Trust Wallet Browser Extension Compromised: $8.5 Million Drained in Christmas Eve Supply Chain Attack

A devastating supply chain attack struck one of the cryptocurrency industry’s most widely used wallets on Christmas Eve 2025, as an unauthorized and malicious version of the Trust Wallet Browser Extension was published to the Chrome Web Store. The incident, which came to light on December 24, 2025, resulted in approximately $8.5 million in digital assets being siphoned from user wallets, sending shockwaves through the crypto community during what should have been a quiet holiday period.

The Exploit Mechanics

According to Trust Wallet’s own investigation, the attacker exploited a leaked Chrome Web Store API key to submit a malicious version of the browser extension — version 2.68 — entirely outside the company’s standard release process. The malicious update was published on December 24, 2025, at 12:32 UTC and successfully passed Google’s Chrome Web Store review, raising serious questions about the adequacy of automated extension vetting.

Once installed, the compromised extension contained code that allowed the attacker to access sensitive wallet data and execute unauthorized transactions. Users who opened the extension and logged in during the affected period — December 24 through December 26, 2025, before 11:00 UTC — had their seed phrases intercepted, giving the attacker full access to their funds across multiple blockchains.

On-chain analysis by cryptocurrency investigator ZachXBT traced the stolen funds across Ethereum, Bitcoin, and Solana networks. A single EVM wallet accumulated over 255 ETH, worth approximately $750,000 at the time, while the Bitcoin network saw more than 12 BTC drained through 66 individual transactions, totaling over $1 million in losses.

Affected Systems

The scope of the breach was significant: Trust Wallet identified 2,520 wallet addresses that were drained by the attackers, with assets traced to 17 primary wallet addresses controlled by the threat actor. The attack affected only Browser Extension version 2.68 users who opened and logged in during the affected window. Importantly, Trust Wallet mobile app users were not impacted, nor were users on other browser extension versions.

The attack vector — a supply chain compromise via a leaked API key — highlights a growing trend in cryptocurrency theft. Rather than targeting blockchain protocols directly, attackers increasingly focus on the software distribution layer, exploiting the trust users place in official update channels. With Bitcoin trading around $87,600 and Ethereum near $2,945 at the time of the attack, the stakes for wallet security have never been higher.

The Mitigation Strategy

Trust Wallet responded by reporting the malicious domain to its registrar and pushing a clean version 2.69 update to the Chrome Web Store. CEO Eowyn Chen publicly confirmed the incident and outlined the company’s response. Binance founder Changpeng Zhao stated that Trust Wallet would fully reimburse affected users through its Secure Asset Fund for Users (SAFU), providing some measure of relief to victims.

Users who may have been affected were urged to immediately transfer funds from any at-risk wallets to newly created wallets and submit reimbursement claims through Trust Wallet’s official support portal. The company emphasized that it would never ask for private keys, seed phrases, or passwords in the reimbursement process.

Lessons Learned

This incident serves as a stark reminder that supply chain attacks represent one of the most dangerous threats in the cryptocurrency ecosystem. Even sophisticated users who practice good key management can be compromised when the software they trust is tampered with at the distribution level. The fact that the malicious extension passed Google’s automated review process demonstrates that platform-level safeguards alone are insufficient.

The extended communication gap — users reported losses on December 24, but Trust Wallet did not publicly acknowledge the vulnerability until December 26 — also underscores the need for faster incident response protocols. In the cryptocurrency space, where assets can be moved irreversibly within minutes, every hour of delayed disclosure can mean millions in additional losses.

User Action Required

All Trust Wallet Browser Extension users should verify they are running version 2.69 or later. Anyone who used version 2.68 between December 24 and December 26, 2025, should immediately move funds to a new wallet and submit a reimbursement claim. The broader crypto community should treat this incident as a wake-up call to diversify wallet providers, enable additional security layers where possible, and maintain vigilance around software updates — even those delivered through official channels.
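One way to run the version check above across every Chrome profile on a machine, as an added example that is not Trust Wallet's code. The extension ID is a placeholder because the article does not give it, and the status labels are names chosen for this sketch; the `<profile>/Extensions/<id>/<version>_<n>/manifest.json` path is Chrome's usual on-disk layout.

```python
import json
from pathlib import Path

# Placeholder: the article does not give the extension's Chrome Web Store ID.
EXTENSION_ID = "EXTENSION_ID_PLACEHOLDER"
MALICIOUS = "2.68"   # unauthorized release named in the article
FIXED = "2.69"       # clean release named in the article


def parse_version(text):
    """Chrome versions are 1-4 dot-separated integers; pad so 2.68 == 2.68.0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"not a Chrome version: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def classify(version_text):
    """Map a manifest version to the article's guidance."""
    try:
        version = parse_version(version_text)
    except (ValueError, AttributeError):
        return "UNREADABLE"          # investigate by hand, do not assume clean
    if version == parse_version(MALICIOUS):
        return "COMPROMISED"         # move funds, file a reimbursement claim
    if version >= parse_version(FIXED):
        return "OK"
    return "UPDATE"                  # not the malicious build, but below 2.69


def scan_user_data_dir(user_data_dir, extension_id=EXTENSION_ID):
    """Return (profile, version, status) for each unpacked copy of the extension."""
    findings = []
    pattern = f"*/Extensions/{extension_id}/*/manifest.json"
    for manifest in sorted(Path(user_data_dir).glob(pattern)):
        profile = manifest.parents[3].name   # e.g. "Default", "Profile 1"
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
            version = data.get("version")
        except (OSError, ValueError, AttributeError):
            version = None                   # unreadable or malformed manifest
        findings.append((profile, version, classify(version)))
    return findings
```

A clean scan only describes what is on disk now: Chrome typically deletes old version directories after an auto-update, so a profile that ran 2.68 during the affected window can report `OK` and still needs its funds moved.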
