Trust Wallet Chrome Extension Breach Leads to 7 Million Dollar Crypto Loss via Malicious Code

Trust Wallet has issued an urgent advisory asking users to update its Google Chrome browser extension after confirming a security incident that resulted in cryptocurrency losses totaling approximately $7 million.

The breach specifically affected Trust Wallet Chrome Extension version 2.68, while users who upgraded to version 2.69 are no longer at risk. According to the Chrome Web Store, the extension has nearly one million active users. Trust Wallet confirmed that mobile app users and other browser extensions were not impacted.

In an official statement shared on X, Trust Wallet acknowledged the losses and assured users that compensation efforts are underway. The company emphasized that supporting affected users remains its highest priority and confirmed that all verified victims will be refunded.

Users have also been warned to avoid interacting with any communications not issued through Trust Wallet’s official channels, as scammers are actively exploiting the situation.

How the Attack Worked

Blockchain security firm SlowMist revealed that the compromised version introduced malicious logic capable of scanning all wallets stored in the browser extension. For each wallet it accessed, the code triggered a request for that wallet’s mnemonic recovery phrase.

The encrypted mnemonic phrases were decrypted using the password or passkey entered during wallet unlock. After decryption, the data was transmitted to an attacker-controlled server at api.metrics-trustwallet[.]com.

Further investigation showed that the domain metrics-trustwallet[.]com was registered on December 8, 2025, with malicious activity beginning on December 21, 2025. The attacker reportedly abused the open-source analytics library posthog-js to covertly collect wallet information.
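
A triage check built from the indicators above, as an added example that is not code from Trust Wallet or SlowMist: it walks a Chrome profile's Extensions folder, flags the wallet extension if its manifest reports version 2.68, and flags any script in any installed extension that references the exfiltration domain. The function names, the caller-supplied extension ID and the "2.68.x" match are assumptions of this example.

```python
import json
from pathlib import Path

# Indicators from the article. The domain stays defanged in source and is
# refanged only in memory for matching.
IOC_DOMAIN = "metrics-trustwallet[.]com".replace("[.]", ".").encode()
AFFECTED = "2.68"  # assumption: a manifest may carry it as "2.68" or "2.68.x"


def is_affected(version: str) -> bool:
    return version == AFFECTED or version.startswith(AFFECTED + ".")


def triage(extensions_dir, wallet_id):
    """Return sorted (kind, extension_id, detail) findings.

    extensions_dir: a Chrome profile's Extensions folder, laid out as
    <id>/<version>_<n>/manifest.json.
    wallet_id: the wallet's extension ID as shown in chrome://extensions
    (supplied by the caller; the article does not list it).
    """
    findings = set()
    for manifest in Path(extensions_dir).glob("*/*/manifest.json"):
        root, ext_id = manifest.parent, manifest.parent.parent.name
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
            version = str(data.get("version", ""))
        except (OSError, ValueError, AttributeError):
            version = ""  # unreadable manifest: still scan the scripts below
        if ext_id == wallet_id and is_affected(version):
            findings.add(("affected_version", ext_id, version))
        # The endpoint sat in the extension's own code, so search the shipped
        # scripts themselves rather than trusting the manifest.
        for script in root.rglob("*.js"):
            try:
                if IOC_DOMAIN in script.read_bytes():
                    detail = script.relative_to(root).as_posix()
                    findings.add(("ioc_domain", ext_id, detail))
            except OSError:
                continue
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for finding in triage(sys.argv[1], sys.argv[2]):
        print(*finding, sep="\t")
```

A profile that has already auto-updated to 2.69 returns no findings, so an empty result does not show that 2.68 was never installed.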

Financial Impact and Laundering Activity

Stolen assets include approximately $3 million in Bitcoin, more than $3 million in Ethereum, and a smaller amount in Solana. Blockchain investigators observed that the stolen funds were laundered through centralized exchanges and cross-chain bridges.

According to PeckShield, over $4 million was routed through centralized exchanges, including ChangeNOW, FixedFloat, and KuCoin. An estimated $2.8 million remains in wallets controlled by the attacker.

Blockchain investigator ZachXBT confirmed that the incident has impacted hundreds of victims.

Insider Threat or Compromised Infrastructure

SlowMist clarified that the breach did not originate from a compromised third-party dependency, such as a malicious npm package. Instead, the attacker directly modified Trust Wallet’s internal extension code and misused legitimate analytics functionality to exfiltrate data.

Trust Wallet stated that the incident may involve a nation-state actor, suggesting the possibility that attacker(s) gained access to developer systems or deployment credentials prior to December 8, 2025. Binance co-founder Changpeng Zhao also hinted that the breach could be the result of insider involvement, though no direct evidence has been presented.

Official Update and Compensation Process

In a follow-up announcement, Trust Wallet urged affected users to submit claims via its official support portal at trustwallet-support.freshdesk[.]com. Required details include contact information, country of residence, compromised wallet addresses, transaction hashes, and destination addresses of the stolen funds.

The company also warned users about ongoing scams involving fake compensation forms, impersonated support accounts, and Telegram advertisements. Users were strongly advised never to share their recovery phrases.

Trust Wallet CEO Eowyn Chen confirmed that the malicious extension version was not released through internal deployment processes. According to the investigation, a leaked Chrome Web Store API key was used to publish version 2.68, bypassing standard security checks.

The malicious update was released on December 24, 2025, at 12:32 p.m. UTC. Since then, Trust Wallet has suspended the malicious domain, invalidated all release API keys, and initiated reimbursements.

Trust Wallet has identified 2,596 compromised wallet addresses but has received nearly 5,000 compensation claims, indicating a high number of duplicate or fraudulent submissions. The company stated that strict verification procedures are necessary to ensure refunds reach legitimate victims.

(This article was updated to reflect the latest confirmed developments.)

