In a shocking incident that rocked the cryptocurrency community just days after Christmas 2025, a security breach involving the Trust Wallet Chrome extension has resulted in nearly $7 million worth of digital assets being stolen from users’ wallets. The crypto wallet provider has confirmed the incident, urged users to update immediately, and promised to refund affected victims — but the breach also highlights deeper safety risks in browser-based crypto tooling and supply-chain security.

What Happened: A Compromised Browser Extension

Late on December 24, 2025, a malicious update to Trust Wallet’s Google Chrome extension (version 2.68) was published on the Chrome Web Store. Within hours, users began reporting that their wallets were being drained without authorization — and the on-chain activity confirmed widespread theft across multiple major blockchains.

Estimated Losses

  • Total Stolen: Approximately $7 million in cryptocurrency.
  • Affected Assets: Bitcoin (BTC), Ethereum (ETH), Solana (SOL), and other tokens stored in affected wallets.
  • Victims: Hundreds of users experienced unauthorized withdrawals from self-custody wallets.

Investigators tracked the stolen funds as they moved through centralized exchanges and cross-chain bridges, noting transfers to services such as ChangeNOW, KuCoin, FixedFloat, and others. A substantial share of the stolen crypto was laundered within hours of the breach.

How It Worked: Malicious Code in v2.68

Security analysis reveals that the extension’s code was tampered with before or during the publication process, resulting in embedded malicious logic that stole critical wallet data:

  • The compromised extension contained hidden scripts that monitored wallet interactions.
  • When a user imported or unlocked a seed phrase, the code triggered and exfiltrated it to a fraudulent domain (“api.metrics-trustwallet[.]com”).
  • This fake domain was registered days earlier, indicating preparation by the attackers.
  • The PostHog JavaScript analytics library shipped with the extension was repurposed as an exfiltration channel: instead of only collecting analytics, it funneled sensitive wallet data to attacker servers.

Crucially, this was not a typical cryptographic vulnerability or blockchain protocol exploit — rather, it was a supply-chain breach affecting front-end wallet software. By compromising the extension update, the attackers bypassed traditional blockchain defenses and directly accessed users’ seed phrases — the keys to their funds.

Scope and Impact

Who Was Affected?

  • The breach only affected the Chrome browser extension version 2.68.
  • Users who had installed this version and opened or unlocked their wallet within it were at risk.
  • Mobile app users (iOS/Android) and holders using other extension versions were not impacted.
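
For triage on a workstation or across a fleet, the two indicators named above (extension version 2.68 and the exfiltration domain) can be checked against the unpacked extension files on disk. The script below is an added example, not code from Trust Wallet or from the investigators; the directory layout it walks, the manifest name match and the sample tree are assumptions.

```python
import json
import tempfile
from pathlib import Path

# Indicators from the article. The domain is stored defanged and re-fanged at runtime.
BAD_VERSION = "2.68"
IOC_DOMAIN = "api.metrics-trustwallet[.]com".replace("[.]", ".")
TEXT_SUFFIXES = {".js", ".json", ".html"}

def triage_extension(version_dir: Path) -> dict:
    """Inspect one unpacked extension version directory (the one holding manifest.json)."""
    manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8"))
    version = str(manifest.get("version", ""))
    ioc_files = sorted(
        str(p.relative_to(version_dir))
        for p in version_dir.rglob("*")
        if p.is_file() and p.suffix in TEXT_SUFFIXES
        and IOC_DOMAIN in p.read_text(encoding="utf-8", errors="ignore")
    )
    return {
        "dir": str(version_dir),
        "name": str(manifest.get("name", "")),
        "version": version,
        "version_match": version == BAD_VERSION or version.startswith(BAD_VERSION + "."),
        "ioc_files": ioc_files,
    }

def scan_extensions(extensions_root: Path) -> list:
    """Walk <root>/<extension id>/<version dir>/ and return entries needing follow-up."""
    findings = []
    for manifest in sorted(extensions_root.glob("*/*/manifest.json")):
        try:
            result = triage_extension(manifest.parent)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not abort the sweep
        # Assumption: name contains "Trust Wallet"; localized __MSG_*__ names rely on the IoC match.
        named = "trust wallet" in result["name"].lower()
        if result["ioc_files"] or (named and result["version_match"]):
            findings.append(result)
    return findings

if __name__ == "__main__":
    # Constructed sample tree standing in for a Chrome profile's Extensions folder.
    root = Path(tempfile.mkdtemp())
    sample = root / "constructedextensionid" / "2.68_0"
    sample.mkdir(parents=True)
    (sample / "manifest.json").write_text(json.dumps({"name": "Trust Wallet", "version": "2.68"}))
    (sample / "background.js").write_text(f'var host = "https://{IOC_DOMAIN}";')
    print(json.dumps(scan_extensions(root), indent=2))
```

A clean result only describes what is on disk at scan time; once the browser has updated to 2.69 the older version directory may already be gone, so exposure still has to be judged from whether the wallet was opened or unlocked while 2.68 was installed.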

With Trust Wallet’s Chrome extension counting approximately one million users, the number of potentially affected individuals was large, though the exact figure of impacted wallets remains under review.

What Trust Wallet Has Said

Trust Wallet executives rapidly acknowledged the issue after widespread reports on social media and blockchain tracking platforms. The company’s official statements and those of Binance co-founder Changpeng Zhao (CZ) underscored the seriousness of the incident:

  • Trust Wallet confirmed a security incident affecting only version 2.68.
  • Users are urged to disable the compromised extension immediately and update to version 2.69, which fixes the issue.
  • Trust Wallet pledged to refund all affected users, stating that funds are “SAFU” (Secure Asset Fund for Users) and that compensation will be provided.
  • Official reimbursement claims are being handled through an official support portal to prevent scams from impersonators.

Trust Wallet also warned users not to interact with unofficial messages or links, as scammers have already begun spreading fake “compensation” or “fix” sites designed to steal seed phrases.

Suspected Attack Vector: Supply Chain or API Key Leak

The latest findings suggest that the malicious extension version was not published through Trust Wallet’s standard internal release process. Instead, attackers appear to have:

  • Obtained access to the Chrome Web Store API key used for publishing the extension.
  • Used that key to upload the tampered version, which passed Google’s review and was made available as an update.

How the attackers got this access — whether through a compromised developer device, stolen credentials, or an insider — is still under investigation, but the incident has raised serious questions about internal security controls and extension release practices.

Binance co-founder CZ hinted at the possibility of insider involvement or a highly-targeted supply-chain attack, though no firm evidence has yet been shared publicly to confirm that claim.

How the Theft Unfolded on Chain

Blockchain investigator ZachXBT and others quickly traced the exfiltration and theft activity:

  • Within hours of the extension’s release, unauthorized transfers began appearing from affected wallets.
  • Publicly available on-chain data shows rapid draining of cryptocurrency across EVM-based tokens, BTC, and SOL networks.
  • Multiple receiving addresses were used, followed by movement through centralized exchanges and bridges to obfuscate the stolen funds.

Additionally, scammers launched phishing domains after the breach to take advantage of users seeking help — a tactic common in high-profile digital asset incidents.

How Users Can Protect Themselves Now

If you still have the Trust Wallet Chrome extension installed:

  1. Disable the extension immediately in your Chrome browser.
  2. Do not open or unlock your wallet using version 2.68.
  3. Update to version 2.69 through the official Chrome Web Store link.
  4. If you suspect your wallet was open while compromised:
    • Move funds to a new, secure wallet.
    • Revoke permissions connected to the old extension.
    • Consider restoring a new wallet with a fresh seed phrase if compromise is confirmed.

Never enter your seed phrase on websites or forms claiming to provide fixes or compensation — such sites are often scams trying to steal even more funds.

Broader Implications for Crypto Security

This incident underscores a major risk vector for self-custody wallets: supply chain and software distribution compromise. Even legitimate updates can turn dangerous if attackers intercept the build or publishing process. Browser extensions, which often have broad access to sensitive operations, can act as fertile ground for malicious actors when not tightly controlled.

Security experts warn that:

  • Browser-based wallets carry inherent risk, especially where updates are installed automatically.
  • Regular auditing of developer tools and publishing credentials is essential to prevent unauthorized releases.
  • Vigilance around analytics libraries and third-party dependencies is critical since attackers may misuse them as covert channels.
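
One way to act on the last point is a release gate that lists every host a built extension bundle references and fails the release when one is not on an approved list. The sketch below is an added example, not Trust Wallet's tooling; the allowlist, the `example-wallet.test` hosts and the sample bundle (including the analytics call) are constructed for illustration, and only the flagged domain comes from the article.

```python
import re

# Hypothetical allowlist: registrable domains the release owner expects the bundle to contact.
ALLOWED_HOSTS = {"example-wallet.test"}
IOC_DOMAIN = "api.metrics-trustwallet[.]com".replace("[.]", ".")  # from the article

URL_RE = re.compile(r"(?:https?|wss?)://([A-Za-z0-9.-]+)")

def extract_hosts(source: str) -> set:
    """Return every host that appears in an absolute URL in the given source text."""
    return {m.group(1).lower().rstrip(".") for m in URL_RE.finditer(source)}

def is_allowed(host: str, allowed: set) -> bool:
    """Exact match or true subdomain; look-alike prefixes and suffixes do not pass."""
    return any(host == a or host.endswith("." + a) for a in allowed)

def audit_bundle(files: dict, allowed: set) -> dict:
    """Map each unexpected host to the sorted list of bundle files that reference it."""
    unexpected = {}
    for name, source in files.items():
        for host in extract_hosts(source):
            if not is_allowed(host, allowed):
                unexpected.setdefault(host, []).append(name)
    return {host: sorted(names) for host, names in sorted(unexpected.items())}

# Constructed bundle contents, not the actual malicious code from version 2.68.
SAMPLE_BUNDLE = {
    "background.js": 'fetch("https://rpc.example-wallet.test/v1/balance");',
    "analytics.js": 'posthog.init("phc_constructed", {api_host: "https://' + IOC_DOMAIN + '"});',
}

if __name__ == "__main__":
    report = audit_bundle(SAMPLE_BUNDLE, ALLOWED_HOSTS)
    for host, names in report.items():
        print(f"UNEXPECTED HOST {host} referenced in {', '.join(names)}")
    raise SystemExit(1 if report else 0)  # non-zero exit blocks the release
```

Static matching misses hosts that are assembled or decoded at runtime, so a gate like this complements, rather than replaces, comparing the published package against the internally built artifact and monitoring the extension's network egress.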

Final Takeaways

This Trust Wallet Chrome extension breach is a stark reminder that even trusted, widely-used crypto tools can be weaponized if their distribution chain is compromised. With nearly $7 million in user funds affected, the incident will likely trigger wider scrutiny of extension platforms, wallet security practices, and supply-chain defenses in the Web3 ecosystem.

Key points to remember:

  • The incident only impacted Chrome extension version 2.68.
  • Trust Wallet has released version 2.69 and urges users to update immediately.
  • A refund program is underway for affected users.
  • Users should secure their wallets now and avoid unofficial tools or links.