Incident

Trust Wallet browser extension breached, $7 Million stolen in supply chain attack

Take action: If you use Trust Wallet Chrome extension version 2.68, your funds are probably already stolen. Update to version 2.69 and treat your wallet as compromised. Create a new wallet with a fresh recovery phrase and immediately move all your crypto assets (if they are not already stolen) to it. Your old credentials are leaked and must not be reused.



Trust Wallet is reporting a security breach affecting its Chrome browser extension version 2.68, resulting in the theft of approximately $7 million in cryptocurrency from hundreds of users on Christmas Day 2025. 

The incident appears to have been caused by malicious code inserted directly into the extension's codebase. Binance co-founder Changpeng Zhao, whose company owns Trust Wallet, has assured affected users they will receive full reimbursement through the company's Secure Asset Fund for Users (SAFU).

Attackers apparently gained control of Trust Wallet developer devices or deployment permissions as early as December 8, 2025, when the malicious domain metrics-trustwallet[.]com was first registered. Security researchers from SlowMist discovered that version 2.68, released on December 24, contained malicious code embedded within the extension's analytics logic that activated when users unlocked their wallets or imported seed phrases. The malicious code iterated through all stored wallets, requested encrypted mnemonic phrases, and decrypted them using passwords or passkeyPasswords entered during wallet unlock. The stolen credentials were then exfiltrated to an attacker-controlled server disguised as legitimate Trust Wallet infrastructure at api.metrics-trustwallet[.]com, with the first malicious requests detected on December 21, 2025.

Compromised data included:

  • Mnemonic phrases (seed phrases)
  • Private keys
  • User passwords and passkeyPasswords

The attackers used PostHog JS, an open-source analytics library, as their data exfiltration channel. This allowed them to disguise malicious traffic as legitimate analytics data, redirecting it to their controlled server. The breach affected only users who installed or used version 2.68 of the Chrome browser extension. The extension has 1 million users listed on the Chrome Web Store. Mobile app users and those running other browser extensions are not affected.
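As an added example (not code from Trust Wallet or SlowMist), the following sketch shows how a defender could search proxy or DNS logs for contact with the exfiltration host named above. The log format and sample lines are constructed; matching is on the exact domain or its subdomains, so lookalike strings and query-string mentions do not raise false hits.

```python
from typing import Optional
from urllib.parse import urlsplit

# Indicator from the article, kept defanged as published.
IOC_DOMAINS = ["metrics-trustwallet[.]com"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower().rstrip(".")

def host_of(token: str) -> Optional[str]:
    """Extract a hostname from a URL, host:port, or bare hostname token."""
    token = refang(token.strip("\"'<>,;"))
    if "://" not in token:
        token = "//" + token          # let urlsplit treat it as a netloc
    try:
        host = urlsplit(token).hostname
    except ValueError:                # e.g. unbalanced '[' in a timestamp field
        return None
    return host.rstrip(".") if host and "." in host else None

def matches_ioc(host: str, iocs=IOC_DOMAINS) -> bool:
    """True for the IoC domain itself or any subdomain, never a substring."""
    return any(host == d or host.endswith("." + d) for d in map(refang, iocs))

def find_hits(log_lines):
    """Return (line_number, host) for every log line that names an IoC host."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for token in line.split():
            host = host_of(token)
            if host and matches_ioc(host):
                hits.append((n, host))
                break                 # one hit per line is enough for triage
    return hits

# Constructed sample proxy/DNS log lines (not real telemetry).
SAMPLE_LOG = [
    "2025-12-24T09:12:01Z 10.0.0.5 POST https://api.metrics-trustwallet.com/ 200",
    "2025-12-24T09:12:04Z 10.0.0.5 GET https://example.org/?ref=metrics-trustwallet.com 200",
    "2025-12-24T09:13:10Z 10.0.0.7 CONNECT API.Metrics-TrustWallet.com:443 200",
    "2025-12-24T09:14:22Z 10.0.0.8 query metrics-trustwallet.com.example.net A",
    "2025-12-24T09:15:00Z 10.0.0.9 query notmetrics-trustwallet.com A",
]

if __name__ == "__main__":
    for n, host in find_hits(SAMPLE_LOG):
        print(f"line {n}: contact with {host}")
```

Any host that shows a hit should be treated as having run the compromised extension, and the wallets unlocked on it handled as the advisory describes.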

Trust Wallet issued an emergency advisory on December 25, urging users to disable version 2.68 and upgrade to the patched version 2.69. According to blockchain investigator ZachXBT, hundreds of victims reported wallet drains occurring within minutes of importing seed phrases or accessing existing wallets through the compromised extension.

Analysis of stolen assets reveals the attackers laundered funds through multiple channels.

The incident has raised serious questions about supply chain security in cryptocurrency wallet development and deployment processes. SlowMist characterized this as a professional APT-level attack. The malicious code modification occurred within Trust Wallet's internal codebase, so there is quite possibly an internal breach.

It's not clear how attackers gained access to the code. Changpeng Zhao suggested the breach was "most likely" the work of an insider, but no concrete evidence has been publicly disclosed. Trust Wallet has committed to covering all losses, with the company actively finalizing the refund process for affected users. The firm also warned users to avoid interacting with any messages outside official channels, as scammers have already begun impersonating the support team during the remediation effort. 

Users who installed version 2.68 are advised to immediately create new wallets with fresh recovery phrases and transfer any remaining assets, as those credentials should be considered permanently compromised.
