Trust Wallet warns users to update Chrome extension after $7M security loss
December 26, 2025
Trust Wallet urged users to update its Chrome extension after a security incident caused about $7 million in losses.
Trust Wallet warned users to update its Google Chrome extension after a security incident that resulted in about $7 million in losses. The flaw affects version 2.68 of the multi-chain, non-custodial wallet, which has around one million users.
“We’ve confirmed that approximately $7M has been impacted and we will ensure all affected users are refunded. Supporting affected users is our top priority, and we are actively finalizing the process to refund the impacted users. We appreciate your patience and will share instructions on next steps soon.” reads a statement published by the company on X.
Trust Wallet advised users to upgrade to version 2.69 immediately to mitigate the issue.
Trust Wallet is a popular non-custodial crypto wallet that lets users store and manage digital assets across multiple blockchains via a mobile app and a Chrome extension for dApps.
Mobile users and other browser extensions are not affected.
Trust Wallet urges users to avoid messages outside its official channels.
Blockchain cybersecurity chain SlowMist said Trust Wallet Chrome extension version 2.68 contained malicious code that iterated through all stored wallets and prompted mnemonic phrase requests. The encrypted mnemonics were decrypted using the user’s password and sent to an attacker-controlled server, api.metrics-trustwallet[.]com. The domain was registered on December 8, 2025, with activity starting December 21. The attacker also used the open-source posthog-js analytics library to collect wallet user data.
SlowMist researchers suggest the attack may have been carried out by an APT group.
PeckShield researchers reported that threat actors stole over $6 million in crypto, with most funds sent to exchanges and about $2.8 million still held in attacker wallets.
BleepingComputer reported that during the security incident, attackers also launched a parallel phishing campaign exploiting user panic. Fake X accounts directed victims to fix-trustwallet[.]com, a site mimicking Trust Wallet and claiming to fix a security flaw. The site prompted users to enter wallet recovery seed phrases, enabling attackers to drain funds. WHOIS data shows the domain was recently registered with the same registrar as metrics-trustwallet[.]com, suggesting a possible link to the same threat actors.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, Trust Wallet)