
The $7M Trust Wallet Extension Hack: All You Need to Know

Trust Wallet confirms a $7M Chrome extension hack caused by malicious code in version 2.68. Here’s how it happened, who was affected, and what users should do.

Soumen Datta

December 29, 2025

Trust Wallet confirmed that a malicious update to its official Chrome browser extension led to the theft of about $7 million in user funds. The breach affected only one version of the extension, version 2.68, and involved attackers stealing wallet seed phrases through embedded malicious code. Per reports, mobile users and other browser versions were not impacted.

What Happened in the Trust Wallet Extension Hack?

The incident began on December 24, 2025, when Trust Wallet released version 2.68.0 of its Chrome extension. At first, users reported scattered losses. Wallets were drained shortly after being accessed or imported through the extension. What looked like isolated cases quickly pointed to a wider problem.

On Christmas Day, on-chain investigator ZachXBT issued a public warning while stolen funds were still moving on-chain. He linked the wallet drains directly to the v2.68 update. His analysis helped establish that this was not user error or phishing, but a compromised browser extension.

By December 26, Trust Wallet confirmed the breach. The company stated that only version 2.68 was affected and urged users to immediately upgrade to version 2.69. The Chrome extension has about one million users, according to the Chrome Web Store listing.

Trust Wallet later confirmed that approximately $7 million in digital assets were stolen across multiple blockchains.

Which users were affected?

Only users who installed or logged into Trust Wallet’s Chrome extension version 2.68 before December 26 at 11:00 AM UTC were at risk.

According to Trust Wallet and security researchers:

  • Mobile app users were not affected
  • Other browser extension versions were not affected
  • Wallets accessed through version 2.68 could be fully compromised

In many cases, wallets were emptied within minutes of unlocking the extension or importing a seed phrase. Hundreds of wallets were affected, including Bitcoin, Ethereum, and Solana addresses.

Trust Wallet CEO Eowyn Chen confirmed that users who logged in during the affected window should assume their wallets were exposed and generate new ones.

How Did the Malicious Code Work?

According to blockchain security firm SlowMist, the attack was not caused by a malicious third-party library. Instead, the attacker directly modified Trust Wallet’s own extension code. The malicious logic was embedded in the analytics component of the extension.

Here is how it worked:

  • The code iterated through all wallets stored in the extension
  • It triggered a mnemonic phrase request for each wallet
  • When users unlocked the wallet, the encrypted seed phrase was decrypted
  • The decrypted mnemonic was sent to an attacker-controlled server

The data was exfiltrated to api.metrics-trustwallet[.]com. The domain was registered on December 8, 2025. Requests to the server began on December 21, days before the malicious update was published.

The attacker used a legitimate open-source analytics library called posthog-js as a cover. Instead of sending data to the correct analytics endpoint, traffic was redirected to the attacker’s server.

SlowMist stated that this was an internal codebase compromise, not a poisoned dependency.
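For wallet teams, the redirected analytics endpoint described above is the kind of change a pre-release audit of outbound hosts can surface. The following is an added example, not code from Trust Wallet, SlowMist, or the original article: it scans a built extension's source files for hostnames and flags any that are missing from an allowlist, ranking hosts that carry the brand name highest. All hostnames, file names, the `posthog.init` sample line, and the allowlist are constructed for illustration; the article does not say how the real redirect was configured.

```javascript
// Added example: audit outbound hosts in an extension bundle before release.
// Every hostname, file name and token below is constructed for illustration.
const ALLOWED_HOSTS = new Set(["api.examplewallet.test", "analytics.examplewallet.test"]);
const BRAND_TOKENS = ["examplewallet"]; // hypothetical brand string to watch for

// Constructed sample bundle: path -> source text.
const SAMPLE_BUNDLE = {
  "background.js": 'fetch("https://api.examplewallet.test/v1/prices");',
  "analytics.js":
    'posthog.init("phc_constructed", { api_host: "https://api.metrics-examplewallet.test" });',
  "vendor.js": 'const cdn = "https://cdn.thirdparty.example/lib.js";',
};

// Collect every http(s) or ws(s) hostname that appears in a source string.
function extractHosts(source) {
  const hosts = new Set();
  const re = /\b(?:https?|wss?):\/\/([a-z0-9.-]+)/gi;
  for (const match of source.matchAll(re)) {
    hosts.add(match[1].toLowerCase().replace(/\.+$/, ""));
  }
  return hosts;
}

// Defang a hostname so findings can be pasted into tickets safely.
function defang(host) {
  return host.split(".").join("[.]");
}

// Report hosts missing from the allowlist; brand-bearing ones rank highest.
function auditBundle(files, allowed = ALLOWED_HOSTS, brands = BRAND_TOKENS) {
  const findings = [];
  for (const [path, source] of Object.entries(files)) {
    for (const host of extractHosts(source)) {
      if (allowed.has(host)) continue;
      const lookalike = brands.some((b) => host.includes(b));
      findings.push({ path, host: defang(host), severity: lookalike ? "lookalike" : "unlisted" });
    }
  }
  // Lookalike hosts first: they imitate first-party infrastructure.
  return findings.sort((a, b) => (a.severity === b.severity ? 0 : a.severity === "lookalike" ? -1 : 1));
}

// A release gate would fail the build when any finding is returned.
console.log(auditBundle(SAMPLE_BUNDLE));
```

A static string scan like this misses hosts assembled at runtime, so it complements rather than replaces network monitoring of the built extension.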

How Did the Compromised Extension Get Published?

Trust Wallet’s internal investigation found a critical failure in its release process. According to CEO Eowyn Chen, a leaked Chrome Web Store API key was used to publish the malicious version.

The compromised extension was uploaded on December 24 at 12:32 PM UTC. This bypassed Trust Wallet’s normal internal checks.

This shows that the attacker did not exploit users directly. Instead, they exploited distribution infrastructure. Supply-chain attacks like this are harder to detect because the software appears official and trusted.

How Much Was Stolen and Where Did the Funds Go?

Trust Wallet and independent researchers estimate total losses at around $7 million.

Breakdown of known stolen assets includes:

According to PeckShield and ZachXBT, the stolen funds were quickly laundered.

Key movements include:

  • Around $3.3 million sent to ChangeNOW
  • About $340,000 sent to FixedFloat
  • Roughly $447,000 sent to KuCoin

More than $4 million passed through centralized exchanges. As of the last update, about $2.8 million remained in wallets controlled by the attacker.

This pattern mirrors other wallet compromise cases, where attackers use instant swap services and bridges to reduce traceability.

Trust Wallet’s Response and Compensation Plan

Trust Wallet pushed a quick fix. Version 2.69 was released on December 25 to remove the malicious code. Users were urged to disable version 2.68 immediately.

The company also launched a formal compensation program.

Affected users can submit claims through an official support form on Trust Wallet’s website. The process requires:

  • Email address
  • Country of residence
  • Compromised wallet addresses
  • Attacker receiving addresses
  • Relevant transaction hashes

Trust Wallet stated that every claim will be individually verified.

"We are working around the clock to finalize the compensation process details and each case requires careful verification to ensure accuracy and security," the company said.

Changpeng Zhao, co-founder and former CEO of Binance, which acquired Trust Wallet in 2018, confirmed that losses will be covered.

Why This Hack Matters for Wallet Security

This incident highlights a recurring risk in crypto. Even non-custodial wallets depend on software distribution channels. When those channels fail, users can lose everything.

The Trust Wallet hack follows a broader pattern seen across the industry. Earlier this year, Coinbase disclosed that it would reimburse more than $400 million after a separate breach linked to bribed support staff in India.

Different attack methods, same outcome. Trust assumptions break at the edges.

For users, this reinforces basic security rules:

  • Treat browser extensions as high-risk software
  • Update immediately when fixes are released
  • Move funds if a wallet may be compromised
  • Never reuse exposed seed phrases

For wallet providers, the lesson is about release security. API keys, build pipelines, and store credentials are now prime attack targets.

Conclusion

The $7 million Trust Wallet extension hack was the result of a supply-chain compromise, not user error. Malicious code embedded in version 2.68 of the Chrome extension harvested seed phrases and drained wallets across multiple blockchains. 

Trust Wallet responded by removing the affected version, releasing a fix, and committing to full reimbursement. The incident underscores how browser extensions remain a critical attack surface in crypto and why both users and developers must treat distribution security as seriously as private key management.

Resources

  1. Trust Wallet on X: Announcement on Dec. 26

  2. SlowMist post on X: Report on Trust Wallet exploit

  3. PeckShield post on X: On Trust Wallet exploit

Frequently Asked Questions

What caused the Trust Wallet hack?

A malicious code modification in the Chrome extension version 2.68 allowed attackers to steal wallet seed phrases.

Were mobile Trust Wallet users affected?

No. Only the Chrome browser extension version 2.68 was compromised.

Will Trust Wallet reimburse users?

Yes. Trust Wallet and Binance have confirmed that all verified losses will be covered.


Author

Soumen Datta

Soumen has been a crypto researcher since 2020 and holds a master’s in Physics. His writing and research has been published by publications such as CryptoSlate and DailyCoin, as well as BSCN. His areas of focus include Bitcoin, DeFi, and high-potential altcoins like Ethereum, Solana, XRP, and Chainlink. He combines analytical depth with journalistic clarity to deliver insights for both newcomers and seasoned crypto readers.
