Trust Wallet has urged users to immediately update its Google Chrome extension following a security incident that resulted in the theft of approximately $7 million in digital assets. The breach affects version 2.68 of the multi-chain, non-custodial cryptocurrency wallet, which is installed by around one million users according to the Chrome Web Store. Users are advised to upgrade to version 2.69 to mitigate risks. Trust Wallet emphasized that mobile-only users and all other browser extension versions remain unaffected, and urged users to interact only with official company channels to avoid scams.
Investigations by blockchain security firm SlowMist revealed that the malicious v2.68 update contained code designed to iterate through all wallets stored in the extension, prompting users to input their mnemonic phrases. These phrases, once decrypted using the wallet password, were then sent to an attacker-controlled server at api.metrics-trustwallet[.]com. The domain was registered on December 8, 2025, with initial malicious activity detected on December 21, 2025. Analysis further showed the attacker exploited the PostHog open-source analytics library to extract sensitive wallet information, making the breach particularly stealthy.
The stolen assets include roughly $3 million in Bitcoin, over $3 million in Ethereum, and minor amounts in Solana. Funds were laundered through centralized exchanges and cross-chain bridges. Blockchain investigator ZachXBT noted that while $2.8 million remains in hacker-controlled wallets, more than $4 million has already been sent to exchanges including ChangeNOW, FixedFloat, and KuCoin. SlowMist confirmed that the backdoor originated from malicious modification of Trust Wallet’s internal extension code rather than an injected third-party dependency, with attackers directly manipulating the PostHog analytics logic to exfiltrate data.
Trust Wallet CEO Eowyn Chen explained that the malicious extension was not released through internal channels but likely published externally using a leaked Chrome Web Store API key, allowing it to bypass standard review processes. The extension went live on December 24, 2025, at 12:32 p.m. UTC. Following the breach, Trust Wallet suspended the malicious domain, expired all release APIs, and began processing reimbursements for affected users. Victims are instructed to submit compensation claims via trustwallet-support.freshdesk[.]com, providing details such as compromised wallet addresses, transaction hashes, and contact information. The company cautioned that scammers are attempting to exploit the situation with fake forms and impersonated accounts, urging users never to share recovery phrases and to verify all communications through official channels.
The incident has raised concerns about potential insider involvement or nation-state links, with Binance co-founder Changpeng Zhao suggesting an insider could have been responsible, though no evidence was presented. Trust Wallet continues to investigate the breach while prioritizing support and refunds for impacted users, highlighting the ongoing risks faced by browser-based cryptocurrency wallets.