Trust Wallet Chrome Extension Supply Chain Attack Exposes $7 Million in User Funds

A sophisticated supply chain attack targeting Trust Wallet’s Chrome browser extension has resulted in the theft of approximately $7 million in cryptocurrency, sending shockwaves through the non-custodial wallet community and raising urgent questions about the security of browser-based crypto extensions. The breach, which affected version 2.68 of the popular extension used by roughly one million people, represents one of the most concerning supply chain compromises in the wallet ecosystem to date.

The Exploit Mechanics

According to a detailed analysis by blockchain security firm SlowMist, the attack was remarkably elegant in its execution. Version 2.68 of the Trust Wallet Chrome extension introduced malicious code designed to systematically harvest wallet credentials. The code iterated through every wallet stored in the extension and triggered a mnemonic phrase request for each one. When the user entered their password or passkey to unlock the wallet, the encrypted mnemonic was decrypted and subsequently transmitted to an attacker-controlled server at the domain api.metrics-trustwallet[.]com.

Further investigation revealed that the attacker leveraged posthog-js, an open-source full-chain analytics library, to facilitate the data exfiltration. The malicious domain was registered on December 8, 2025, with the first API requests commencing on December 21, giving the attacker roughly a week of active data harvesting before the breach was publicly disclosed.
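A defender-side check for the exfiltration endpoint described above, as an added example that is not Trust Wallet's or SlowMist's code: it lists hosts that first appear in a new release and fall outside an allowlist, and shows why a brand-substring check would wave the lookalike domain through. The allowlist, file names and release contents are constructed assumptions; only the defanged domain comes from the article.

```python
import re

# IoC exactly as the article gives it (defanged); refanged only in memory.
IOC_DEFANGED = "api.metrics-trustwallet[.]com"
# Constructed allowlist of domains the reviewer expects the extension to call.
ALLOWED = ("trustwallet.com",)
HOST_RE = re.compile(r"https?://([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)

def refang(value):
    return value.replace("[.]", ".")

def naive_ok(host):
    # Brand-substring check: the lookalike passes, which is why it is unsafe.
    return "trustwallet" in host.lower()

def strict_ok(host, allowed=ALLOWED):
    # Accept only an allowed domain or a true subdomain (match on a label boundary).
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def hosts_in(files):
    # files maps path -> source text; returns {(path, host)} for every URL literal.
    return {(path, m.group(1).lower())
            for path, text in files.items()
            for m in HOST_RE.finditer(text)}

def new_unexpected_hosts(old_files, new_files, allowed=ALLOWED):
    # Hosts that first appear in the new release and are outside the allowlist.
    known = {host for _, host in hosts_in(old_files)}
    return sorted((path, host) for path, host in hosts_in(new_files)
                  if host not in known and not strict_ok(host, allowed))

# Constructed stand-ins for two unpacked releases (not the real extension code).
OLD_RELEASE = {"background.js": 'fetch("https://api.trustwallet.com/v1/prices");'}
NEW_RELEASE = {
    "background.js": OLD_RELEASE["background.js"],
    "analytics.js": 'const API_HOST = "https://' + refang(IOC_DEFANGED) + '";',
}

if __name__ == "__main__":
    for path, host in new_unexpected_hosts(OLD_RELEASE, NEW_RELEASE):
        print(f"{path}: new host outside allowlist: {host}")
```

Run against the unpacked previous and candidate releases in a release pipeline, a non-empty result is a reason to block publication until a human has reviewed the new endpoint.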

Blockchain investigator ZachXBT reported that the incident claimed hundreds of victims. The stolen assets included approximately $3 million in Bitcoin, $3 million in Ethereum, and smaller amounts in Solana. PeckShield traced the laundering path, noting that approximately $2.8 million remained in the attacker’s wallets while the bulk—over $4 million—had been routed through centralized exchanges including ChangeNOW, FixedFloat, and KuCoin.

Affected Systems

The breach was confined exclusively to Trust Wallet’s Chrome browser extension version 2.68. Mobile wallet users and those running other extension versions were not impacted. Trust Wallet clarified that the attack vector was not a compromised third-party dependency but rather a malicious modification within the internal extension codebase, specifically targeting the analytics logic. This distinction is critical: it suggests the attacker gained access to Trust Wallet’s internal development infrastructure, whether through compromised developer credentials, hijacked GitHub secrets, or a compromised Chrome Web Store API key.

Trust Wallet responded by urging all Chrome extension users to immediately update to version 2.69. The company committed to refunding all affected users, stating that approximately $7 million had been impacted and that the reimbursement process was being actively finalized.

The Mitigation Strategy

For users who may have been exposed, the following steps are essential. First, update the extension to version 2.69 or later immediately. Second, if you used version 2.68 at any point, assume your mnemonic phrase has been compromised and migrate your funds to a freshly generated wallet. Third, revoke all token approvals and spending permissions associated with the compromised wallet addresses. Fourth, enable additional security layers including hardware wallet integration for significant holdings.

At the build and distribution level, this incident underscores the need for reproducible, deterministic builds for browser extensions. If Trust Wallet had employed a system where users could independently verify that the distributed extension package matched the public source code, the malicious injection would have been detectable before deployment.
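One way to perform the verification described above, as an added example that is not Trust Wallet's tooling: compare a package rebuilt from public source with the distributed one, file by file, since archive timestamps make whole-archive hashes differ even for identical content. It assumes both packages are plain ZIP archives and that store-added files live under `_metadata/`; the sample file names and contents are constructed.

```python
import hashlib
import io
import zipfile

# Paths skipped when comparing: store-added metadata (assumption, adjust as needed).
IGNORED_PREFIXES = ("_metadata/",)

def file_digests(package_bytes):
    # Map each packaged file to the SHA-256 of its uncompressed content.
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as pkg:
        return {info.filename: hashlib.sha256(pkg.read(info)).hexdigest()
                for info in pkg.infolist()
                if not info.is_dir()
                and not info.filename.startswith(IGNORED_PREFIXES)}

def compare_packages(reference_bytes, distributed_bytes):
    # reference = rebuilt from public source; distributed = what users received.
    ref, dist = file_digests(reference_bytes), file_digests(distributed_bytes)
    return {
        "added": sorted(set(dist) - set(ref)),
        "removed": sorted(set(ref) - set(dist)),
        "modified": sorted(p for p in set(ref) & set(dist) if ref[p] != dist[p]),
    }

def make_package(files, build_time):
    # Helper for the constructed samples: zip `files` with a fixed timestamp.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        for name, data in sorted(files.items()):
            pkg.writestr(zipfile.ZipInfo(name, date_time=build_time), data)
    return buf.getvalue()

# Constructed sample trees (not the real extension contents).
SOURCE = {"manifest.json": '{"version": "0.0.0"}', "analytics.js": "track();"}
TAMPERED = {**SOURCE, "analytics.js": "track(); extra();",
            "_metadata/verified_contents.json": "{}"}

REFERENCE = make_package(SOURCE, (2025, 12, 1, 0, 0, 0))
CLEAN_REBUILD = make_package(SOURCE, (2025, 12, 2, 0, 0, 0))
SHIPPED = make_package(TAMPERED, (2025, 12, 2, 0, 0, 0))

if __name__ == "__main__":
    print(compare_packages(REFERENCE, CLEAN_REBUILD))  # timestamps differ, content equal
    print(compare_packages(REFERENCE, SHIPPED))
```

The comparison is only meaningful when the build itself is deterministic, so that bundler output for the same source is byte-identical across machines.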

Lessons Learned

The Trust Wallet breach reinforces several uncomfortable truths about the current state of wallet security. Non-custodial does not mean risk-free. The custodial threat has simply shifted from a centralized exchange to the software supply chain itself. With Bitcoin trading around $88,430 and Ethereum at $2,971 on the day of the breach’s disclosure, the financial stakes of even a brief credential exposure window are enormous.

Supply chain attacks targeting crypto infrastructure are escalating in both frequency and sophistication. The Trust Wallet incident follows a broader pattern observed throughout December 2025, which saw $76.2 million lost across 26 crypto security incidents according to PeckShield data. While this represented a 60% decline from November’s $194.2 million, the diversity of attack vectors—ranging from address poisoning scams to protocol exploits—indicates that the threat landscape is broadening rather than narrowing.

User Action Required

If you used Trust Wallet’s Chrome extension between December 21 and December 28, 2025, take immediate action. Update to the latest version, migrate your assets to a new wallet generated on a trusted device, and monitor your addresses for unauthorized transactions. Report any losses to Trust Wallet’s official support channels—never through unsolicited messages. As the company itself warned, refrain from interacting with any communications that do not originate from verified official channels, as scammers frequently exploit breach announcements to launch secondary phishing campaigns.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with qualified professionals before making security decisions regarding your cryptocurrency holdings.
