Trust Wallet Browser Extension Compromise Drains About $7 Million in Crypto

Anatomy of the Exploit

The exploit zeroed in on version 2.68 of Trust Wallet’s browser extension, released just before the holiday. Security researchers later uncovered how the code, masquerading as an analytics tool, activated when users imported recovery phrases or unlocked their wallets.

It decrypted sensitive data using the user’s passkey and funneled it to a rogue domain, metrics-trustwallet.com, registered on December 8. From there, attackers reconstructed wallets and siphoned funds without further interaction, a silent raid that struck across chains like BNB Smart Chain and Ethereum Virtual Machine layers.

One victim, a long-time crypto participant, described losing $300,000 in mere minutes, underscoring the speed and stealth of the attack.

By December 26, on-chain analysts like ZachXBT had pieced together the scale: over 600 addresses compromised, with funds flowing to exchanges and bridges for laundering. Roughly $4.2 million moved through services such as ChangeNOW, FixedFloat, KuCoin, and HTX, while $2.8 million lingered in the hackers’ wallets across Bitcoin, Ethereum, and Solana networks.

The breach didn’t touch mobile app users or other extension versions, limiting the damage but raising questions about how a corrupted build evaded Google’s Chrome Web Store vetting. Trust Wallet, acquired by Binance in 2018, serves over 220 million accounts, though active users likely number far fewer given multiple wallet creations per person.

Changpeng Zhao, co-founder of Binance and owner of Trust Wallet, addressed the chaos directly on social media.

“So far, $7 million affected by this hack“, he posted on December 26. “Trust Wallet will cover. User funds are SAFU.” The acronym, Binance’s Secure Asset Fund for Users, signals a commitment to reimburse victims fully, drawing from reserves built for such crises.

The team swiftly rolled out version 2.69, patching the flaw and urging immediate upgrades. Instructions flooded official channels: disable the old extension, update via the

Web Store, and monitor accounts for anomalies. Zhao added that investigations continue into how attackers infiltrated the submission process, hinting at potential insider involvement or a supply-chain compromise.

Broader Implications for Crypto Security

The Trust Wallet incident highlights the persistent vulnerability of browser-based extensions in the crypto ecosystem. Browser extensions, unlike independent applications or hardware wallets, reside in a web browser with broad access to on-chain operations and private key material.

A single supply chain compromise at the development or deployment level can expose private keys or seed phrases en masse, as this case illustrates.

Industry observers have noted that such supply chain attacks are increasingly attractive to malicious actors because they offer the ability to compromise many users through a single update rather than targeting individual wallets.

This risk profile extends beyond Trust Wallet and resonates with past incidents involving other browser extensions for crypto management.

What Users Need to Do Now

For affected users, immediate steps include disabling the vulnerable extension, upgrading to the secure version 2.69 if they must continue using a browser wallet, and transferring remaining assets to new wallet addresses with freshly generated seed phrases.

Even with reimbursement, many security professionals recommend caution in reusing potentially compromised keys or addresses.

Security analysts also caution wallet holders to restrict use of browser extensions for significant holdings and to consider hardware or mobile wallets with documented security practices for long-term storage. This incident further points out that convenience often entails a higher risk in self-custody environments.

As investigations continue, Trust Wallet and Binance have pledged to deepen their review of internal systems and deployment pipelines to prevent a recurrence. The broader crypto community is watching closely, recognizing that this breach serves as a sobering reminder of the fragile boundary between software convenience and digital asset security.