Trust Wallet users are facing serious security alarms: the desktop Chrome browser extension version 2.68 was compromised in a supply-chain attack, draining approximately $7 million from unsuspecting users. Affected individuals—estimated in the low thousands—are encouraged to immediately disable version 2.68, update to version 2.69, and transfer any remaining funds to newly created wallets with fresh seed phrases. These steps are critical to safeguarding assets and limiting ongoing risk.
What Went Wrong with the Chrome Extension
Supply-Chain Breach via Chrome Web Store API
Investigations show that attackers infiltrated the Chrome extension’s distribution pipeline—not via phishing, but by exploiting leaked developer credentials or API keys. This allowed them to upload a malicious build (v2.68) directly to the Chrome Web Store, bypassing Trust Wallet’s internal review process. The malicious update rolled out on December 24, 2025 at 12:32 p.m. UTC.
Silent Extraction of Seed Phrases
Once installed, the compromised extension executed code designed to harvest encrypted mnemonic phrases. These were decrypted locally and transmitted to attacker-controlled domains (notably metrics-trustwallet.com). Victims who unlocked the extension and entered their passwords triggered this backdoor, enabling rapid wallet draining.
Broad Impact and Rapid Theft
Within hours of the compromised extension’s deployment, hundreds to thousands of wallets were emptied. Some estimates place the total stolen at $7 million, with a notable share of that routed through centralized exchanges like ChangeNOW, FixedFloat, and KuCoin—though an amount in the millions still remains in attacker-controlled addresses.
Response from Trust Wallet and the Crypto Community
Immediate Mitigation Actions
Trust Wallet urged all users of the Chrome extension v2.68 to:
- Disable the extension immediately.
- Update to the secure v2.69 via the official Chrome Web Store.
- Move remaining funds to new wallets.
- Verify authenticity of messages—scammers are active post-incident.
The company also reportedly began processing reimbursements for verified victims, though they stressed the importance of validating claims over speed.
Victim Scale and Noise in Compensation Claims
Further forensic analysis identified 2,596 wallet addresses as confirmed victims. Despite this, Trust Wallet received nearly 5,000 compensation claims, many of which appeared to be duplicative or fraudulent—highlighting the complexity of accurately reimbursing legitimate users.
Lessons Learned and Broader Implications
Browser-Based Wallets Under Scrutiny
This incident reiterates the vulnerabilities inherent in browser-based wallets. A compromised update—even from official sources—can trigger massive asset breaches. Vulnerability wasn’t in the underlying blockchain, but in how updates are delivered and executed.
Surge in Cold Storage and Air-Gapped Solutions
Security response trends point toward increasing adoption of air-gapped hardware wallets, which operate entirely offline and avoid attack surfaces like supply-chain compromise. Some reports show double-digit year-over-year growth in adoption by retail and institutional users.
Heightened Vigilance in Crypto Software Ecosystems
The need for robust zero-trust frameworks within fintech is now clearer than ever. Decentralized and permissioned control systems, combined with immutable logging and layered authentication, could reduce insider threats and software supply-chain risks in the future.
Voices from the User Community
Across Reddit, users shared harrowing experiences:
-
A Trust Wallet user described losing funds despite maintaining strict security hygiene:
“Trust Wallet is NOT safe! My tokens disappeared with no transaction history… support was useless…” -
Another recounted a deceptive swap UI that led to $40,000 lost—highlighting UX design flaws that can disguise malicious or illiquid tokens:
“…interface clearly displayed USDC… but I ended up with nearly worthless Wormhole USDC…”
These accounts underline that security threats extend beyond code; they include design ambiguity and poor UX that open users up to unintended errors.
Conclusion
Trust Wallet’s browser extension incident serves as a powerful reminder: user protection demands defense-in-depth, supply-chain transparency, and a shift toward isolated, secure custody methods. For now, users should:
- Immediately disable any version 2.68 of the Trust Wallet Chrome extension.
- Update to version 2.69 only from the official Chrome Web Store.
- Transfer assets to fresh, secure wallets with new seed phrases.
- Monitor official channels for compensation and remain wary of impostor messages.
FAQs
Q1: Who was affected by the Trust Wallet security breach?
Only users of the Chrome browser extension version 2.68 who logged in between December 24–26, 2025 were affected. Mobile app users or other extension versions were not impacted.
Q2: How much value was stolen, and what’s being done?
Roughly $7 million worth of crypto was reportedly stolen. Trust Wallet has issued warnings, rolled out version 2.69, and started a reimbursement process for confirmed victims.
Q3: How can users protect themselves going forward?
Switch to hardware wallets—especially air-gapped models that never connect to the internet. Always verify updates come from official sources, and consider using wallets with granular zero-trust or multisig features.
Q4: What should users do if they think their wallet was compromised?
Immediately transfer funds to a new wallet with a new seed phrase and report the compromised wallet to Trust Wallet for possible compensation—even as validation may take time.
Q5: Are browser wallets inherently unsafe?
Not inherently—but they carry elevated risk vectors, especially around updates and extensions. Offline hardware solutions remain the most secure method for long-term custody.
