Trust Wallet users lost almost $7 million shortly after the company introduced an updated version of its Chrome plugin. Changpeng Zhao, a co-founder of Binance, the cryptocurrency exchange that owns the utility, said the stolen funds would be returned.
The wallet team acknowledged the hack, which was first reported on December 25 by on-chain detective ZachXBT.
Trust Wallet is asking users to update its Google Chrome extension to the most recent version following a “security incident” that resulted in a loss of nearly $7 million.
The non-custodial cryptocurrency wallet service reported an issue with version 2.68. The extension has approximately one million users, according to the Chrome Web Store listing. Users should update to version 2.69 as soon as possible.
“We’ve confirmed that approximately $7M has been impacted, and we will ensure that all affected users are refunded,” Trust Wallet stated in a post on X. “Supporting affected users is our top priority, and we are actively finalising the process to refund the impacted users.”
Trust Wallet further advises customers to avoid interacting with any messages that do not originate from its official channels. Mobile-only users and all other browser extension versions are unaffected.
Trust Wallet stated that the vulnerability was limited to the Chrome browser extension and did not affect its mobile apps or the underlying blockchains themselves. A corrected version, 2.69, was issued soon after the problem was discovered.
According to SlowMist, version 2.68 included malicious code that was designed to run through all wallets stored in the extension and request a mnemonic phrase for each one.
“The encrypted mnemonic is then decrypted using the password or passkeyPassword entered during wallet unlock,” the blockchain security company stated. “Once decrypted, the mnemonic phrase is sent to the attacker’s server api.metrics-trustwallet[.]com.”
The domain “metrics-trustwallet[.]com” was registered on December 8, 2025, and the first request to “api.metrics-trustwallet[.]com” took place on December 21, 2025.
The attacker used posthog-js, an open-source full-chain analytics tool, to gather wallet user information.
The digital assets drained thus far include approximately $3 million in Bitcoin, $431 in Solana, and more than $3 million in Ethereum. The stolen cash was transferred through centralised exchanges and cross-chain bridges for laundering and swapping. According to a report released by blockchain investigator ZachXBT, hundreds of people fell victim to the incident.
“While ~$2.8 million of the stolen funds remain in the hacker’s wallets (Bitcoin/ EVM/ Solana), the bulk – >$4M in cryptos – has been sent to CEXs [centralised exchanges]: ~$3.3 million to ChangeNOW, ~$340,000 to FixedFloat, and ~$447,000 to KuCoin,” disclosed PeckShield.
“This backdoor incident originated from malicious source code modification within the internal Trust Wallet extension codebase (analytics logic), rather than an injected compromised third‑party dependency (e.g., malicious npm package),” according to SlowMist.
