
This article was first published on The Bit Journal.
Over the Christmas week, Trust Wallet users started reporting a nightmare scenario: funds leaving their wallets without any approval, right after they updated the Trust Wallet Chrome extension. The common thread wasn't a dodgy link or a suspicious dApp. It was the extension update itself.
Multiple investigators and security watchers quickly traced the activity back to Trust Wallet Chrome extension version 2.68.0, which was released on December 24, 2025. Within a short window, reports of "wallet drains" spread across social media, and estimates for losses climbed past $6 million before landing around $7 million as the picture became clearer.
Trust Wallet has since acknowledged the incident and pushed users toward a patched extension version, while Binance co-founder Changpeng Zhao (CZ) publicly said the team will reimburse affected users.
According to reporting and security analysis, Trust Wallet released version 2.68.0 of its Chrome extension on December 24. Soon after, users began complaining that funds were disappearing after they interacted with the extension.
The key detail is the "how": in many cases, the drain wasn't tied to a user signing an obviously malicious transaction. Instead, researchers focused on whether the extension update itself contained suspicious logic.

Security researchers highlighted a bundled JavaScript file inside the extension (reported as 4482.js) that appeared to exfiltrate sensitive wallet data to an external endpoint: api.metrics-trustwallet[.]com. The code was described as posing as analytics, but triggering when a seed phrase was imported, which is exactly the moment you never want anything "phoning home."
This matters because browser wallets sit in a privileged position. They can see transaction flows, interact with dApps, and in many designs they touch the most sensitive inputs a user has: signing authority and recovery data. If the update pipeline gets compromised, users can do everything "right" and still get hit.
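One way a defender can review an unpacked extension build for the kind of outbound endpoint described above, shown as an added example that is not code from Trust Wallet or from the researchers. The allowlist, the brand heuristic and the sample file contents are assumptions constructed for illustration; only the file name 4482.js and the defanged domain come from the reporting.

```python
import re
from pathlib import Path

# Assumption: domains the extension is expected to contact. Build the real
# list from a known-good release; this single entry is illustrative.
ALLOWED_DOMAINS = {"trustwallet.com"}
BRAND = "trustwallet"
HOST_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)

def registrable(host: str) -> str:
    """Naive last-two-labels domain; use a public-suffix list in production."""
    return ".".join(host.lower().split(".")[-2:])

def classify(host: str) -> str:
    """Return 'allowed', 'lookalike' (brand in a foreign domain) or 'unknown'."""
    dom = registrable(host)
    if dom in ALLOWED_DOMAINS:
        return "allowed"
    if BRAND in dom.replace("-", ""):
        return "lookalike"
    return "unknown"

def audit_bundle(files: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (file, host, verdict) for every hard-coded host not allowlisted."""
    findings = []
    for name, source in sorted(files.items()):
        for host in sorted({h.lower() for h in HOST_RE.findall(source)}):
            verdict = classify(host)
            if verdict != "allowed":
                findings.append((name, host, verdict))
    return findings

def load_extension(root: str) -> dict[str, str]:
    """Read every .js file under an unpacked extension directory."""
    return {str(p.relative_to(root)): p.read_text(errors="replace")
            for p in Path(root).rglob("*.js")}

# Constructed sample: the file contents are illustrative, not the real bundle.
# The indicator is stored defanged, as on the page, and refanged only in memory.
SAMPLE = {
    "background.js": 'fetch("https://api.trustwallet.com/v1/assets");',
    "4482.js": 'const u="https://api.metrics-trustwallet[.]com/c";'.replace("[.]", "."),
}

if __name__ == "__main__":
    for finding in audit_bundle(SAMPLE):
        print(finding)
```

A static scan like this only sees hostnames written out as literals; a bundle that assembles its endpoint at runtime needs network-level monitoring to catch.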
Trust Wallet confirmed a security incident affecting the Chrome extension and told users to upgrade to version 2.69. It also stated that the issue was limited to extension version 2.68.0, and that mobile-only users and other extension versions were not impacted.
BleepingComputer also noted that version 2.69 appeared on the Chrome Web Store shortly after the reports (described as "quietly released"), aligning with the idea of a rapid patch and containment step.
CZ addressed the situation publicly on X, stating that roughly $7 million was affected and that Trust Wallet would cover the losses, using the familiar "SAFU" reassurance that has become crypto's shorthand for "you'll be made whole." He also said the team was still investigating how a compromised version was able to get submitted/published.
That commitment is significant because it shifts the story from "users are on their own" to "the platform is taking responsibility," at least financially. It doesn't erase the incident, but it does reduce the long-tail damage for victims who woke up to empty wallets during a holiday lull.

While early estimates floated around $6M+, later reporting and public statements converged around $7M affected.
Some coverage also described the victim set as spanning multiple networks, including EVM chains, with Bitcoin and Solana addresses also referenced in the broader incident reporting.
Users, understandably, were furious. The timing did not help. When something breaks on a quiet holiday week, response time slows down, and attackers know it.
As if the compromised update wasn't enough, researchers observed opportunistic phishing campaigns riding the panic.
BleepingComputer reported phishing domains such as fix-trustwallet[.]com, impersonating Trust Wallet branding and prompting users to enter their seed phrase under the pretense of applying a "vulnerability fix." That's the classic follow-up scam: "Your wallet is at risk, enter your recovery phrase to secure it."
If you take only one lesson from this entire episode, make it this: no legitimate wallet fix will ever require you to type your seed phrase into a website.
If you used the Trust Wallet Chrome extension around the update window, the safest path is the boring one:
Do not open version 2.68.0.
Update to version 2.69 via the official Chrome extension update flow and verify the version number.
If you suspect exposure, move remaining funds to a brand-new wallet created with a fresh seed phrase (treat the old phrase as permanently unsafe).
Ignore "support" DMs, random links, and "fix" websites. The post-incident phishing wave is real.
This incident is a textbook reminder that "self-custody" doesn't automatically mean "safe." You can hold your own keys and still be exposed through:
compromised update channels
poisoned dependencies
malicious or hijacked extension releases
social engineering that's timed to perfection
And the numbers show why attackers keep trying. Chainalysis reported over $3.4 billion stolen in 2025 (January through early December), with a major surge in personal wallet compromises: about 158,000 incidents affecting at least 80,000 unique victims, even as the total dollar value stolen from individuals declined versus 2024.
Different datasets and trackers can vary on totals depending on what they count and when they cut off, but the direction is the same: attackers are spreading out, targeting more end users, and leaning on distribution weaknesses and human panic as often as they lean on smart contract exploits.
A compromised Trust Wallet Chrome extension update (v2.68.0) set off a rapid wave of wallet drains after its December 24, 2025 release, with losses ultimately discussed around the $7 million mark. Trust Wallet told users to disable the affected version and move to v2.69, while CZ publicly said affected users would be reimbursed and that an investigation is underway.
Beyond the immediate loss figure, the real headline is the risk model: browser wallets are incredibly convenient, but convenience comes with an attack surface, and supply-chain style incidents can bypass the usual "don't click shady links" advice.
Browser Extension Wallet: A wallet that runs inside your browser (Chrome/Brave, etc.) to manage keys and interact with dApps.
Seed Phrase (Recovery Phrase): The master backup that can restore full access to a wallet. If someone gets it, they effectively become you.
SAFU: Crypto slang popularized by Binance, used to signal user protection/reimbursement commitments.
Supply-Chain Attack: When attackers compromise software distribution, build systems, or updates rather than targeting users one-by-one.
Exfiltration: Unauthorized sending of sensitive data from a system to an external server.
What exactly was hacked?
Reporting and company messaging indicate the issue was limited to Trust Wallet Chrome extension version 2.68.0, released on December 24, 2025, with users instructed to update to 2.69.
How much was stolen?
Public reporting and CZ's statement put the affected amount around $7 million, while earlier estimates cited losses exceeding $6 million.
Will victims be reimbursed?
CZ said Trust Wallet will cover losses for affected users and that "User funds are SAFU."
How did the drain happen?
Security researchers pointed to suspicious code in the compromised extension build that appeared to exfiltrate wallet data to an external domain, including activity triggered when a seed phrase is imported.
What's the most important safety step?
Update to 2.69, and if you suspect your seed phrase was exposed, migrate assets to a new wallet with a new phrase. Also, do not fall for phishing "fix" sites asking for your recovery phrase.