Trust Wallet Chrome Extension Breach Exposes $7 Million in User Funds Through Malicious Update

A sophisticated supply-chain attack on the Trust Wallet Chrome browser extension has resulted in the theft of approximately $7 million in cryptocurrency, sending shockwaves through the non-custodial wallet community and raising urgent questions about browser extension security in the broader crypto ecosystem.

TL;DR

  • Trust Wallet Chrome extension version 2.68 contained malicious code that drained approximately $7 million from user wallets
  • The attacker used a leaked Chrome Web Store API key to publish the trojanized update, bypassing internal release checks
  • Malicious code harvested mnemonic phrases via a hijacked PostHog analytics library and sent them to an attacker-controlled server
  • Approximately 2,596 wallet addresses were affected, with stolen funds laundered through centralized exchanges
  • Trust Wallet has committed to refunding all affected users and has suspended the malicious domain

How the Attack Unfolded

The breach came to light in late December 2025 when blockchain security firms SlowMist and PeckShield began tracing suspicious outflows from Trust Wallet Chrome extension users. According to SlowMist’s analysis, version 2.68 of the extension introduced malicious code designed to iterate through all wallets stored in the extension and trigger a mnemonic phrase request for each one.

Once a user unlocked their wallet by entering their password, the encrypted mnemonic was decrypted and then transmitted to an attacker-controlled server at api.metrics-trustwallet[.]com. The domain was registered on December 8, 2025, with the first data exfiltration requests commencing on December 21, 2025.

The attacker leveraged posthog-js, a legitimate open-source full-chain analytics library, as the data exfiltration channel. By redirecting the analytics traffic to their own server, the malicious code operated under the guise of normal telemetry, making detection significantly more difficult for both users and automated security scanning tools.
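As an added example (not Trust Wallet's code and not from the SlowMist write-up): a pre-release audit in JavaScript that pulls every posthog-js `api_host` out of an extension bundle and flags hosts outside the vendor's allowlist, the redirection that let v2.68 pass exfiltration off as telemetry. The allowlisted PostHog hosts, the brand keyword, and the sample bundle are assumptions constructed for the example.

```javascript
// Added example (not Trust Wallet's code): static audit of an extension bundle
// for posthog-js `api_host` values that point away from the expected provider.

// Assumption: the vendor's legitimate PostHog ingestion hosts.
const ALLOWED_ANALYTICS_HOSTS = new Set(["app.posthog.com", "eu.posthog.com"]);

// Return the hostnames passed as `api_host` to posthog.init(...), in source order.
function extractAnalyticsHosts(bundleSource) {
  const hosts = [];
  // Matches api_host:"https://host", api_host: 'http://host/path', etc.
  const re = /\bapi_host\s*:\s*["'`]https?:\/\/([^"'`\/\s:]+)/g;
  for (const m of bundleSource.matchAll(re)) hosts.push(m[1].toLowerCase());
  return hosts;
}

// Classify each host: allowed, a brand lookalike (carries the wallet's brand
// name but is not allowlisted, as api.metrics-trustwallet.com did), or unknown.
function auditAnalyticsHosts(bundleSource, brand, allowlist = ALLOWED_ANALYTICS_HOSTS) {
  return extractAnalyticsHosts(bundleSource).map((host) => {
    const allowed = allowlist.has(host);
    const lookalike = !allowed && host.includes(brand.toLowerCase());
    return { host, verdict: allowed ? "allowed" : lookalike ? "brand-lookalike" : "unknown" };
  });
}

// Constructed sample bundle: one legitimate init and one redirected init that
// uses the domain named in the SlowMist analysis.
const SAMPLE_BUNDLE = [
  'posthog.init("phc_constructed",{api_host:"https://app.posthog.com",autocapture:false});',
  "posthog.init('phc_constructed',{api_host:'https://api.metrics-trustwallet.com/i',disable_session_recording:true});",
].join("\n");

// Entry point for a release gate: everything that is not on the allowlist.
function findSuspiciousHosts(bundleSource = SAMPLE_BUNDLE, brand = "trustwallet") {
  return auditAnalyticsHosts(bundleSource, brand).filter((r) => r.verdict !== "allowed");
}

console.log(findSuspiciousHosts());
```

Run it against the unpacked bundle of a build before it is submitted to the store; a non-empty result should block the release.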

Inside the Supply Chain Compromise

Trust Wallet CEO Eowyn Chen confirmed that the malicious extension v2.68 was not released through the company’s internal manual process. Instead, the attacker used a leaked Chrome Web Store API key to submit the malicious version directly, which then passed Google’s Chrome Web Store review and was published on December 24, 2025, at 12:32 p.m. UTC.

This detail is particularly alarming because it indicates the attacker had access to internal deployment credentials, not just the ability to compromise a third-party dependency. SlowMist confirmed that the malicious code was a direct modification of Trust Wallet’s own source code within the analytics logic, rather than an injected npm package or compromised third-party library.

Binance co-founder Changpeng Zhao (CZ) hinted that the exploit was “most likely” carried out by an insider, though no further evidence was provided. The possibility of nation-state involvement has also been raised, given the sophistication of the attack vector and the access required to obtain deployment permissions.

Scale of the Damage

Blockchain investigator ZachXBT reported that the incident claimed hundreds of victims. The digital assets drained include approximately $3 million in Bitcoin, $3 million in Ethereum, and $431 in Solana-based tokens. At the time of the breach, Bitcoin was trading around $88,490 and Ethereum near $3,006.

PeckShield traced the stolen funds through centralized exchanges and cross-chain bridges used for laundering. Approximately $3.3 million was sent to ChangeNOW, $340,000 to FixedFloat, and $447,000 to KuCoin. Around $2.8 million of the stolen funds initially remained in the attacker’s wallets across Bitcoin, EVM, and Solana networks before being dispersed.

Trust Wallet has since confirmed that 2,596 wallet addresses were affected. The company received approximately 5,000 claims for reimbursement, indicating a significant number of false or duplicate submissions from opportunists attempting to access victims’ reimbursements.

Response and Remediation

Trust Wallet responded by urging all Chrome extension users to update to version 2.69 immediately. The company emphasized that mobile-only users and all other browser extension versions were not affected by the breach.

Following the discovery, the company suspended the malicious domain, expired all release API keys, and began processing reimbursements for affected victims. Users were asked to submit claims through the official support desk, providing wallet addresses, transaction hashes, and other verification details.

The company also warned of secondary scams exploiting the situation, including fake Telegram compensation forms, impersonated support accounts, and phishing direct messages targeting already-victimized users.

Why This Matters

The Trust Wallet breach represents a new paradigm in crypto wallet attacks: rather than exploiting smart contract vulnerabilities or tricking users into signing malicious transactions, the attacker compromised the wallet software itself at the distribution level. By weaponizing a leaked API key to push a trojanized extension update through the official Chrome Web Store, the attacker bypassed both Trust Wallet’s internal security controls and Google’s review process.

This incident underscores a critical vulnerability in the browser extension ecosystem that many crypto users rely on daily. With approximately one million users of the Trust Wallet Chrome extension, the potential impact could have been far worse had the malicious code not been detected relatively quickly. The attack also highlights the growing sophistication of threat actors in the cryptocurrency space, who are increasingly targeting infrastructure and supply chains rather than individual users.

For everyday crypto users, this breach reinforces the importance of hardware wallets for storing significant holdings, verifying extension updates before interacting with them, and maintaining vigilance against secondary scams that inevitably follow major security incidents. As the crypto industry continues to mature, the security of wallet distribution channels must receive the same level of scrutiny as smart contract code.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always verify information through official channels and conduct your own research before making decisions about your cryptocurrency holdings.

16 thoughts on “Trust Wallet Chrome Extension Breach Exposes $7 Million in User Funds Through Malicious Update”

    1. hijacking PostHog analytics to exfiltrate seed phrases is next level. the telemetry channel is the last place most security teams look

      1. posthog_nightmare

        ext_audit_ PostHog was trusted analytics infrastructure used by thousands of apps. weaponizing it to harvest mnemonics is genuinely terrifying

        1. posthog_refugee_

          posthog_nightmare every analytics SDK is a potential attack vector now. PostHog, Sentry, Mixpanel. if your wallet extension phones home to ANY third party you have a supply chain risk

          1. posthog_refugee_ every analytics SDK is a risk. wallets should ship with zero third party dependencies. if you need telemetry pipe it through your own backend

      2. telemetry channels being the attack vector should make every wallet dev reconsider their analytics stack. PostHog was trusted infrastructure and it got weaponized

  1. 2,596 addresses from a leaked Chrome Web Store API key. Google still has no 2FA requirement for publishing extensions to the store. unreal

    1. Bilal H. Chrome Web Store security is a joke. one API key and you can push malware to 100k users. google needs mandatory 2FA for devs yesterday

  2. 2596 addresses affected across ETH BTC and SOL. Trust committing to full refunds is good but the reputational damage is done

    1. 2596 addresses is way more than initial estimates. the refund promise is fine but how do you even make users whole when their seed phrases are compromised? you can't just issue new wallets

      1. chrome_ext_skeptic

        shiro_404 2596 addresses and they promised full refunds. but how do you undo a compromised seed phrase? you issue new wallets and hope

      2. shiro_404 exactly. once a mnemonic is exfiltrated the funds are gone before you even notice. Trust refunding $7M is nice but the addresses are permanently burned
