Trust Wallet Browser Extension Compromised: Supply Chain Attack Drains Wallets on Christmas Eve
OFFICIAL UPDATE: Trust Wallet has confirmed the security incident affects Browser Extension version 2.68 only. Users should upgrade to version 2.69 immediately. Mobile app users are NOT affected.
We've identified a security incident affecting Trust Wallet Browser Extension version 2.68 only. Users with Browser Extension 2.68 should disable and upgrade to 2.69.
Please refer to the official Chrome Webstore link here: https://t.co/V3vMq31TKb
Please note: Mobile-only users…
— Trust Wallet (@TrustWallet) December 25, 2025
On Christmas Eve 2025, while most people were celebrating the holidays, attackers launched a supply chain attack against Trust Wallet's browser extension. Version 2.68 contained malicious code that silently exfiltrates seed phrases to an attacker-controlled server—draining wallets in real-time.
Multiple security researchers and the crypto community raised alarms on X (Twitter), with prominent blockchain investigator ZachXBT warning users to move their funds immediately. Trust Wallet has since confirmed the incident and released a patched version 2.69.
What Happened: The Technical Breakdown
Security researchers analyzing the Trust Wallet browser extension's December 24 update discovered hidden malicious code in the file 4482.js. The code was designed to look like legitimate analytics tracking—but it does something far more sinister.
The Malicious Code
The injected code masquerades as a PostHog analytics integration, but instead of sending data to PostHog's legitimate servers, it sends wallet data to a fake domain:
Key indicators of the malicious code:
- Fake domain: `api.metrics-trustwallet.com` — designed to look legitimate but registered just days ago
- PostHog-style wrapper: Uses `C.Ay.init()` and `C.Ay.register()` to mimic real analytics
- Autocapture enabled: `autocapture: !1` and `capture_pageview: !1` to track all user actions
- Persistence: Uses `localStorage` to maintain tracking across sessions
- Trigger condition: Activates specifically when a seed phrase is imported
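The fake-domain indicator above is what a review of an update's outbound hosts is meant to catch. The following is an added example, not code from the extension or from the researchers; the allowlist, the brand token and both sample bundles are constructed for illustration.

```javascript
// Added example: report network hosts that an extension update introduces.
// ALLOWED and both bundles below are constructed for illustration only.
const ALLOWED = ["trustwallet.com", "posthog.com"]; // assumed first-party and analytics domains
const BRAND_TOKENS = ["trustwallet"]; // brand strings a lookalike domain would embed

// Collect lower-cased hostnames from absolute URLs in (minified) JavaScript.
// Hosts assembled at runtime by string concatenation are not seen by this pass.
function extractHosts(source) {
  const hosts = new Set();
  const re = /\b(?:https?|wss?):\/\/([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)/gi;
  for (const m of source.matchAll(re)) hosts.add(m[1].toLowerCase());
  return hosts;
}

// True when host is an allowed domain or a subdomain of one.
function isAllowed(host) {
  return ALLOWED.some((d) => host === d || host.endsWith("." + d));
}

// A host that carries the brand name without belonging to the brand's domain.
function isLookalike(host) {
  const flat = host.replace(/[^a-z0-9]/g, "");
  return !isAllowed(host) && BRAND_TOKENS.some((t) => flat.includes(t));
}

// Compare two versions of a bundle and list every newly introduced,
// non-allowlisted host together with the reason it needs review.
function reviewUpdate(oldSource, newSource) {
  const before = extractHosts(oldSource);
  const findings = [];
  for (const host of extractHosts(newSource)) {
    if (before.has(host) || isAllowed(host)) continue;
    findings.push({ host, reason: isLookalike(host) ? "lookalike" : "unknown" });
  }
  return findings.sort((a, b) => a.host.localeCompare(b.host));
}

// Constructed samples: a previous bundle and an update with a re-pointed analytics host.
const OLD_BUNDLE = 'C.Ay.init("phc_x",{api_host:"https://eu.i.posthog.com"});fetch("https://api.trustwallet.com/v1/assets")';
const NEW_BUNDLE = OLD_BUNDLE + ';C.Ay.init("phc_y",{api_host:"https://api.metrics-trustwallet.com"});new WebSocket("wss://cdn.example.net/s")';

console.log(reviewUpdate(OLD_BUNDLE, NEW_BUNDLE));
```

The suffix check compares against `.trustwallet.com` with the leading dot, which is why a hyphenated host such as `api.metrics-trustwallet.com` is not treated as first-party.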
The Attack Timeline
| Date | Event |
|---|---|
| ~Dec 20-22, 2025 | Malicious domain metrics-trustwallet.com registered |
| Dec 24, 2025 | Compromised Trust Wallet extension update pushed |
| Dec 25-26, 2025 | Users report wallets being drained in real-time |
| Dec 26, 2025 | Security researchers expose the malicious code |
| Dec 26, 2025 | Malicious domain taken down (now unreachable) |
What is a Supply Chain Attack?
A supply chain attack is when hackers compromise a trusted software vendor or their distribution channel, rather than attacking end users directly. Instead of targeting millions of individual users, attackers inject malicious code into a legitimate software update—turning the vendor's own distribution system into a weapon.
This is the same type of attack used in:
- SolarWinds (2020) — Russian hackers compromised 18,000+ organizations including US government agencies
- Codecov (2021) — CI/CD tool compromised, exposing secrets from thousands of companies
- 3CX (2023) — VoIP software supply chain attack affected millions of users
Supply chain attacks are particularly devastating because users trust the software they're updating. You're not downloading from a shady website—you're updating through the official Chrome Web Store or Firefox Add-ons.
Key insight: Browser extensions are high-value targets for supply chain attacks. They have deep access to your browsing data, can modify web pages, and users rarely audit updates. A single compromised extension can steal credentials from millions of users.
What You Should Do Right Now
If You Use Trust Wallet Browser Extension
- STOP using the browser extension immediately
- Do NOT import any seed phrases into the extension
- Move your funds to a different wallet (hardware wallet preferred)
- Create new wallets with fresh seed phrases on a clean device
- Transfer all assets to the new wallets
- Consider the old seed phrases compromised — do not reuse them
If You Recently Imported a Seed Phrase
If you imported a seed phrase into the Trust Wallet browser extension after December 24:
Your funds are at immediate risk. Transfer everything to a new wallet NOW. Do not wait for official confirmation. By the time you read this, your wallet may already be compromised.
- Immediately transfer all tokens and NFTs to a secure wallet
- Revoke all token approvals using revoke.cash
- Check for unauthorized transactions in your wallet history
- Never use the compromised seed phrase again
Recommended Alternative Wallets
While the situation is being resolved, consider these alternatives:
| Wallet | Type | Security Level |
|---|---|---|
| Ledger / Trezor | Hardware wallet | Highest (air-gapped) |
| MetaMask | Browser extension | Good (established track record) |
| Rabby Wallet | Browser extension | Good (security-focused features) |
| Trust Wallet Mobile | Mobile app | Unaffected by this attack (different codebase) |
Note: The Trust Wallet mobile app appears to be unaffected by this attack. The compromise is specific to the browser extension. However, if you shared seed phrases between the mobile app and extension, assume those seed phrases are compromised.
Community Response
The crypto security community has mobilized quickly to warn users:
"Trust Wallet browser extension compromised through a supply chain attack. Important warning from @zachxbt on wallet drains potentially impacting Trust Wallet users. No root cause identified, but probably a good idea to move funds at least temporarily if you rely on this wallet."
Security researcher @0xakinator provided technical analysis:
"In the Trust Wallet browser extension code 4482.js, a recent update added hidden code that silently sends wallet data outside. It pretends to be analytics, but it tracks wallet activity and triggers when a seed phrase is imported. The data was sent to metrics-trustwallet[.]com — a domain registered days ago and now down."
Lessons for Browser Extension Security
This attack highlights critical vulnerabilities in the browser extension ecosystem:
1. Extensions Are High-Value Targets
Crypto wallet extensions are particularly valuable targets because they handle private keys and seed phrases—the literal keys to users' money. A single compromised update can steal millions.
2. Automatic Updates Are a Double-Edged Sword
Browser extensions update automatically through the Chrome Web Store and Firefox Add-ons. This is convenient for users but means a malicious update can be pushed to millions of users before anyone notices.
3. Code Review Is Essential
The malicious code was disguised as analytics—something most users would never notice. Only through careful code analysis did security researchers identify the threat.
4. Trust Is Fragile
Trust Wallet has over 220 million users who trusted the brand. One compromised update destroyed that trust instantly. In crypto, security failures are catastrophic and irreversible.
Best Practice: Consider using a hardware wallet (Ledger, Trezor) for significant crypto holdings. Hardware wallets keep your private keys offline, making them immune to browser extension attacks.
Frequently Asked Questions
Is the Trust Wallet mobile app affected?
Based on current information, the mobile app is NOT affected. The attack is specific to the browser extension. However, if you used the same seed phrase for both, that seed phrase should be considered compromised.
How do I know if I'm affected?
If you used the Trust Wallet browser extension after December 24, 2025—especially if you imported a seed phrase—you may be affected. Check your wallet for unauthorized transactions. If in doubt, move your funds immediately.
Will I get my stolen funds back?
Unfortunately, cryptocurrency transactions are irreversible. Stolen funds cannot be recovered unless the attacker is identified and law enforcement intervenes (which is rare). Prevention is the only protection.
Has Trust Wallet responded officially?
As of publication, Trust Wallet has not issued an official statement about the compromise. We will update this article when they respond. Monitor their official X (Twitter) account for updates.
How can I protect myself from future attacks?
- Use a hardware wallet for significant holdings
- Never store seed phrases digitally (use paper backup in a safe)
- Disable automatic extension updates and review changes before updating
- Use multiple wallets to limit exposure
- Follow security researchers like @zachxbt for early warnings
Conclusion
The Trust Wallet browser extension supply chain attack is a stark reminder that even trusted software can be weaponized. On Christmas Eve, attackers injected malicious code into a routine update, turning one of the world's most popular crypto wallets into a tool for theft.
If you use the Trust Wallet browser extension:
- Stop using it immediately
- Move your funds to a secure wallet
- Create new wallets with fresh seed phrases
- Consider switching to a hardware wallet
This attack follows a disturbing pattern in 2025: the LastPass breach continues to drain wallets, the Honey extension scandal exposed how browser extensions can exploit users, and now Trust Wallet shows how supply chain attacks can compromise even legitimate security tools.
Your crypto is only as safe as your weakest link. In this case, that link was a browser extension update that users trusted implicitly. Learn from this incident—and protect yourself before the next attack.
Stay vigilant. Verify everything. Trust nothing blindly.
Update policy: This article will be updated as new information becomes available. Last updated: December 26, 2025.