Crypto news

24.06.2026
12:08

Buying BTC via Trust Wallet and MoonPay: coins vanished without a trace — incident analysis

A Reddit user under the name Smart-Rip5467 encountered a troubling situation that once again raises questions about the security of non-custodial solutions. After purchasing Bitcoin through the built-in MoonPay service in the Trust Wallet app, the coins did not arrive in his wallet but were sent to a completely unknown address. The amount is not critical — 0.00387670 BTC — but the precedent itself causes serious concern.

According to blockchain data, the transaction was recorded on June 19, 2026. By June 21, the entire amount had been moved to a second address. Notably, the blockchain explorer marked this operation as a "possible transfer to self." However, as I have repeatedly noted in my analysis, such labels are merely algorithmic assumptions, not proof. They can equally correctly represent either a legitimate movement of funds between one's own wallets or the activity of a compromised wallet or an attacker.

What is the real problem?

The main question troubling the user is: who actually owns these addresses? He claims he did not manually enter the recipient address. This is a critical point. In non-custodial wallets like Trust Wallet, the responsibility for controlling addresses lies entirely with the user. If the funds went "astray," two main scenarios are possible:

  • Compromise of the seed phrase or private key, giving an attacker access to manage the wallet.
  • A glitch or address substitution on the MoonPay integration side, which is unlikely but technically possible.

The Reddit community, particularly user Critical-Ad6184, suggested a clear verification process: restore the wallet from the backup phrase in an isolated, secure environment and check if the "lost" amount appears there. If not, the funds are beyond your control. Also, request confirmation of the payout address from MoonPay or Trust Wallet using the order number. And most importantly: never share your seed phrase, private key, or extended public key (xpub) with anyone, especially in blockchain explorers or support chats.

Conclusions and recommendations

This incident is not just an isolated case but a powerful reminder of the fundamental security principles in DeFi. Even the most popular wallets do not protect you from input errors or key compromise. My professional advice: always double-check the recipient address before confirming a transaction, use hardware wallets for large amounts, and store your seed phrase offline in a secure location. Blockchain technology does not forgive carelessness.