Trust Wallet Chrome Extension Breach Results in $7 Million Crypto Theft

By Tina Reynolds

The recent threat to Trust Wallet’s security caught just over 200 users by surprise. Malicious code in the Chrome browser extension version 2.68 permitted hackers to siphon off around $7 million in several cryptocurrencies.

The attack in practice

Users with the compromised extension enabled who logged in prior to 26 Dec 2025, 11 am UTC were at risk.

The malicious code ran through every wallet saved in the extension’s storage and automatically triggered a mnemonic phrase request for each wallet it accessed. This gave attackers the opportunity to harvest sensitive wallet data. Consequently, they drained users’ digital wallets, including hundreds of thousands of Bitcoin, Ethereum, and Solana.

Malicious Code Uncovered

The malicious code was first discovered in the Chrome extension version 2.68, released on December 24, 2025. Trust Wallet’s CEO, Eowyn Chen, stated that the malicious extension was not released through the company’s normal internal distribution pipeline.

“The malicious extension v2.68 was NOT released through our internal manual process,” – Eowyn Chen

Chen’s early findings show that the extension was likely published from outside Trust Wallet’s organization, probably by means of a leaked Chrome Web Store API key. This allowed the malicious code to slip past the usual release quality checks and reach production without sufficient review.

The malicious code weaponized the open-source full-chain analytics library posthog-js, which exposed wallet users to attack and made it easy for attackers to obtain information identifying them. According to the blockchain investigator known as ZachXBT, the hack has affected over 1,000 victims.

Timeline of Events

On December 8, 2025, the attacker registered the domain “metrics-trustwallet.com.” Then, on December 21, 2025, queries to “api.metrics-trustwallet.com” began. Any users who downloaded the extension while the malicious version was active are at risk of having their mnemonic phrases compromised, and their wallets could be drained as a consequence.

“Once decrypted, the mnemonic phrase is sent to the attacker’s server api.metrics-trustwallet.com,” – SlowMist
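A defender can hunt for this indicator in DNS or proxy logs. The following Python sketch is an added example, not code from Trust Wallet or SlowMist; the log format, client IPs and sample lines are constructed, and the start of the risk window assumes 00:00 UTC on the release date.

```python
from datetime import datetime, timezone

# Indicator and dates come from the article; everything else is constructed.
IOC_DOMAIN = "metrics-trustwallet.com"
RELEASE = datetime(2025, 12, 24, tzinfo=timezone.utc)        # v2.68 release day (00:00 assumed)
CUTOFF = datetime(2025, 12, 26, 11, 0, tzinfo=timezone.utc)  # at-risk logins were before this

# Constructed sample DNS log: "<ISO-8601 UTC> <client IP> <queried name> <type>"
SAMPLE_LOG = """\
2025-12-23T18:02:11Z 10.0.4.17 api.trustwallet.com A
2025-12-25T09:14:02Z 10.0.4.17 API.Metrics-TrustWallet.com. A
2025-12-25T09:14:40Z 10.0.4.17 api.metrics-trustwallet.com A
2025-12-25T10:00:00Z 10.0.7.3 notmetrics-trustwallet.com A
2025-12-26T12:30:00Z 10.0.9.8 metrics-trustwallet.com AAAA
malformed line without fields
"""

def matches_ioc(name, ioc=IOC_DOMAIN):
    """True for the domain itself or any subdomain, not for look-alike suffixes."""
    name = name.rstrip(".").lower()
    return name == ioc or name.endswith("." + ioc)

def hunt(log_text):
    """Return {client_ip: {"hits", "first", "last", "in_risk_window"}}."""
    findings = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not fit the assumed format
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            continue  # skip lines with an unparseable timestamp
        if not matches_ioc(parts[2]):
            continue
        f = findings.setdefault(
            parts[1], {"hits": 0, "first": ts, "last": ts, "in_risk_window": False})
        f["hits"] += 1
        f["first"], f["last"] = min(f["first"], ts), max(f["last"], ts)
        # Mark hosts that queried between the v2.68 release and the stated cutoff.
        f["in_risk_window"] |= RELEASE <= ts < CUTOFF
    return findings

if __name__ == "__main__":
    for ip, f in sorted(hunt(SAMPLE_LOG).items()):
        print(ip, f["hits"], f["first"].isoformat(), f["last"].isoformat(), f["in_risk_window"])
```

Any host that appears in the result resolved the exfiltration domain and should be treated as having run the compromised extension, whether or not the query falls inside the window.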

Through this exploit, attackers drained a range of digital assets from users’ wallets. They stole at least $3 million worth of Bitcoin, over $3 million worth of Ethereum, and $431 in Solana. The tally of losses continues to grow as investigations proceed.

Trust Wallet’s Response

In response to the incident, Trust Wallet has implemented immediate measures to enhance user protection. The company has suspended the malicious domain and expired all release APIs for the compromised version. Additionally, it is working through reimbursements to impacted users.

“We’ve confirmed that approximately $7 million has been impacted and we will ensure all affected users are refunded,” – Trust Wallet

Chen emphasized the company’s commitment to supporting affected users and highlighted that verifying wallet ownership is crucial to ensure funds are returned correctly.

“Because of this, accurate verification of wallet ownership is critical to ensure funds are returned to the right people,” – Eowyn Chen

Trust Wallet’s advice to all users is to always double-check links. To keep your assets safe moving forward, always go directly to official Trust Wallet channels.

“Always verify links, never share your recovery phrase, and use official Trust Wallet channels only,” – Trust Wallet