Trust Wallet says 2,596 wallets drained in $7 million crypto theft attack
Monday, December 29, 2025
What
On December 24, 2025, attackers compromised Trust Wallet's Chrome browser extension, specifically version 2.68.0, leading to the theft of approximately $7 million from 2,596 identified cryptocurrency wallet addresses. The attackers injected a malicious JavaScript file into the extension, which then exfiltrated sensitive wallet data. This compromise is believed to have occurred due to a leaked Chrome Web Store API key, allowing the malicious version to bypass standard release checks and be published. Trust Wallet has initiated a reimbursement process for affected users and is actively combating subsequent phishing campaigns leveraging the incident.
Where
The incident primarily affected users of the Trust Wallet Chrome browser extension globally. Trust Wallet, a cryptocurrency wallet application, is used by over 200 million people and was acquired by Binance, one of the world's largest cryptocurrency exchanges.
When
The initial compromise occurred on December 24, 2025, at 12:32 UTC, when the malicious extension version 2.68.0 was released. Trust Wallet confirmed the hack and advised users to update shortly after BleepingComputer's inquiry, with further details and reimbursement plans revealed by December 29, 2025.
Key Factors
- The attack vector was a compromised Chrome Web Store API key, which allowed attackers to publish a malicious version (v2.68.0) of the Trust Wallet extension, bypassing internal security checks and injecting malicious JavaScript for data exfiltration.
- Following the initial theft, attackers launched a phishing campaign using a fake Trust Wallet-branded website, fix-trustwallet[.]com, to exploit user panic and trick them into revealing their wallet recovery seed phrases under the guise of security updates.
- Trust Wallet responded by expiring all release APIs for two weeks and successfully reporting the malicious exfiltration domain to its registrar, NiceNIC, leading to its suspension to prevent further data theft.
- The company has identified 2,596 affected wallet addresses from which cryptocurrency was stolen and is implementing a careful verification process for reimbursement claims due to a significant number of false or duplicate submissions.
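For responders who need to know which browser profiles still hold the compromised release, the following added example (not from the article or from Trust Wallet) scans a Chrome user-data directory for unpacked copies of the extension at version 2.68.0. The extension ID is a placeholder to be replaced with the real Web Store ID, and the sample tree, including version 0.0.1, is constructed for the demonstration.

```python
import json
import tempfile
from pathlib import Path

AFFECTED_VERSION = "2.68.0"                # compromised release named in the article
EXTENSION_ID = "EXTENSION_ID_PLACEHOLDER"  # assumption: replace with the real Web Store ID


def installed_versions(user_data_dir, extension_id):
    """Yield (profile, version, path) for every unpacked copy of the extension.

    Chrome stores each installed version under
    <user-data>/<profile>/Extensions/<extension id>/<version>_<n>/manifest.json
    """
    root = Path(user_data_dir)
    for manifest in sorted(root.glob(f"*/Extensions/{extension_id}/*/manifest.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or partially written manifest: skip it
        profile = manifest.parents[3].name  # .../<profile>/Extensions/<id>/<ver>/manifest.json
        yield profile, str(data.get("version", "")), manifest.parent


def find_affected(user_data_dir, extension_id=EXTENSION_ID, affected=AFFECTED_VERSION):
    """Return [(profile, path)] for profiles that hold the affected version on disk."""
    return [(profile, str(path))
            for profile, version, path in installed_versions(user_data_dir, extension_id)
            if version == affected]


def build_sample(root):
    """Constructed sample tree: one profile on 2.68.0, one on a made-up version."""
    for profile, version in (("Default", "2.68.0"), ("Profile 1", "0.0.1")):
        vdir = Path(root) / profile / "Extensions" / EXTENSION_ID / f"{version}_0"
        vdir.mkdir(parents=True)
        (vdir / "manifest.json").write_text(
            json.dumps({"name": "sample", "version": version}), encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for profile, path in find_affected(tmp):
            print(f"{profile}: version {AFFECTED_VERSION} present at {path}")
```

Chrome removes older version directories after an update, so an empty result does not show that a profile never ran 2.68.0.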
Takeaways
- Users of cryptocurrency browser extensions should always verify the authenticity of updates and be extremely cautious of unsolicited requests for seed phrases or private keys, even from seemingly official sources.
- This incident highlights the critical importance of securing API keys and implementing robust multi-factor authentication and release process controls for software distribution platforms, especially for applications handling sensitive financial assets.
- Users affected by such incidents should only use official communication channels provided by the service provider for support and reimbursement claims, and be vigilant against impersonation scams and phishing attempts.
Source: original article on BleepingComputer