Trust Wallet Chrome Extension Compromised, $7 Million Drained from Users
Attackers pushed malicious update v2.68 to Chrome Web Store using leaked API key. Hundreds affected as seed phrases harvested via embedded analytics library.
Trust Wallet users woke up on Christmas Eve to find their crypto wallets emptied. By the time the Binance-owned wallet provider identified and pulled the malicious browser extension update, attackers had siphoned approximately $7 million across Bitcoin, Ethereum, and other cryptocurrencies from hundreds of victims.
The attack targeted version 2.68 of Trust Wallet's Chrome browser extension, published on December 24, 2025. Attackers used a leaked Chrome Web Store API key to bypass internal release protocols and push the poisoned update directly to users.
How the Attack Worked
The malicious update embedded credential-harvesting code into the extension's bundled copy of PostHog, an open-source analytics library that was already shipped with the extension, so the added code looked like ordinary telemetry. When users entered or imported their seed phrases, the tampered library transmitted them to attacker-controlled infrastructure at api.metrics-trustwallet.com, a domain chosen to resemble legitimate Trust Wallet metrics traffic.
Domain registration records show the attackers set up their exfiltration infrastructure on December 8, 2025—over two weeks before the malicious extension went live. The first requests to the command server began on December 21, suggesting a testing phase before the full attack launched on Christmas Eve.
The stolen assets break down to roughly $3 million in Bitcoin and over $3 million in Ethereum, with smaller amounts in Solana and other tokens. Blockchain investigator ZachXBT traced approximately $4 million of the stolen funds to centralized exchanges including ChangeNOW, FixedFloat, and KuCoin, with around $2.8 million still sitting in the attacker's wallets.
Who's Behind It
Trust Wallet hasn't definitively attributed the attack, but the company indicated a "possibility" of nation-state involvement. Binance co-founder Changpeng Zhao offered a different theory, suggesting the exploit was "most likely" carried out by an insider—though he provided no supporting evidence.
The sophistication of the attack—particularly the weeks of preparation and the targeting of a legitimate analytics library—suggests a well-resourced threat actor rather than an opportunistic criminal. Supply chain attacks against cryptocurrency infrastructure have become increasingly common, with state-sponsored groups from North Korea accounting for billions in stolen crypto this year alone.
What Users Should Do
Trust Wallet released version 2.69 to address the compromise. But upgrading isn't enough for everyone.
The critical question: did you enter or import a seed phrase while running version 2.68? If yes, that seed phrase, and every account derived from it, should be considered compromised. Users in this situation need to:
- Create a completely new wallet with a fresh seed phrase
- Transfer all assets from the compromised wallet to the new one
- Abandon the old seed phrase entirely—it cannot be made safe again
Users who never entered seed phrases during the v2.68 window can simply upgrade to v2.69 and continue normally.
Mobile-only Trust Wallet users and those running other browser extension versions were not affected by this attack.
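The two practical questions above, which version of the extension is (or was) installed and whether its files reference the exfiltration domain named earlier, can be answered from the unpacked extension directory on disk. The following Python script is an added example written for this article; it is not code from Trust Wallet, Binance or PostHog. The only indicators it takes from the write-up are version 2.68 and the domain api.metrics-trustwallet.com. The extension name substring it matches on and the sample extension tree it scans when run without arguments are constructed assumptions for illustration, not the real payload.

```python
"""Triage check for unpacked Chrome extensions: report each extension's
resolved name and version, flag the version named in the write-up, and
look for references to the exfiltration domain it identifies.

Added example for this article; not code from Trust Wallet, Binance or
PostHog. Indicators taken from the write-up: version 2.68 and the domain
api.metrics-trustwallet.com. Everything else (the name substring, the
sample extension tree) is constructed here for illustration.
"""
import json
import re
import sys
import tempfile
from pathlib import Path

AFFECTED_NAME = "Trust Wallet"                 # assumption: substring of the manifest "name"
AFFECTED_VERSIONS = {"2.68"}                   # from the write-up
IOC_DOMAINS = {"api.metrics-trustwallet.com"}  # from the write-up
SCAN_SUFFIXES = {".js", ".json", ".html", ".css"}


def resolve_name(ext_dir: Path, manifest: dict) -> str:
    """Chrome manifests often use "__MSG_key__" placeholders; resolve them
    from _locales/<default_locale>/messages.json so name matching works."""
    name = manifest.get("name", "")
    m = re.fullmatch(r"__MSG_(\w+)__", name)
    if not m:
        return name
    locale = manifest.get("default_locale", "en")
    try:
        msg_path = ext_dir / "_locales" / locale / "messages.json"
        messages = json.loads(msg_path.read_text(encoding="utf-8"))
        return messages[m.group(1)]["message"]
    except (OSError, KeyError, ValueError, TypeError):
        return name


def scan_extension_dir(ext_dir: Path) -> dict:
    """Scan one unpacked extension (the directory holding manifest.json).
    A plain substring match: an obfuscated or encoded domain will not hit."""
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    name = resolve_name(ext_dir, manifest)
    version = manifest.get("version", "")
    hits = []
    for path in sorted(ext_dir.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        for lineno, line in enumerate(text.splitlines(), 1):
            for domain in IOC_DOMAINS:
                if domain in line:
                    hits.append((path.relative_to(ext_dir).as_posix(), lineno, domain))
    return {
        "name": name,
        "version": version,
        "affected_version": AFFECTED_NAME.lower() in name.lower() and version in AFFECTED_VERSIONS,
        "ioc_hits": hits,
    }


def scan_all(root: Path) -> list:
    """Walk a Chrome Extensions/ directory (<id>/<version>_<n>/manifest.json)."""
    return sorted((scan_extension_dir(m.parent) for m in root.rglob("manifest.json")),
                  key=lambda r: (r["name"], r["version"]))


def build_sample_tree(root: Path) -> None:
    """Constructed fixture: one benign extension, one matching the indicators.
    The file contents are stand-ins, not the real payload."""
    good = root / "aaaa" / "1.0.0_0"
    good.mkdir(parents=True)
    (good / "manifest.json").write_text(json.dumps(
        {"manifest_version": 3, "name": "Harmless Notes", "version": "1.0.0"}))
    (good / "bg.js").write_text("fetch('https://notes.example/sync');\n")

    bad = root / "bbbb" / "2.68_0"
    (bad / "_locales" / "en").mkdir(parents=True)
    (bad / "manifest.json").write_text(json.dumps(
        {"manifest_version": 3, "name": "__MSG_appName__", "default_locale": "en",
         "version": "2.68", "host_permissions": ["https://api.metrics-trustwallet.com/*"]}))
    (bad / "_locales" / "en" / "messages.json").write_text(json.dumps(
        {"appName": {"message": "Trust Wallet"}}))
    (bad / "vendor.js").write_text(
        "// constructed stand-in for a tampered analytics bundle\n"
        "const endpoint = 'https://api.metrics-trustwallet.com/collect';\n")


def demo() -> list:
    """Build the fixture in a temp dir and scan it (used when no path is given)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_all(root)


def main() -> None:
    # Real profiles: ~/.config/google-chrome/Default/Extensions (Linux),
    # ~/Library/Application Support/Google/Chrome/Default/Extensions (macOS),
    # %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions (Windows).
    results = scan_all(Path(sys.argv[1])) if len(sys.argv) > 1 else demo()
    for r in results:
        flag = "AFFECTED VERSION" if r["affected_version"] else "ok"
        print(f"{r['name']!r} {r['version']}: {flag}, {len(r['ioc_hits'])} IOC hit(s)")
        for rel, lineno, domain in r["ioc_hits"]:
            print(f"    {rel}:{lineno} references {domain}")


if __name__ == "__main__":
    main()
```

Run it with the path to a profile's Extensions directory to scan real installs, or with no arguments to scan the constructed fixture. Two caveats matter for triage: Chrome auto-updates and deletes superseded version folders, so not finding a 2.68 directory today does not prove 2.68 never ran on the machine (browser history and the extension's update timestamps are better evidence for that), and the domain check is a literal substring match, so it will miss an indicator that has been split, encoded or obfuscated.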
The Compensation Question
Changpeng Zhao stated that stolen funds will be reimbursed, though Trust Wallet hasn't published specific details about the compensation process or timeline. Given the complexity of verifying individual losses on the blockchain, affected users should document their losses thoroughly.
Trust Wallet has also warned of follow-on scams exploiting the breach. The company reported seeing fake "compensation" forms circulating on Telegram, along with impersonated support accounts attempting to harvest credentials from confused users. Any outreach claiming to offer refunds should be treated with extreme suspicion.
Why This Matters
Browser extension supply chain attacks hit a particularly vulnerable intersection of security and usability. Users reasonably expect that updates from official extension stores have been vetted. But store review checks the submitted package against policy; it does not verify that the person submitting it is the developer. Whoever holds the publisher's API credentials is, as far as the store is concerned, the publisher, so a valid key turns the review process into a formality.
The Trust Wallet incident demonstrates how a single leaked API key can cascade into millions in losses. Publishing credentials for an extension store deserve the same handling as code-signing keys: short-lived, scoped to the release pipeline, and never kept on developer workstations. The attack also highlights the tension between cryptocurrency's "be your own bank" ethos and the reality that most users interact with their assets through third-party software that introduces counterparty risk.
For organizations holding significant crypto assets, this is another data point in favor of hardware wallets and multi-signature arrangements that don't rely on browser extension security.