Trust Wallet Chrome Extension Breach Exposes $7 Million in User Funds Through Malicious Update

A sophisticated supply-chain attack on the Trust Wallet Chrome browser extension has resulted in the theft of approximately $7 million in cryptocurrency, sending shockwaves through the non-custodial wallet community and raising urgent questions about browser extension security in the broader crypto ecosystem.

TL;DR

  • Trust Wallet Chrome extension version 2.68 contained malicious code that drained approximately $7 million from user wallets
  • The attacker used a leaked Chrome Web Store API key to publish the trojanized update, bypassing internal release checks
  • Malicious code harvested mnemonic phrases via a hijacked PostHog analytics library and sent them to an attacker-controlled server
  • Approximately 2,596 wallet addresses were affected, with stolen funds laundered through centralized exchanges
  • Trust Wallet has committed to refunding all affected users and has suspended the malicious domain

How the Attack Unfolded

The breach came to light in late December 2025 when blockchain security firms SlowMist and PeckShield began tracing suspicious outflows from Trust Wallet Chrome extension users. According to SlowMist’s analysis, version 2.68 of the extension introduced malicious code designed to iterate through all wallets stored in the extension and trigger a mnemonic phrase request for each one.

Once a user unlocked their wallet by entering their password, the encrypted mnemonic was decrypted and then transmitted to an attacker-controlled server at api.metrics-trustwallet[.]com. The domain was registered on December 8, 2025, with the first data exfiltration requests commencing on December 21, 2025.

The attacker leveraged posthog-js, a legitimate open-source analytics library, as the data exfiltration channel. By redirecting the library’s analytics traffic to their own server, the malicious code operated under the guise of normal telemetry, making detection significantly more difficult for both users and automated security scanning tools.
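As an added, defender-side illustration that is not part of the original article or of Trust Wallet’s code: the script below audits an unpacked Chrome extension directory for the two indicators the article describes, a manifest version matching the trojanized 2.68 release and a posthog-js api_host override pointing anywhere other than PostHog’s own ingestion hosts. The allowlisted PostHog hosts, the directory layout and the sample extension it writes to a temporary folder are assumptions constructed for the example; the api.metrics-trustwallet.com domain is the one the article reports.

```python
import json
import re
import tempfile
from pathlib import Path

# Hosts a stock posthog-js deployment legitimately talks to.
# Assumption for this example; adjust to the hosts your own build is expected to use.
ALLOWED_ANALYTICS_HOSTS = {
    "us.i.posthog.com",
    "eu.i.posthog.com",
    "app.posthog.com",
}

# Extension version the article reports as trojanized.
KNOWN_BAD_VERSIONS = {"2.68"}

# posthog-js is configured through an api_host option, e.g.
#   posthog.init("phc_xxx", {api_host: "https://us.i.posthog.com"})
# Minified bundles keep the key name, so a regex over the source is enough
# to recover every origin the analytics client is pointed at.
API_HOST_RE = re.compile(r"""["']?api_host["']?\s*[:=]\s*["'](https?://[^"'/]+)""")


def extract_analytics_hosts(js_source: str) -> set:
    """Return the set of hostnames used as posthog-js api_host in a JS bundle."""
    hosts = set()
    for match in API_HOST_RE.finditer(js_source):
        origin = match.group(1)
        hosts.add(origin.split("://", 1)[1].lower())
    return hosts


def audit_extension(ext_dir) -> dict:
    """Audit an unpacked extension: version check plus analytics-host allowlist."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    version = manifest.get("version", "")
    findings = []

    if version in KNOWN_BAD_VERSIONS:
        findings.append(f"manifest version {version} is a known-trojanized release")

    # Walk every script in the package; a redirected analytics endpoint can live
    # in any bundle, not only the one named after the library.
    for js_file in sorted(ext_dir.rglob("*.js")):
        source = js_file.read_text(encoding="utf-8", errors="replace")
        for host in extract_analytics_hosts(source):
            if host not in ALLOWED_ANALYTICS_HOSTS:
                rel = js_file.relative_to(ext_dir).as_posix()
                findings.append(f"{rel}: analytics api_host points at {host}")

    return {"name": manifest.get("name"), "version": version, "findings": findings}


def build_sample_extension(version: str, api_host: str) -> Path:
    """Write a minimal, constructed extension layout for demonstration only."""
    root = Path(tempfile.mkdtemp(prefix="ext-audit-"))
    (root / "manifest.json").write_text(json.dumps({
        "manifest_version": 3,
        "name": "Sample Wallet Extension",  # constructed name, not a real package
        "version": version,
    }), encoding="utf-8")
    (root / "js").mkdir()
    (root / "js" / "analytics.js").write_text(
        'import posthog from "posthog-js";\n'
        f'posthog.init("phc_sample_key", {{api_host: "{api_host}", autocapture: false}});\n',
        encoding="utf-8",
    )
    return root


if __name__ == "__main__":
    samples = [
        # Mirrors the reported incident: bad version, telemetry redirected off PostHog.
        ("2.68", "https://api.metrics-trustwallet.com"),
        # Mirrors a clean build: fixed version, stock PostHog ingestion host.
        ("2.69", "https://us.i.posthog.com"),
    ]
    for ver, host in samples:
        report = audit_extension(build_sample_extension(ver, host))
        status = "SUSPICIOUS" if report["findings"] else "clean"
        print(f"{report['name']} v{report['version']}: {status}")
        for finding in report["findings"]:
            print(f"  - {finding}")
```

Run it against a real unpacked extension by pointing audit_extension at the directory Chrome stores it in (or at the extracted CRX) instead of the constructed sample. The allowlist approach deliberately ignores what the library is named and only asks where the telemetry goes, which is exactly the property the reported update changed.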

Inside the Supply Chain Compromise

Trust Wallet CEO Eowyn Chen confirmed that the malicious extension v2.68 was not released through the company’s internal manual process. Instead, the attacker used a leaked Chrome Web Store API key to submit the malicious version directly, which then passed Google’s Chrome Web Store review and was published on December 24, 2025, at 12:32 p.m. UTC.

This detail is particularly alarming because it indicates the attacker had access to internal deployment credentials, not just the ability to compromise a third-party dependency. SlowMist confirmed that the malicious code was a direct modification of Trust Wallet’s own source code within the analytics logic, rather than an injected npm package or compromised third-party library.

Binance co-founder Changpeng Zhao (CZ) hinted that the exploit was “most likely” carried out by an insider, though no further evidence was provided. The possibility of nation-state involvement has also been raised, given the sophistication of the attack vector and the access required to obtain deployment permissions.

Scale of the Damage

Blockchain investigator ZachXBT reported that the incident claimed hundreds of victims. The digital assets drained include approximately $3 million in Bitcoin, $3 million in Ethereum, and $431 in Solana-based tokens. At the time of the breach, Bitcoin was trading around $88,490 and Ethereum near $3,006.

PeckShield traced the stolen funds through centralized exchanges and cross-chain bridges used for laundering. Approximately $3.3 million was sent to ChangeNOW, $340,000 to FixedFloat, and $447,000 to KuCoin. Around $2.8 million of the stolen funds initially remained in the attacker’s wallets across Bitcoin, EVM, and Solana networks before being dispersed.

Trust Wallet has since confirmed that 2,596 wallet addresses were affected. The company received approximately 5,000 claims for reimbursement, indicating a significant number of false or duplicate submissions from opportunists attempting to access victims’ reimbursements.

Response and Remediation

Trust Wallet responded by urging all Chrome extension users to update to version 2.69 immediately. The company emphasized that mobile-only users and all other browser extension versions were not affected by the breach.

Following the discovery, the company suspended the malicious domain, expired all release API keys, and began processing reimbursements for affected victims. Users were asked to submit claims through the official support desk, providing wallet addresses, transaction hashes, and other verification details.

The company also warned of secondary scams exploiting the situation, including fake Telegram compensation forms, impersonated support accounts, and phishing direct messages targeting already-victimized users.

Why This Matters

The Trust Wallet breach represents a new paradigm in crypto wallet attacks: rather than exploiting smart contract vulnerabilities or tricking users into signing malicious transactions, the attacker compromised the wallet software itself at the distribution level. By weaponizing a leaked API key to push a trojanized extension update through the official Chrome Web Store, the attacker bypassed both Trust Wallet’s internal security controls and Google’s review process.

This incident underscores a critical vulnerability in the browser extension ecosystem that many crypto users rely on daily. With approximately one million users of the Trust Wallet Chrome extension, the potential impact could have been far worse had the malicious code not been detected relatively quickly. The attack also highlights the growing sophistication of threat actors in the cryptocurrency space, who are increasingly targeting infrastructure and supply chains rather than individual users.

For everyday crypto users, this breach reinforces the importance of hardware wallets for storing significant holdings, verifying extension updates before interacting with them, and maintaining vigilance against secondary scams that inevitably follow major security incidents. As the crypto industry continues to mature, the security of wallet distribution channels must receive the same level of scrutiny as smart contract code.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always verify information through official channels and conduct your own research before making decisions about your cryptocurrency holdings.
