In a stark reminder of the vulnerabilities inherent in cryptocurrency infrastructure, Trust Wallet - one of the world's leading non-custodial crypto wallets with over 220 million users - fell victim to a devastating hack on December 25, 2025.
Hackers exploited a supply chain attack to inject malicious code into the official Chrome browser extension, leading to the theft of approximately $7 million in digital assets. This incident, occurring during the holiday season, affected hundreds of users and highlighted the growing risks associated with browser-based wallet extensions.
The Mechanics of the Attack
The breach was a classic example of a supply chain attack, where adversaries compromise a trusted software distribution channel to deliver malware directly to end-users.
In this case, attackers targeted version 2.68 of Trust Wallet's Chrome extension, which was released on December 24, 2025. Embedded within the update was a Trojan horse JavaScript file named 4482.js, cleverly disguised as legitimate analytics code from PostHog - a popular open-source tool for user behavior tracking.
This malicious script operated stealthily: upon users importing their recovery seed phrases into the extension, it intercepted the sensitive data and transmitted it to a fraudulent domain, api.metrics-trustwallet.com.
This domain, registered just days before the exploit, mimicked Trust Wallet's official metrics endpoint to evade detection.
Once in possession of the seed phrases, the hackers could access and drain wallets without further user interaction, often within minutes. The attack did not require phishing or suspicious transaction approvals, making it particularly insidious.
Security firm SlowMist conducted a detailed analysis by comparing the compromised version 2.68 with the subsequent patched version 2.69. Their findings revealed that the hackers had implanted code posing as data collection routines, effectively turning the extension into a backdoor for stealing private keys.
SlowMist's Chief Information Security Officer, known as 23pds, suggested that the breach might stem from compromised developer devices or code repositories, pointing to potential insider access or advanced social engineering.
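The version comparison described above can be approximated with a check that lists every network host an update references that the previous release did not. The following is an added example, not SlowMist's tooling or Trust Wallet's code: the file contents, the allowlist and the function names are constructed for illustration, and only the file name 4482.js and the flagged domain come from the incident as reported here.

```javascript
// Added example: constructed inputs, not SlowMist's tooling or Trust Wallet code.
// Each "version" is a map of file path -> file text from an unpacked extension.
const URL_HOST = /https?:\/\/([a-z0-9.-]+\.[a-z]{2,})/gi;

function hostsIn(files) {
  const found = new Map(); // host -> Set of files that reference it
  for (const [path, text] of Object.entries(files)) {
    for (const m of text.matchAll(URL_HOST)) {
      const host = m[1].toLowerCase();
      if (!found.has(host)) found.set(host, new Set());
      found.get(host).add(path);
    }
  }
  return found;
}

// True when host equals an allowed domain or is a subdomain of one.
function isAllowed(host, allowedDomains) {
  return allowedDomains.some(d => host === d || host.endsWith("." + d));
}

function auditUpdate(oldFiles, newFiles, allowedDomains, brand) {
  const oldHosts = hostsIn(oldFiles);
  const known = Object.keys(oldFiles);
  const findings = [];
  for (const [host, paths] of hostsIn(newFiles)) {
    if (oldHosts.has(host) || isAllowed(host, allowedDomains)) continue;
    findings.push({
      host,
      files: [...paths].sort(),
      newFile: [...paths].some(p => !known.includes(p)), // file absent from old version
      lookalike: host.includes(brand), // brand string outside the owned domains
    });
  }
  return findings;
}

// Constructed sample contents (assumed, not taken from the real extension).
const previous = {
  "background.js": 'fetch("https://api.trustwallet.com/v1/status");',
  "analytics.js": 'const host = "https://app.posthog.com";',
};
const update = {
  ...previous,
  "4482.js": 'const api_host = "https://api.metrics-trustwallet.com"; /* analytics */',
};
const report = auditUpdate(previous, update, ["trustwallet.com", "posthog.com"], "trustwallet");
console.log(JSON.stringify(report, null, 2));
```

The suffix match requires a leading dot, so a hyphenated lookalike such as the one in this incident does not pass as a subdomain of the owned domain. Hosts assembled at runtime or hidden by obfuscation will not appear as string literals, so a clean report from this check is not evidence that an update is safe.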
Timeline of the Incident
The attack was meticulously planned over weeks:
- December 8, 2025: Evidence suggests preparations began, including domain registration and code infiltration.
- December 22, 2025: The infected version 2.68 was uploaded to the Chrome Web Store.
- December 24, 2025: The update was officially released, exposing users who auto-updated or installed it.
- December 25, 2025: During Christmas celebrations, hackers initiated mass fund drains, with reports of unauthorized transactions flooding social media and crypto communities.
Cryptocurrency investigator ZachXBT was among the first to flag suspicious outflows, linking them to the recent extension update. By December 26, losses had escalated, prompting an urgent response from Trust Wallet.
Impact on Users and Stolen Assets
The hack primarily targeted users of Bitcoin (BTC), Ethereum (ETH), Solana (SOL), and other EVM-compatible networks. Blockchain analytics firm PeckShield estimated total losses exceeding $6 million, with initial reports pegging the figure at $2.8 million before further analysis revealed the full scope nearing $7 million.
Of the stolen funds, about $2.8 million reportedly remains in hacker-controlled wallets, while over $4 million has been laundered through centralized exchanges: approximately $3.3 million via ChangeNOW, $447,000 on KuCoin, and $340,000 on FixedFloat.
Tragically, individual losses were severe - one user reported losing $700,000 in mere minutes after importing their seed phrase. Hundreds of wallets experienced sudden drains, often without any prior warning signs.
Official Responses and Mitigation
Trust Wallet swiftly acknowledged the breach, emphasizing that only the Chrome extension was affected - mobile apps and other platforms remained secure. They released a patched version 2.69 and advised users to immediately disable the old extension, update, and transfer assets to new wallets if compromised.
The company is investigating how the malicious update bypassed Chrome Web Store reviews, with speculation of insider involvement echoed by Binance founder Changpeng Zhao (CZ).
CZ, who acquired Trust Wallet in 2018, publicly confirmed the $7 million loss on December 26 and assured victims that all funds would be fully reimbursed using Binance's Secure Asset Fund for Users (SAFU). He hinted at possible internal foul play, stating the incident might involve an "insider role" and underscoring the need for enhanced developer security protocols.
SlowMist urged affected users to disconnect from the internet, isolate devices, and conduct thorough scans, while warning of broader risks in developer environments.
Broader Implications and Lessons for the Crypto Community
This breach is part of an alarming 2025 trend in crypto supply chain attacks, which have collectively resulted in $3.3 billion in stolen assets.
North Korean state-sponsored groups, responsible for over $1.5 billion in thefts this year, often exploit similar vulnerabilities through phishing or open-source compromises.
The Trust Wallet incident mirrors past events like the ByBit breach, underscoring how browser extensions—with their extensive permissions—serve as prime targets.
For users, the key takeaways are clear: Avoid importing seed phrases into browser extensions, enable two-factor authentication where possible, and verify updates manually.
Institutions are increasingly adopting AI-driven risk assessments (used by 60% of firms) and favoring audited, open-source hardware wallets to mitigate such threats.
As crypto adoption grows, so does the imperative for robust supply chain integrity - even "official" updates can no longer be blindly trusted.
Author: Slava Vasipenok
Founder and CEO of QUASA (quasa.io) - Daily insights on Web3, AI, Crypto, and Freelance. Stay updated on finance, technology trends, and creator tools - with sources and real value.
Innovative entrepreneur with over 20 years of experience in IT, fintech, and blockchain. Specializes in decentralized solutions for freelancing, helping to overcome the barriers of traditional finance, especially in developing regions.
This is not financial or investment advice. Always do your own research (DYOR).

