China Hacker Group Theft

A hacker group operating out of Wuhan, China just got exposed — and ironically, it was their own greed that did them in. A dispute over profit-sharing got so bad that a disgruntled team member leaked internal documents, chat logs, and technical manuals to the media. Chaos ensued.

The group, operating under corporate cover names like Wuhan Anshun Technology, Wuhan Anfen, and Wuhan Anxun, had been running a legitimate-looking security business while quietly stealing crypto on the side.

Their operation was sophisticated. They exploited weaknesses in Electron-based wallet clients, reverse-engineered browser plugins to extract security credentials, and installed remote control software to intercept wallet data in real time. The crown jewel of their toolkit was automated bulk-scanning software built specifically to harvest mnemonic phrases — basically the master keys to any crypto wallet. Once users accessed their wallet extensions, malicious code quietly captured their seed phrases. Gone.

Trust Wallet was their primary target. Of the 2,520 compromised wallet addresses identified, Trust Wallet took the hardest hit. The group went after 37 different token types across Ethereum, BNB Chain, and Arbitrum. SlowMist, a blockchain security firm, estimated early losses at 33 BTC plus roughly $3 million across Ethereum and Layer-2 networks. Trust Wallet’s own assessment put total impacted assets at $8.5 million. Experts warned the real number could be even higher.

Moving the money was equally calculated. Stolen funds were split into smaller chunks, shuffled through multiple transactions, and distributed across different blockchain networks. Classic laundering playbook. Seventeen attacker-controlled addresses were eventually traced, but fragmentation made full recovery painfully complicated.

The group had a clear internal structure — separate teams handling target research, tool development, and asset laundering. This wasn’t some bedroom operation. These people had manuals. Documented procedures. An HR problem, apparently, too. The whistleblower also announced plans to surrender to law enforcement authorities following the fallout. The group’s fake corporate facade allowed them to operate as a legitimate cybersecurity firm while conducting theft operations underneath.

Initial loss estimates hovered around $7 million before climbing higher. The full scope remains murky. Security experts consistently emphasize that storing seed phrases offline is one of the most effective defenses against this type of supply chain attack. What’s clear is that a well-organized criminal enterprise with a fake corporate face ran one of the more alarming crypto supply chain attacks in recent memory. Until they couldn’t split the money without fighting about it.
