Trust Wallet Chrome Extension Breach Linked to $7 Million Crypto Theft

    Published: December 30, 2025

    Updated: December 30, 2025

    Background and Timeline

    During the 2025 holiday break, users of Trust Wallet’s Chrome extension began reporting that their crypto wallets were suddenly drained shortly after interacting with the extension. Trust Wallet later confirmed a security incident affecting only Chrome extension version 2.68, and multiple sources reported losses reaching roughly $7 million.

    On December 24, 2025, Trust Wallet’s Chrome extension version 2.68 was released. Soon after, users began reporting drained funds across social media.

    Trust Wallet issued a follow-up update urging affected users to update to version 2.69, and Binance founder Changpeng Zhao (CZ) publicly confirmed the scope of the theft and stated reimbursement would follow.

    How the Update Was Compromised

    Trust Wallet CEO Eowyn Chen stated that the malicious v2.68 extension was not released through Trust Wallet’s internal manual process, and that current findings suggest it was published externally through a leaked Chrome Web Store API key, bypassing Trust Wallet’s release checks.

    Chen said the malicious version passed review and was released on Dec 24, 2025 at 12:32 UTC.

    Security researchers later found that the malicious logic appeared in a bundled JavaScript file named 4482.js, which attempted to exfiltrate sensitive wallet data to an external endpoint: api.metrics-trustwallet[.]com.

    According to SlowMist, the malicious code iterated through wallets stored in the extension, triggered mnemonic recovery prompts, decrypted the mnemonic once the user unlocked the wallet, and transmitted the mnemonic phrase to the attacker-controlled domain.

    SlowMist also reported that the metrics-trustwallet[.]com domain was registered on December 8, 2025, with initial activity starting around December 21, 2025.
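
A triage check a defender could run over an unpacked copy of the extension, based on the indicators reported above. This is an added example, not code from Trust Wallet or SlowMist; the official domain `trustwallet.com`, the brand-token lookalike rule, and the sample files are assumptions constructed for illustration, and the rule goes beyond the single reported domain to any brand lookalike host.

```python
import json
import re
import tempfile
from pathlib import Path

# From the article (kept defanged in source, refanged at runtime).
BAD_VERSION = "2.68"
IOC_DOMAINS = ("metrics-trustwallet[.]com".replace("[.]", "."),)
# Assumptions, not from the article: vendor's real domain and brand token.
OFFICIAL_DOMAIN = "trustwallet.com"
BRAND = "trustwallet"
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)

def classify(host):
    """Return 'ioc', 'lookalike', or None for a hostname found in a bundle."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
        return "ioc"
    official = host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)
    if BRAND in host and not official:
        return "lookalike"  # brand name on a domain the vendor does not own
    return None

def triage(ext_dir):
    """Scan an unpacked extension; return (is_bad_version, findings)."""
    ext_dir = Path(ext_dir)
    version = json.loads((ext_dir / "manifest.json").read_text())["version"]
    findings = []
    for js in sorted(ext_dir.rglob("*.js")):
        text = js.read_text(errors="replace")
        for host in sorted(set(HOST_RE.findall(text))):
            if (verdict := classify(host)):
                findings.append((js.name, host.lower(), verdict))
    return version == BAD_VERSION, findings

def build_sample(root):
    """Constructed sample directory; the file contents are not real extension code."""
    root = Path(root)
    (root / "manifest.json").write_text(json.dumps({"version": "2.68"}))
    (root / "4482.js").write_text('const u="https://api.%s/";' % IOC_DOMAINS[0])
    (root / "app.js").write_text('fetch("https://api.trustwallet.com/");'
                                 'fetch("https://trustwallet-help.example/");')
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(triage(build_sample(tmp)))
```

A literal-URL scan only catches hostnames that appear as plain strings; a bundle that assembles its endpoint at runtime needs network-level monitoring of the extension's outbound requests as well.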

    What Was Stolen

    Investigator reporting indicated that stolen assets included approximately $3 million in Bitcoin and more than $3 million in Ethereum, along with smaller losses on other chains.

    Blockchain investigator ZachXBT reportedly noted that the incident impacted hundreds of victims.

    PeckShield reported that a large portion of funds were routed into centralized exchanges and swap services, including ChangeNOW, FixedFloat, and KuCoin, consistent with laundering behavior.

    Parallel Phishing Campaign

    Threat actors also ran phishing campaigns at the same time as the extension compromise. Multiple accounts pushed users toward fix-trustwallet[.]com, a site that mimicked Trust Wallet branding and prompted users to enter their seed phrase under the guise of fixing a vulnerability.

    WHOIS data suggested this phishing domain used the same registrar as metrics-trustwallet[.]com, which raised suspicion that both domains may have been controlled by the same actor or group.

    Trust Wallet Response and Reimbursement

    Trust Wallet publicly stated it would refund affected users and warned users to avoid non-official communications. The company also advised extension users to upgrade to version 2.69, and confirmed that mobile users were not affected.

    Chen stated the company suspended the malicious domain, expired release APIs to prevent new releases for 2 weeks, and began collecting victim tickets for reimbursements.

    Trust Wallet asked victims to complete a support form to start the compensation process, while warning about scams using fake “compensation” forms and impersonated accounts.

    What Users Should Do

    Trust Wallet’s instructions for mitigating risk were explicit:

    • Do not open the browser extension until you have updated to version 2.69.
    • Update only through the official Chrome Web Store listing.
    • If you used v2.68 and exposed your recovery phrase, treat it as permanently compromised and move funds to a new wallet created with a fresh seed phrase.
    • Ignore any site or person asking for your seed phrase. Legitimate support will never ask for it.

    Security researchers and incident reporting also repeated the long-standing advice that large holdings should remain in cold storage, since browser-based hot wallets remain attractive targets.

    What’s Next?

    Trust Wallet continues investigating how the attacker obtained the ability to publish the malicious extension update and what allowed the update to pass review checks. The incident raises broader questions about release security, API key protection, Chrome Web Store review mechanisms, and extension trust models.

    For end users, the main takeaway remains simple: a compromised browser wallet extension can expose recovery phrases, which grants attackers full control of funds. Moving quickly and using only official channels matters most in incidents like this.

    Tamzid brings 5+ years of specialized writing experience across SaaS, cybersecurity, compliance, and blockchain. He’s skilled at simplifying complex concepts without losing depth. He follows the latest cybersecurity compliance updates and brings readers practical insights they can trust and keeps them ahead of the curve.
