Devastating Trust Wallet Chrome Extension Exploit Leads to $7 Million Crypto Heist


Trust Wallet Chrome Extension Breach Results in $7 Million Cryptocurrency Loss via Malicious Code

December 26, 2025 – By Ravie Lakshmanan

Trust Wallet, a popular multi-chain, non-custodial cryptocurrency wallet service used by approximately one million Chrome extension users, has suffered a significant security breach resulting in the loss of an estimated $7 million in digital assets. The incident was caused by a malicious code insertion affecting version 2.68 of the Trust Wallet extension on the Google Chrome browser.

Security Incident and User Advisory

In a statement posted on its official X account (formerly Twitter), Trust Wallet confirmed that the breach impacted version 2.68 of its Chrome extension and urged all users to promptly update to version 2.69. The company assured users that it is prioritizing support for those affected and is in the process of finalizing refunds.

“We’ve confirmed that approximately $7 million has been impacted and we will ensure all affected users are refunded,” the company stated. Users are being cautioned specifically against interacting with messages or links that do not originate from official Trust Wallet channels due to the proliferation of scams in the wake of the breach.

It is important to note that the breach only affects the Chrome extension version 2.68. Mobile users and those using other browser extensions remain unaffected.

Nature of the Attack and Malware Details

Security researchers from blockchain security firm SlowMist revealed that version 2.68 of the extension contained malicious code engineered to scan all wallets stored within the extension. This code triggered requests for each wallet's mnemonic phrase, a crucial access key for cryptocurrency wallets.

“The encrypted mnemonic is then decrypted using the password or passkey entered during wallet unlock,” SlowMist explained. Once decrypted, this mnemonic phrase was sent covertly to a malicious server controlled by the attacker at the domain api.metrics-trustwallet[.]com.

Investigations found that this malicious server domain was registered on December 8, 2025, with the first data exfiltration requests commencing on December 21, 2025. Furthermore, the attacker employed an open-source analytics library called posthog-js, leveraging it as a channel to covertly harvest wallet user information under the guise of legitimate analytics traffic.
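A release-gate check that surfaces this kind of change, as an added example (not Trust Wallet's or SlowMist's code): it extracts every hostname from the built extension's JavaScript and flags any that are not on an allowlist, marking brand lookalikes. The allowlist, file names and bundle contents are constructed, the `.example` hosts stand in for real ones, and the sample assumes the analytics host is set through posthog-js's `api_host` option, which the reporting above does not confirm.

```javascript
// Added example: audit which hosts a built extension bundle can talk to.
// Allowlist, brand token and bundle contents are constructed for illustration.
const ALLOWED = ["examplewallet.example", "posthog.example"]; // assumed allowlist
const BRAND = "examplewallet"; // token used to mark lookalike hosts

// Absolute http(s)/ws(s) URLs found anywhere in the source text.
const HOST_RE = /\b(?:https?|wss?):\/\/([a-z0-9.-]+)/gi;

function isAllowed(host) {
  // Exact match or a true subdomain. A substring or bare suffix test would
  // accept "metrics-examplewallet.example" as if it were the real domain.
  return ALLOWED.some((d) => host === d || host.endsWith("." + d));
}

function auditBundle(files) {
  const findings = [];
  for (const [file, source] of Object.entries(files)) {
    for (const m of source.matchAll(HOST_RE)) {
      const host = m[1].toLowerCase().replace(/\.$/, "");
      if (isAllowed(host)) continue;
      findings.push({ file, host, lookalike: host.includes(BRAND) });
    }
  }
  return findings;
}

// Constructed bundle: one clean file, one with a re-pointed analytics host.
const SAMPLE = {
  "background.js": 'fetch("https://api.examplewallet.example/v1/prices");',
  "analytics.js":
    'posthog.init("phc_constructed", { api_host: "https://api.metrics-examplewallet.example" });',
};

console.log(auditBundle(SAMPLE));
```

Run against the unpacked release artifact rather than the source tree, so that changes introduced after review are still caught.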

Stolen Assets and Money Laundering Efforts

Blockchain investigators have traced the theft of approximately $3 million in Bitcoin, $431 in Solana, and over $3 million in Ethereum through this exploit. Subsequently, the stolen funds were funneled through several centralized exchanges and cross-chain bridges in an attempt to launder and swap the assets.

According to blockchain investigator ZachXBT, the attack has affected hundreds of victims. Cybersecurity firm PeckShield reported that while roughly $2.8 million in stolen funds remain in hacker-controlled wallets across Bitcoin, Ethereum Virtual Machine (EVM) compatible chains, and Solana, the majority—over $4 million—has been moved to centralized exchanges including ChangeNOW ($3.3 million), FixedFloat ($340,000), and KuCoin ($447,000).

Source of the Breach: Supply Chain Compromise and Possible Insider Involvement

The breach’s origin was traced to malicious modifications within the internal Trust Wallet extension codebase itself, specifically targeting the analytics logic. SlowMist clarified that the attack was not executed by bundling a compromised third-party dependency but rather by direct tampering with the application’s source code. Legitimate analytics tools were weaponized to stealthily transmit sensitive data to the attacker’s server.

Trust Wallet’s CEO, Eowyn Chen, disclosed that the compromised extension version 2.68 was not released through their normal internal manual process. Instead, it appears that an attacker gained access to a leaked Chrome Web Store API key, which allowed them to push the malicious extension directly via the Chrome Web Store API. This unauthorized version passed Google’s review process and went live on December 24, 2025, at 12:32 p.m. UTC.

Chen further stated:
“Our current findings suggest it was most likely published externally through the Chrome Web Store API key, bypassing our standard release checks.”
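A store-side monitor for the situation Chen describes, as an added example (not Trust Wallet's tooling): it compares the package the store is serving against a ledger written only by the internal release process, and flags a version that process never produced or files that differ from what it built. Versions, file names and contents are constructed, and fetching and unpacking the published package is assumed to happen elsewhere.

```javascript
const crypto = require("crypto");

// Per-file SHA-256, so the check does not depend on how the package was archived.
function fingerprint(files) {
  const out = new Map();
  for (const [path, content] of Object.entries(files)) {
    out.set(path, crypto.createHash("sha256").update(content).digest("hex"));
  }
  return out;
}

// ledger: Map(version -> fingerprint), written only by the internal release job.
// published: { version, files } unpacked from what the store currently serves.
function verifyPublished(ledger, published) {
  const expected = ledger.get(published.version);
  if (!expected) return { ok: false, reason: "version-not-in-ledger", diff: [] };
  const actual = fingerprint(published.files);
  const diff = [];
  for (const [path, hash] of actual) {
    if (!expected.has(path)) diff.push({ path, change: "added" });
    else if (expected.get(path) !== hash) diff.push({ path, change: "modified" });
  }
  for (const path of expected.keys()) {
    if (!actual.has(path)) diff.push({ path, change: "removed" });
  }
  const ok = diff.length === 0;
  return { ok, reason: ok ? "match" : "content-mismatch", diff };
}

// Constructed data: one internally built release and two store observations.
const BUILT = {
  "manifest.json": '{"version":"1.0.0"}',
  "analytics.js": "track('unlock');",
};
const LEDGER = new Map([["1.0.0", fingerprint(BUILT)]]);
const UNRELEASED = { version: "1.0.1", files: BUILT };
const TAMPERED = {
  version: "1.0.0",
  files: { ...BUILT, "analytics.js": "track('unlock', vault);" },
};

console.log(verifyPublished(LEDGER, UNRELEASED).reason);
console.log(verifyPublished(LEDGER, TAMPERED).diff);
```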

Speculation on the attackers’ identity is ongoing. Changpeng Zhao, co-founder of Binance, the parent company of Trust Wallet, hinted that the exploit might have involved an insider, although no conclusive evidence supporting this theory has been publicly released. Trust Wallet has also suggested that the possibility of a nation-state actor cannot be ruled out, given the sophistication of the attack and the potential prior compromise of developer devices or deployment permissions.

Response and Remediation Efforts

In the aftermath of the breach, Trust Wallet took immediate actions including suspending the malicious domain, expiring all related release API credentials, and initiating reimbursement procedures for victims.

Affected users have been instructed to fill out a compensation request form on the official support desk at trustwallet-support.freshdesk[.]com. The company requests details including contact information, country of residence, compromised wallet addresses, destination wallet addresses where funds were drained, and associated transaction hashes.

Trust Wallet has warned users to remain vigilant against scams exploiting this incident, including fake compensation forms distributed via Telegram and impersonated support channels. Users are strongly advised never to share their recovery phrases and to engage only with official Trust Wallet communication platforms.

Ongoing Investigation

Trust Wallet continues to investigate the breach’s full impact. CEO Eowyn Chen reaffirmed that the issue is isolated to Chrome extension version 2.68 users who accessed their wallets before December 26, 2025, 11 a.m. UTC.

The company is collaborating with security researchers and law enforcement to track the stolen funds and prevent future attacks. Trust Wallet emphasized its commitment to restoring user confidence and strengthening its security infrastructure.



Important: Always verify official announcements through trusted channels and avoid sharing sensitive information such as mnemonic phrases or private keys under any circumstances.

