$7 Million Stolen in Trust Wallet Chrome Hack: CZ Confirms Full Compensation

This article was first published on The Bit Journal.

Over the Christmas week, Trust Wallet users started reporting a nightmare scenario: funds leaving their wallets without any approval, right after they updated the Trust Wallet Chrome extension. The common thread wasn’t a dodgy link or a suspicious dApp. It was the extension update itself.

Multiple investigators and security watchers quickly traced the activity back to Trust Wallet Chrome extension version 2.68.0, which was released on December 24, 2025. Within a short window, reports of “wallet drains” spread across social media, and estimates for losses climbed past $6 million before landing around $7 million as the picture became clearer.

Trust Wallet has since acknowledged the incident and pushed users toward a patched extension version, while Binance co-founder Changpeng Zhao (CZ) publicly said the team will reimburse affected users.

What Actually Happened

The trigger: Chrome extension version 2.68.0 (December 24)

According to reporting and security analysis, Trust Wallet released version 2.68.0 of its Chrome extension on December 24. Soon after, users began complaining that funds were disappearing after they interacted with the extension.

The key detail is the “how”: in many cases, the drain wasn’t tied to a user signing an obviously malicious transaction. Instead, researchers focused on whether the extension update itself contained suspicious logic.

Suspicious code: “analytics” that didn’t behave like analytics

Security researchers highlighted a bundled JavaScript file inside the extension (reported as 4482.js) that appeared to exfiltrate sensitive wallet data to an external endpoint: api.metrics-trustwallet[.]com. The code was described as posing as analytics, but triggering when a seed phrase was imported, which is exactly the moment you never want anything “phoning home.”

This matters because browser wallets sit in a privileged position. They can see transaction flows, interact with dApps, and in many designs they touch the most sensitive inputs a user has: signing authority and recovery data. If the update pipeline gets compromised, users can do everything “right” and still get hit.

How Trust Wallet Responded

Trust Wallet confirmed a security incident affecting the Chrome extension and told users to upgrade to version 2.69. It also stated that the issue was limited to extension version 2.68.0, and that mobile-only users and other extension versions were not impacted.

BleepingComputer also noted that version 2.69 appeared on the Chrome Web Store shortly after the reports (described as “quietly released”), aligning with the idea of a rapid patch and containment step.

CZ’s Reimbursement Pledge: “User funds are SAFU”

CZ addressed the situation publicly on X, stating that roughly $7 million was affected and that Trust Wallet would cover the losses, using the familiar “SAFU” reassurance that has become crypto’s shorthand for “you’ll be made whole.” He also said the team was still investigating how a compromised version was able to get submitted/published.

That commitment is significant because it shifts the story from “users are on their own” to “the platform is taking responsibility,” at least financially. It doesn’t erase the incident, but it does reduce the long-tail damage for victims who woke up to empty wallets during a holiday lull.

On-Chain and Community Signals: Multi-chain impact and fast-moving drains

While early estimates floated around $6M+, later reporting and public statements converged around $7M affected.

Some coverage also described the victim set as spanning multiple networks, including EVM chains, and references to Bitcoin and Solana addresses being involved in the broader incident reporting.

Users, understandably, were furious. The timing did not help. When something breaks on a quiet holiday week, response time slows down, and attackers know it.

A Second Threat Emerged: Phishing “fix” sites

As if the compromised update wasn’t enough, researchers observed opportunistic phishing campaigns riding the panic.

BleepingComputer reported phishing domains such as fix-trustwallet[.]com, impersonating Trust Wallet branding and prompting users to enter their seed phrase under the pretense of applying a “vulnerability fix.” That’s the classic follow-up scam: “Your wallet is at risk, enter your recovery phrase to secure it.”

If you take only one lesson from this entire episode, make it this: no legitimate wallet fix will ever require you to type your seed phrase into a website.

What Users Should Do Right Now

If you used the Trust Wallet Chrome extension around the update window, the safest path is the boring one:

1. Do not open version 2.68.0.

2. Update to version 2.69 via the official Chrome extension update flow and verify the version number.

3. If you suspect exposure, move remaining funds to a brand-new wallet created with a fresh seed phrase (treat the old phrase as permanently unsafe).

4. Ignore “support” DMs, random links, and “fix” websites. The post-incident phishing wave is real.

Why Browser Wallet Supply Chains Keep Getting Targeted

This incident is a textbook reminder that “self-custody” doesn’t automatically mean “safe.” You can hold your own keys and still be exposed through:

• compromised update channels

• poisoned dependencies

• malicious or hijacked extension releases

• social engineering that’s timed to perfection

And the numbers show why attackers keep trying. Chainalysis reported over $3.4 billion stolen in 2025 (January through early December), with a major surge in personal wallet compromises: about 158,000 incidents affecting at least 80,000 unique victims, even as the total dollar value stolen from individuals declined versus 2024.

Different datasets and trackers can vary on totals depending on what they count and when they cut off, but the direction is the same: attackers are spreading out, targeting more end users, and leaning on distribution weaknesses and human panic as often as they lean on smart contract exploits.

Conclusion

A compromised Trust Wallet Chrome extension update (v2.68.0) set off a rapid wave of wallet drains after its December 24, 2025 release, with losses ultimately discussed around the $7 million mark. Trust Wallet told users to disable the affected version and move to v2.69, while CZ publicly said affected users would be reimbursed and that an investigation is underway.

Beyond the immediate loss figure, the real headline is the risk model: browser wallets are incredibly convenient, but convenience comes with an attack surface, and supply-chain style incidents can bypass the usual “don’t click shady links” advice.

Glossary

• Browser Extension Wallet: A wallet that runs inside your browser (Chrome/Brave, etc.) to manage keys and interact with dApps.

• Seed Phrase (Recovery Phrase): The master backup that can restore full access to a wallet. If someone gets it, they effectively become you.

• SAFU: Crypto slang popularized by Binance, used to signal user protection/reimbursement commitments.

• Supply-Chain Attack: When attackers compromise software distribution, build systems, or updates rather than targeting users one-by-one.

• Exfiltration: Unauthorized sending of sensitive data from a system to an external server.

FAQs

What exactly was hacked?
Reporting and company messaging indicate the issue was limited to Trust Wallet Chrome extension version 2.68.0, released on December 24, 2025, with users instructed to update to 2.69.

How much was stolen?
Public reporting and CZ’s statement put the affected amount around $7 million, while earlier estimates cited losses exceeding $6 million.

Will victims be reimbursed?
CZ said Trust Wallet will cover losses for affected users and that “User funds are SAFU.”

How did the drain happen?
Security researchers pointed to suspicious code in the compromised extension build that appeared to exfiltrate wallet data to an external domain, including activity triggered when a seed phrase is imported.

What’s the most important safety step?
Update to 2.69, and if you suspect your seed phrase was exposed, migrate assets to a new wallet with a new phrase. Also, do not fall for phishing “fix” sites asking for your recovery phrase.

References

CoinDesk

Binance

BleepingComputer

Finance Magnates

Read More: $7 Million Stolen in Trust Wallet Chrome Hack: CZ Confirms Full Compensation">$7 Million Stolen in Trust Wallet Chrome Hack: CZ Confirms Full Compensation