Trust Wallet is urging users to update their Google Chrome extension to the latest version following what it calls a “security incident” that resulted in approximately $7 million in losses.
The issue affects version 2.68, according to the multichain non-custodial cryptocurrency wallet service. According to the Chrome Web Store listing, the extension has around 1 million users. We recommend that users update to version 2.69 as soon as possible.
“We have confirmed that approximately $7 million has been affected and will ensure that all affected users are refunded,” Trust Wallet said in a post on X. “Supporting affected users is our top priority and we are actively finalizing refund procedures for affected users.”
Trust Wallet also urges users to refrain from interacting with messages other than those sent from official channels. Mobile-only users and all other browser extension versions are not affected.
According to details shared by SlowMist, version 2.68 introduced malicious code designed to iterate through all wallets stored in the extension and trigger a mnemonic phrase request for each wallet.
“The encrypted mnemonic will be decrypted using the password or passkeyPassword entered when unlocking the wallet,” the blockchain security firm said. “Once decrypted, the mnemonic phrase is sent to the attacker’s server api.metrics-trustwallet(.)com.”
The domain ‘metrics-trustwallet(.)com’ was registered on December 8, 2025, and the first request to ‘api.metrics-trustwallet(.)com’ was initiated on December 21, 2025.
Further analysis revealed that the attacker leveraged an open-source full-chain analytics library named posthog-js to collect wallet user information.
The digital assets stolen so far include approximately $3 million in Bitcoin, $431 in Solana, and more than $3 million in Ethereum. The stolen funds were moved through centralized exchanges and cross-chain bridges for money laundering and swaps. According to the latest information shared by blockchain researcher ZachXBT, the incident resulted in hundreds of victims.
“While approximately $2.8 million of the stolen funds remained in the hackers’ wallets (Bitcoin/EVM/Solana), the majority of the cryptocurrencies, over $4 million, were transferred to CEX (centralized exchanges). Of that amount, approximately $3.3 million was transferred to ChangeNOW, approximately $340,000 was transferred to FixedFloat, and approximately $447,000 was transferred to KuCoin,” PeckShield said.
“This backdoor incident resulted from a malicious source code modification within Trust Wallet’s internal extension codebase (analytics logic), rather than an injected compromised third-party dependency (such as a malicious npm package),” SlowMist said.
“The attackers directly modified the application’s own code, leveraged the legitimate PostHog analytics library as a data extraction channel, and redirected the analytics traffic to attacker-controlled servers.”
The company said the attack could be the work of a nation-state attacker, adding that the attacker may have gained control of Trust Wallet-related developer devices, or obtained deployment permissions, before December 8, 2025.
Changpeng Zhao, co-founder of the cryptocurrency exchange Binance, which owns the utility, hinted that the exploit was “most likely” carried out by an insider, although no further evidence was provided to support this theory.
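A release-review check aimed at the kind of change SlowMist describes above, where analytics traffic in the extension's own code was pointed at a new server, shown as an added example (not code from Trust Wallet, SlowMist, or the original article). It diffs the outbound hosts referenced in two builds and flags new ones that are off the allowlist or imitate the brand; the function names, policy shape, and `examplewallet.example` domains are constructed for illustration.

```javascript
// Added example: compare the network hosts referenced by two extension builds.
// All identifiers and sample data below are constructed, not taken from any real bundle.
const URL_RE = /\b(?:https?|wss?):\/\/[^\s"'`<>\\)]+/gi;

// Collect every hostname that appears in a URL literal inside the bundle source.
function extractHosts(source) {
  const hosts = new Set();
  for (const m of source.matchAll(URL_RE)) {
    try { hosts.add(new URL(m[0]).hostname.toLowerCase()); } catch { /* not a valid URL */ }
  }
  return hosts;
}

// True only for the domain itself or a real subdomain ("x.example.com"),
// never for a different registrable name that merely ends with the same text.
function isUnder(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Report hosts present in the new build but absent from the old one.
function reviewNewHosts(oldSrc, newSrc, { allowed, brandTokens }) {
  const before = extractHosts(oldSrc);
  const findings = [];
  for (const host of extractHosts(newSrc)) {
    if (before.has(host)) continue;
    const allowlisted = allowed.some((d) => isUnder(host, d));
    // Lookalike: carries the brand name but is not under an official domain.
    const squashed = host.replace(/[^a-z0-9]/g, "");
    const lookalike = !allowlisted && brandTokens.some((t) => squashed.includes(t));
    findings.push({ host, allowlisted, lookalike });
  }
  return findings.sort((a, b) => a.host.localeCompare(b.host));
}

// Constructed sample builds: the new one repoints the analytics endpoint.
const OLD_BUILD = `posthog.init(KEY, { api_host: "https://analytics.examplewallet.example" });`;
const NEW_BUILD = `
posthog.init(KEY, { api_host: "https://api.metrics-examplewallet.example" });
fetch("https://rpc.examplewallet.example/v1/status");
`;
const POLICY = { allowed: ["examplewallet.example"], brandTokens: ["examplewallet"] };

console.log(reviewNewHosts(OLD_BUILD, NEW_BUILD, POLICY));
```

A new host that is both off the allowlist and brand-lookalike is the case that should block a release until a human has reviewed the diff.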