Wallet Inc." (the clone). Apple removed it nine days after it appeared.

Why even the App Store gets fooled

Apple's review process catches most fraud, but lookalike wallet apps slip through periodically. They are designed to pass review (the app appears to work normally for the reviewer) and to drain only when the user imports a real seed phrase with material balance. Once installed, the app uploads the seed to the operator's server, then proceeds as a normal wallet client until the operator gets around to draining.

The four verification steps before installing a wallet app

  • Cross-check the developer name on the wallet's official site. Trust Wallet lists its App Store and Play Store links directly on trustwallet.com. Click through from the site to the store, not the other way around.
  • Check the review count and the review dates. A real wallet app has reviews going back years, with a steady drip. A clone has 8,000 reviews all dated within the last 60 days — bought in batches.
  • Check the developer's other apps. The real Trust Wallet developer has only Trust Wallet. A clone developer often has 30 random utility apps published under the same name to look like a real company.
  • Use the wallet on a fresh device first. Generate a new seed, fund it with $20, hold it for a day. If anything looks unusual, you have lost $20, not $20,000.
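As an added illustration of the first three checks (not code from the original article), the heuristics as a small Python vetting script. The official developer name, the review-date samples and the flag thresholds are constructed assumptions, not App Store data.

```python
import re
import unicodedata
from datetime import date, timedelta

# Publisher name as read off the wallet's own site (assumed value, not scraped).
OFFICIAL_DEVELOPER = "Trust Wallet, Inc."

def normalize(name):
    """Fold case, Unicode compatibility forms, punctuation and spacing so that
    'Trust-Wallet Inc.' and 'Trust Wallet, Inc.' compare equal."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return re.sub(r"[^a-z0-9]", "", folded)

def classify_developer(listed, official=OFFICIAL_DEVELOPER):
    """'exact-match' for the genuine publisher, 'lookalike' for the clone pattern
    (same letters, different punctuation), 'unrelated' otherwise."""
    if listed == official:
        return "exact-match"
    if normalize(listed) == normalize(official):
        return "lookalike"
    return "unrelated"

def review_burst_ratio(review_dates, today, window_days=60):
    """Share of reviews dated inside the trailing window. Years of steady
    reviews give a low ratio; batch-bought reviews give a ratio near 1.0."""
    if not review_dates:
        return 0.0
    cutoff = today - timedelta(days=window_days)
    return sum(1 for d in review_dates if d >= cutoff) / len(review_dates)

def vet_listing(listed_developer, review_dates, other_app_count, today):
    """Return the red flags for a listing; an empty list means the checks passed.
    Thresholds (80% burst, more than 10 sibling apps) are assumed, not from the article."""
    flags = []
    verdict = classify_developer(listed_developer)
    if verdict != "exact-match":
        flags.append(f"developer name is a {verdict}: {listed_developer!r}")
    ratio = review_burst_ratio(review_dates, today)
    if ratio > 0.8:
        flags.append(f"{ratio:.0%} of reviews fall within the last 60 days")
    if other_app_count > 10:
        flags.append(f"developer publishes {other_app_count} unrelated apps")
    return flags

if __name__ == "__main__":
    today = date(2024, 8, 15)  # constructed reference date
    clone_reviews = [today - timedelta(days=i) for i in range(0, 60, 3)]   # all recent
    real_reviews = [today - timedelta(days=30 * i) for i in range(36)]     # three years
    print(vet_listing("Trust-Wallet Inc.", clone_reviews, 30, today))
    print(vet_listing("Trust Wallet, Inc.", real_reviews, 0, today))
```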

The seed-phrase rule

Never import a high-value seed phrase into a freshly installed app on any platform without first verifying the app over multiple sources. A seed phrase, once entered into a malicious app, is permanently compromised — even after you uninstall the app.

What I do

I keep two seed phrases — one "tier 1" with serious money that never enters any software wallet and only ever signs through hardware, and one "tier 2" with under $500, used freely for testing new apps. The two never mix.