Full Report
Trust Wallet is urging users to update its Google Chrome extension to the latest version following what it described as a "security incident" that led to the loss of approximately $7 million. The issue, the multi‑chain, non‑custodial cryptocurrency wallet service said, impacts version 2.68. The extension has about one million users, according to the Chrome Web Store listing. Users are advised to
Analysis Summary
# Incident Report: Trust Wallet Chrome Extension Malicious Code Injection
## Executive Summary
Trust Wallet confirmed a security incident impacting version 2.68 of its Google Chrome browser extension, resulting in approximately $7 million in cryptocurrency theft from users. The attackers compromised the extension's codebase to inject malicious logic that harvested user mnemonic phrases upon wallet unlock. Response actions included immediately urging users to update to version 2.69 and promising full refunds to affected users.
## Incident Details
- Discovery Date: Approximately December 26, 2025 (based on the publication date)
- Incident Date: Attack activity appears to have commenced around December 21, 2025, based on the first malicious server requests.
- Affected Organization: Trust Wallet
- Sector: Financial Technology (Cryptocurrency Wallet Service)
- Geography: Global (Affecting Chrome extension users)
## Timeline of Events
### Initial Access
- Date/Time: Domain registration activity started on December 8, 2025. Malicious activity began around December 21, 2025.
- Vector: Malicious code modification within the official Trust Wallet extension codebase (version 2.68). This was not a third-party dependency compromise.
- Details: Attackers tampered directly with the application's internal source code, most likely having gained control of a developer device or deployment permissions before December 8, 2025.
### Lateral Movement
- *Not applicable in the traditional network sense; the compromise was a code deployment.* The malicious code had access to the user wallet data stored within the extension environment.
### Data Exfiltration/Impact
- Date/Time: Commencing December 21, 2025, through December 26, 2025 (at least).
- Details: The malicious code iterated through all stored wallets, triggered a mnemonic phrase request, decrypted the mnemonic using the user's unlock password/passkey, and exfiltrated the decrypted phrases to `api.metrics-trustwallet[.]com`. Approximately $7 million in BTC, ETH, and SOL was drained.
### Detection & Response
- Date/Time: Detected by security researchers (e.g., SlowMist) and Trust Wallet shortly before December 26, 2025.
- Response actions taken: Urged users to update to version 2.69 immediately; confirmed $7M impacted; promised full refunds to affected users; warned users against non-official communications.
## Attack Methodology
- Initial Access: Direct **Malicious Code Modification** within the legitimate Trust Wallet extension source code leading up to version 2.68 deployment.
- Persistence: The malicious code was embedded in a shipped, auto-updated version of the extension, so it reached users without any action on their part.
- Privilege Escalation: N/A. The encrypted wallet data became accessible to the malicious code when the user unlocked the wallet.
- Defense Evasion: The attackers used a legitimate, open-source analytics library (`posthog-js`) not for analytics, but as a data exfiltration channel, redirecting legitimate-looking analytics traffic to an attacker-controlled server.
- Credential Access: Stored encrypted mnemonic phrases were decrypted using the user-provided password/passkey during wallet unlock.
- Discovery: N/A (Internal library used for exfiltration).
- Lateral Movement: N/A (Focus was on user victims, not internal network pivoting).
- Collection: Harvested user wallet information, specifically decrypted mnemonic phrases.
- Exfiltration: Data sent to the attacker-controlled domain `api.metrics-trustwallet[.]com`.
- Impact: Theft of digital assets ($7M). Funds laundered via centralized exchanges (CEXs) like ChangeNOW, FixedFloat, and KuCoin.
## Impact Assessment
- Financial: Approximately **$7 million** stolen ($3M BTC, ~$3M ETH, $431 SOL). Trust Wallet committed to refunding all affected users.
- Data Breach: Decrypted mnemonic phrases and associated wallet passwords/passkeys for hundreds of victims.
- Operational: Loss of user trust, mandatory hotfix deployment (v2.69).
- Reputational: Significant negative publicity for the non-custodial wallet service.
## Indicators of Compromise
- Network Indicators (Defanged):
  - Attacker C2 Domain: `api.metrics-trustwallet[.]com` (Registered Dec 8, 2025)
- File Indicators: Malicious logic embedded in Trust Wallet Chrome extension **Version 2.68**.
- Behavioral Indicators: Triggering of mnemonic phrase requests upon wallet unlock combined with data transmission to the malicious domain via the PostHog library.
## Response Actions
- **Containment Measures:** Immediately released updated version **2.69** of the Chrome extension and urged all users to update immediately. Instructed users to cease interaction with version 2.68.
- **Eradication Steps:** Removal of the malicious code segment and deployment of the clean version.
- **Recovery Actions:** Initiated process to refund all impacted users (Total committed refund: ~$7 million).
## Lessons Learned
- Trust is built on verification: Direct modification of the first-party codebase or its deployment pipeline bypasses standard third-party dependency scanning, which only covers the supply-chain integrity of external packages.
- Infrastructure hygiene: The attacker registered the command-and-control domain several weeks before initiating active exfiltration, suggesting potential reconnaissance or staging.
- Insider Threat Potential: A co-founder suggested the exploit was "most likely" carried out by an insider, highlighting internal trust boundaries that need review.
## Recommendations
- Implement rigorous code signing and integrity verification at every stage of the CI/CD pipeline, with particular attention to first-party code that ships directly in production builds, as distinct from dependency updates.
- Enhance monitoring of legitimate libraries (such as `posthog-js`) to detect deviations in network destinations or usage patterns that indicate misuse for exfiltration.
- Conduct immediate, comprehensive internal security audits of developer workstations and deployment access controls, especially given the potential for an insider threat vector.
- Review post-incident processes to ensure stolen funds can be traced rapidly, in particular by strengthening coordination with the CEXs used for laundering.
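The monitoring recommendation above (and the behavioral indicator in the IoC section) can be turned into a concrete rule: flag requests that have the shape of posthog-js telemetry but leave for a host that is not a PostHog ingestion endpoint. The following is an added example, not Trust Wallet's code; the log line format, the allowlist of legitimate PostHog hosts and the sample log are assumptions constructed for this illustration.

```python
"""Flag PostHog-shaped telemetry leaving a browser extension for a non-PostHog host."""
import re
from urllib.parse import urlsplit

# Defanged IoC from the report, refanged so it can be matched against live logs.
KNOWN_C2 = {"api.metrics-trustwallet[.]com".replace("[.]", ".")}

# Hosts a genuine posthog-js deployment talks to (assumed allowlist; a team that
# self-hosts PostHog would add its own ingestion host here).
POSTHOG_ALLOWLIST = {"app.posthog.com", "us.i.posthog.com", "eu.i.posthog.com"}

# Endpoints used by posthog-js for event capture, batching and feature flags.
POSTHOG_PATHS = ("/e/", "/batch/", "/decide/", "/engage/")

# Assumed log line shape: "<timestamp> <initiator> <METHOD> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

# Constructed sample log: one genuine PostHog call, one call to the report's C2
# domain, one PostHog-shaped call to an unknown host, one unrelated RPC call.
SAMPLE_LOG = """\
2025-12-21T10:02:11Z ext:wallet POST https://us.i.posthog.com/e/?ip=1 200
2025-12-21T10:02:12Z ext:wallet POST https://api.metrics-trustwallet.com/e/ 200
2025-12-21T10:02:13Z ext:wallet POST https://telemetry.example.net/batch/ 200
2025-12-21T10:02:14Z ext:wallet GET https://rpc.example.org/v1/balance 200
"""


def classify(line: str) -> tuple[str, str]:
    """Return (verdict, host): verdict is 'c2', 'suspect', 'ok' or 'ignore'."""
    m = LOG_RE.match(line.strip())
    if not m:
        return ("ignore", "")          # not a request line we understand
    parts = urlsplit(m.group(4))
    host = (parts.hostname or "").lower()
    path = parts.path if parts.path.endswith("/") else parts.path + "/"
    if host in KNOWN_C2:
        return ("c2", host)            # known indicator, regardless of path
    if not path.startswith(POSTHOG_PATHS):
        return ("ok", host)            # not telemetry-shaped; out of scope for this rule
    return ("ok" if host in POSTHOG_ALLOWLIST else "suspect", host)


def find_suspect_telemetry(log: str) -> list[tuple[str, str]]:
    """Return every (verdict, host) pair that a responder should look at."""
    results = (classify(line) for line in log.splitlines())
    return [r for r in results if r[0] in ("c2", "suspect")]
```

Run against proxy or extension network logs, the rule surfaces the redirected analytics traffic described in this report without needing a signature for the library itself.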