Trust Wallet Chrome Extension Breach Exposes $7 Million in User Funds Through Supply Chain Attack

The cryptocurrency security landscape suffered a significant jolt in December 2025 when Trust Wallet, one of the most widely used non-custodial wallet platforms with approximately one million Chrome extension users, disclosed a critical supply chain compromise that resulted in the theft of roughly $7 million in digital assets. The breach, which targeted version 2.68 of the browser extension, illustrates a class of wallet threat in which the attack originates not from external phishing or user error but from within the software supply chain itself.

The Exploit Mechanics

According to a detailed analysis by blockchain security firm SlowMist, the compromised version of the Trust Wallet Chrome extension contained malicious code designed to systematically harvest wallet credentials. The mechanism was simple: the malicious code iterated through every wallet stored in the extension and triggered a mnemonic phrase request for each one. Once the user entered their password to unlock the wallet, the encrypted mnemonic was decrypted and silently transmitted to an attacker-controlled server at api.metrics-trustwallet[.]com.

What makes this attack particularly concerning is the method of data exfiltration. The attacker leveraged PostHog-js, a legitimate open-source analytics library already integrated into the extension, to channel stolen wallet data disguised as normal analytics traffic. This meant the malicious data transfers blended in with routine application telemetry, making detection significantly more difficult for both users and automated security monitoring systems.
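Because the stolen data travelled as analytics events, a defender has two things to check in captured extension traffic: where the events go and what they carry. The JavaScript (Node.js) below is an added example, not code from Trust Wallet, SlowMist or PostHog; the allowlisted host, the lookalike host, the log records and the `detail` field are constructed assumptions.

```javascript
// Egress review for a wallet extension's analytics traffic (added example).
// Allowlist, brand token and log records below are constructed assumptions.
const ALLOWED_ANALYTICS_HOSTS = new Set(["analytics.example-wallet.test"]);
const BRAND_TOKENS = ["trustwallet"];
const MNEMONIC_LENGTHS = new Set([12, 15, 18, 21, 24]); // valid BIP-39 phrase lengths

// Heuristic only: BIP-39 English words are 3 to 8 lowercase letters. A stricter
// check would also test wordlist membership and the phrase checksum.
function looksLikeMnemonic(value) {
  if (typeof value !== "string") return false;
  const words = value.trim().split(/\s+/);
  return MNEMONIC_LENGTHS.has(words.length) && words.every((w) => /^[a-z]{3,8}$/.test(w));
}

// Analytics payloads are arbitrary JSON, so walk every nested property.
function findMnemonicPaths(node, path = "$") {
  if (looksLikeMnemonic(node)) return [path];
  if (node === null || typeof node !== "object") return [];
  return Object.entries(node).flatMap(([k, v]) => findMnemonicPaths(v, `${path}.${k}`));
}

function reviewRequest(record) {
  const host = new URL(record.url).hostname.toLowerCase();
  const findings = [];
  if (!ALLOWED_ANALYTICS_HOSTS.has(host)) {
    findings.push("host-not-allowlisted");
    const flat = host.replace(/[^a-z0-9]/g, ""); // ignore dots and hyphens
    if (BRAND_TOKENS.some((t) => flat.includes(t))) findings.push("brand-lookalike-host");
  }
  let body = null;
  try { body = JSON.parse(record.body); } catch { findings.push("unparseable-body"); }
  const paths = body ? findMnemonicPaths(body) : [];
  if (paths.length) findings.push(`secret-shaped-field:${paths.join(",")}`);
  return { url: record.url, findings };
}

// Constructed sample records; the phrase is the public BIP-39 test vector.
const TEST_PHRASE = "abandon ".repeat(11) + "about";
const SAMPLE_LOG = [
  { url: "https://analytics.example-wallet.test/e/", body: JSON.stringify({ event: "wallet_opened", properties: { count: 2 } }) },
  { url: "https://api.metrics-trustwallet.example/e/", body: JSON.stringify({ event: "metric", properties: { detail: TEST_PHRASE } }) },
  { url: "https://analytics.example-wallet.test/e/", body: JSON.stringify({ event: "debug", properties: { detail: TEST_PHRASE } }) },
];

const report = SAMPLE_LOG.map(reviewRequest).filter((r) => r.findings.length > 0);
console.log(JSON.stringify(report, null, 2));
```

The third record shows why the payload check matters on its own: a phrase-shaped value is a finding even when it is sent to an allowlisted analytics host.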

The domain used for exfiltration was registered on December 8, 2025, and the first data request to the attacker’s server was logged on December 21, 2025 — giving the attacker a narrow but devastating window of operation. On-chain analysis by PeckShield revealed that stolen funds included approximately $3 million in Bitcoin, over $3 million in Ethereum, and $431 in Solana tokens.

Affected Systems

The breach was confined exclusively to version 2.68 of the Trust Wallet Chrome browser extension. Mobile application users across iOS and Android were not affected, nor were users of other browser extension versions. Trust Wallet CEO Eowyn Chen confirmed that the malicious version was not released through the company’s standard internal manual process, suggesting the compromise occurred at the distribution level.

The stolen funds were rapidly moved through centralized exchanges and cross-chain bridges in an apparent laundering operation. PeckShield tracked approximately $3.3 million flowing to ChangeNOW, $340,000 to FixedFloat, and $447,000 to KuCoin, with roughly $2.8 million remaining in the attacker’s wallets at the time of analysis. Blockchain investigator ZachXBT reported that hundreds of users were affected by the incident.

The Mitigation Strategy

Trust Wallet responded with a multi-pronged approach. The company immediately urged all Chrome extension users to update to version 2.69, which removed the malicious code. A compensation fund was established, with the company committing to refund all $7 million in affected user funds. Users were directed to submit claims through the official support desk, providing wallet addresses, transaction hashes, and drain addresses for verification.

Changpeng Zhao, co-founder of Binance (which owns Trust Wallet), publicly suggested the exploit was most likely carried out by an insider, though no formal evidence was presented. Trust Wallet itself raised the possibility of nation-state involvement, noting that attackers may have gained access to developer devices or deployment credentials prior to December 8. The company also warned of secondary scams targeting victims through fake compensation forms, Telegram ads, and impersonated support accounts.

Lessons Learned

The Trust Wallet incident underscores the growing threat of supply chain attacks in the crypto ecosystem. Unlike traditional phishing attacks that rely on user mistakes, this breach compromised the software itself before it reached the user. The attack demonstrated that even well-funded, reputable wallet providers are vulnerable to insider threats and code injection at the build and distribution level.

Key takeaways include the critical importance of code integrity verification at every stage of the software development lifecycle, from commit to deployment. Browser extension users should regularly verify the version numbers of their wallet software and update promptly when security patches are released. Hardware wallets, which store private keys offline and are immune to browser-based attacks, remain the gold standard for securing significant cryptocurrency holdings.

User Action Required

If you used Trust Wallet’s Chrome extension version 2.68 and logged in before December 26, 2025, at 11 a.m. UTC, you should immediately move all remaining funds to a fresh wallet generated on a trusted version of the software. Verify you are running version 2.69 or later before creating new wallets. If you suffered losses, submit a claim through the official Trust Wallet support portal — and be vigilant against phishing attempts posing as compensation forms. With Bitcoin trading at $88,344 and Ethereum at $2,977 on December 20, 2025, even a brief security lapse can result in devastating financial losses.

This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with qualified professionals before making security decisions.
