On Christmas Day 2025, while the cryptocurrency community celebrated the holidays, one of the most sophisticated supply chain attacks in the industry’s history was unfolding in real time. Trust Wallet’s Chrome extension version 2.68 had been silently weaponized, turning a trusted self-custody tool into a seed phrase harvesting machine that ultimately drained approximately $8.5 million from unsuspecting users across multiple blockchains.
The Exploit Mechanics
The attack vector was deceptively elegant. An attacker compromised Trust Wallet’s development infrastructure by stealing an API key used in the project’s standard release process. This allowed the threat actor to inject a malicious backdoor directly into the Chrome extension before it was published to the Chrome Web Store as version 2.68. Since the update came through the official channel, users had no reason to suspect foul play.
Once installed, the backdoor operated through the wallet’s unlock flow—both biometric and password-based authentication pathways. When a user unlocked their wallet, the malicious code traversed all stored wallets, extracted decrypted seed phrases, and cleverly disguised them within what appeared to be routine analytics data. The stolen seed phrases were packed into a variable deceptively named errorMessage, then embedded within analytics event objects.
The exfiltration channel was equally insidious. The attacker had deliberately introduced a PostHog analytics infrastructure into v2.68 specifically for data transmission. Seed phrases, masquerading as error reports, were routed through this legitimate analytics service to an attacker-controlled endpoint. This meant the data transfers appeared normal to any network monitoring tools, blending seamlessly with expected application telemetry.
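The technique described above hides secrets in a field that monitoring treats as routine telemetry. The following is an added defender-side check, not code from Trust Wallet or BlockSec: it walks an outbound analytics event and flags any string that has the shape of a BIP39 mnemonic before the event is posted. The word-count and charset heuristic is an assumption standing in for a full BIP39 wordlist lookup, and the sample events are constructed, not captured traffic.

```javascript
// Added example (not Trust Wallet's code): inspect outbound analytics events
// for seed-phrase-like strings before they leave the extension.
// Assumption: in production the length/charset heuristic below would be
// backed by a full BIP39 wordlist check.
const MNEMONIC_LENGTHS = new Set([12, 15, 18, 21, 24]);
const WORD_RE = /^[a-z]{3,8}$/; // BIP39 English words are 3..8 lowercase letters

// True when a string is made of N lowercase words with N a valid mnemonic length.
function looksLikeMnemonic(value) {
  if (typeof value !== "string") return false;
  const words = value.trim().split(/\s+/);
  return MNEMONIC_LENGTHS.has(words.length) && words.every((w) => WORD_RE.test(w));
}

// Walk an arbitrary event object (nested objects and arrays) and return
// JSON-path-like locations of every mnemonic-looking value.
function findMnemonicFields(obj, path = "$") {
  const hits = [];
  if (looksLikeMnemonic(obj)) {
    hits.push(path);
  } else if (obj && typeof obj === "object") {
    for (const [k, v] of Object.entries(obj)) {
      hits.push(...findMnemonicFields(v, `${path}.${k}`));
    }
  }
  return hits;
}

// Gate a telemetry wrapper would call before handing an event to PostHog.
function shouldBlockEvent(event) {
  return findMnemonicFields(event).length > 0;
}

// Constructed sample events: one genuine error report, one carrying a
// constructed 12-word phrase in the same errorMessage field.
const CONSTRUCTED_PHRASE =
  "apple brave cabin dance eagle fence grape honey image jelly knife lemon";
const benignEvent = {
  event: "wallet_unlock_error",
  properties: { errorMessage: "Timeout after 30s", method: "biometric" },
};
const suspiciousEvent = {
  event: "wallet_unlock_error",
  properties: { errorMessage: CONSTRUCTED_PHRASE, method: "password" },
};

console.log(findMnemonicFields(suspiciousEvent)); // ["$.properties.errorMessage"]
console.log(shouldBlockEvent(benignEvent)); // false
```

This only catches plaintext phrases; a build that base64-encodes or splits the words would need an additional length or entropy check on every string field.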
Affected Systems
The breach exclusively affected users of the Trust Wallet Browser Extension version 2.68 on Chrome. Mobile-only users and all other browser extension versions remained unaffected. However, the impact was severe for those exposed. Bitcoin was trading at approximately $87,235 and Ethereum at $2,904 at the time, meaning even modest wallet balances translated to significant losses.
Stolen funds were drained across multiple chains and systematically routed to non-KYC exchanges for laundering. The total losses climbed to approximately $8.5 million in various cryptocurrencies including Bitcoin, Ethereum, and BNB. Each wallet that had been unlocked using the compromised v2.68 extension had its seed phrase fully exposed, giving the attacker complete and irreversible access to all associated funds.
The timing was no accident. Christmas Day represented maximum user distraction, minimal security team staffing, and reduced availability of incident response personnel. These were the perfect conditions for a supply chain attack to propagate and generate losses before detection.
The Mitigation Strategy
Trust Wallet responded within hours. On December 25, the team acknowledged the security incident and urged all v2.68 users to immediately disable the extension and upgrade to version 2.69, which removed the malicious code. They posted clear instructions via their official X account, explicitly noting that mobile-only users were not impacted.
Binance founder Changpeng Zhao publicly addressed the incident, stating that approximately $7 million was affected and that Trust Wallet would cover all user losses. He reassured the community that “user funds are SAFU” and expressed appreciation for user understanding during the investigation into how the attacker was able to submit the compromised version.
Security researchers at BlockSec conducted a thorough analysis of the de-obfuscated source code, confirming the full attack chain from API key theft through seed phrase exfiltration. Their findings revealed that the same malicious pattern existed in both biometric and password unlock flows, indicating a deliberate and well-engineered backdoor rather than an opportunistic exploit.
Lessons Learned
The Trust Wallet Christmas Day attack serves as a watershed moment for supply chain security in cryptocurrency. It demonstrates that even self-custody wallets—the gold standard for user-controlled digital assets—are only as secure as their update delivery mechanism. An attacker who can compromise the development pipeline can bypass every downstream security measure.
For the broader industry, the incident reinforced several critical principles. First, browser extension wallets remain a high-risk attack surface because users inherently trust updates pushed through official channels. Second, analytics and telemetry infrastructure represents a powerful exfiltration vector that can be weaponized to bypass network security controls. Third, holiday periods create amplified risk windows that attackers deliberately target.
The attack also underscored the importance of transparency and rapid response. Trust Wallet’s swift acknowledgment, clear communication about affected versions, and commitment to covering losses set a standard for how wallet providers should handle supply chain compromises. As the cryptocurrency industry recorded $3.14 billion in hacks during 2025, the Trust Wallet incident stands as a reminder that security is never a finished project—it is a continuous process of vigilance, verification, and improvement.
User Action Required
Users who had Trust Wallet Browser Extension v2.68 installed should immediately verify they are running v2.69 or later. Anyone who unlocked their wallet while running v2.68 should consider their seed phrases compromised and migrate funds to a new wallet generated on a clean device. Hardware wallet users were not affected by this specific attack but should always verify extension authenticity. As a general practice, users should delay installing wallet updates for 24 to 48 hours after release to allow the community time to verify the integrity of new versions, particularly when updates arrive during holiday periods or at unusual times.