Crypto wallet provider Trust Wallet ignited a firestorm on April 16, 2024, after posting a warning about an alleged zero-day iMessage exploit being sold on the dark web — a claim that cybersecurity experts quickly dismissed as likely misinformation.
The Exploit Mechanics
Trust Wallet, which is owned by cryptocurrency exchange Binance, posted on its official X (formerly Twitter) account that it had “credible intel regarding a high-risk zero-day exploit targeting iMessage on the Dark Web.” The company claimed the exploit could infiltrate iPhones without requiring the target to click any link, describing it as a zero-click remote code execution (RCE) vulnerability targeting the latest version of iOS.
The tweet, which was viewed over 3.6 million times, urged all iPhone users to disable iMessage immediately “until Apple patches this.” According to Trust Wallet CEO Eowyn Chen, the intelligence came from an advertisement on a dark web marketplace called CodeBreach Lab, where an anonymous seller was offering the alleged iMessage exploit for $2 million in Bitcoin (BTC).
The advertised exploit claimed to offer zero-click RCE capabilities — the most powerful class of mobile exploits, allowing attackers to take full remote control of a device without any user interaction. Such exploits, when genuine, are exceptionally rare and valuable. Companies that acquire and resell zero-day vulnerabilities are currently offering between $3 million and $5 million for verified zero-click iOS exploits, which underscores how difficult they are to develop.
Affected Systems
The claimed vulnerability targets Apple’s iMessage platform on iOS devices. While Trust Wallet specifically framed the threat around crypto users — given that wallet apps store private keys and digital assets on mobile devices — the theoretical scope of a zero-click iMessage RCE would extend to all iPhone users globally.
Apple spokesperson Scott Radcliffe declined to comment when reached by media outlets. Notably, no independent security researcher or cybersecurity firm corroborated the existence of the claimed exploit. Trust Wallet’s Chief Information Security Officer Eve Lam reiterated the company’s advice to users but declined to provide evidence of an actual threat when contacted by TechCrunch.
Bitcoin traded at approximately $63,800 at the time of the warning, and the broader crypto market had been experiencing heightened sensitivity around security incidents following several high-profile exchange breaches in early 2024.
The Mitigation Strategy
Cybersecurity professionals weighed in quickly, with many characterizing Trust Wallet’s warning as FUD — fear, uncertainty, and doubt. The consensus among experts was that the dark web advertisement was likely a scam, and that Trust Wallet had amplified unverified claims from an anonymous seller without proper due diligence.
For users genuinely concerned about mobile security, cybersecurity experts recommend a more measured approach than disabling iMessage entirely. Apple’s Lockdown Mode, introduced in 2022, provides enhanced protection by disabling certain device features that could be exploited. This is particularly relevant for high-risk users such as journalists, activists, and individuals managing significant crypto holdings.
Additional security measures include keeping iOS updated to the latest version, enabling two-factor authentication on all crypto-related accounts, using hardware wallets for storing large amounts of cryptocurrency, and avoiding clicking links from unknown senders across all messaging platforms.
Lessons Learned
The incident highlights the delicate balance between responsible disclosure and alarmist behavior in the crypto industry. Trust Wallet doubled down on its decision to go public, stating that it “actively communicates any potential threats and risks to the community.” However, security researchers pointed out that sharing unverified dark web advertisements as credible threats can erode trust and create unnecessary panic.
The episode serves as a reminder that not every dark web claim represents a genuine threat. The market for zero-day exploits is rife with scams, where sellers frequently exaggerate or fabricate capabilities to extract payments from unsuspecting buyers. Responsible security communication requires verifying threats through multiple independent sources before issuing public warnings — especially when those warnings come from companies managing millions of user wallets.
User Action Required
For crypto users concerned about mobile security, the recommended actions are straightforward: enable Lockdown Mode if you are a high-risk user, keep your operating system updated, use a hardware wallet for significant holdings, and exercise skepticism toward alarming social media posts — even from trusted wallet providers. Verify security claims through independent cybersecurity sources before taking drastic action such as disabling core device features.
trust wallet with 3.6M views on that tweet and it turned out to be nothing. the damage was already done tho, how many people actually saw the follow-up?
cold_boot hits the key point. 3.6M views on the FUD tweet and maybe 100K saw the retraction. the asymmetry of misinformation in crypto is brutal
a $2M exploit on CodeBreach Lab that nobody in infosec could verify. yeah that's called FUD
2M USD in BTC for an exploit nobody could verify on a marketplace nobody heard of. the whole thing screamed fabricated from day one
Tomi is right, CodeBreach Lab was never independently verified. the whole thing felt like a marketing stunt that backfired
Eowyn Chen pushing this from an official company account with zero technical verification is wild. even a single call to any iOS security researcher would have killed this
disabling iMessage because a wallet company said so, peak 2024 crypto security advice
a wallet company giving security advice about Apple's messaging platform. the confidence with zero expertise