Cyber Incident Victim: Trust Wallet
Date: Dec 2025
Location: United States of America
Summary
Trust Wallet confirmed a security incident affecting its browser extension version 2.68 after a malicious update was published via a leaked Chrome Web Store API key, resulting in approximately $7 million in cryptocurrency theft. The compromise impacted only users who opened and logged into the extension before a specific cutoff time, leaving mobile app users, other extension versions, and later v2.68 users unaffected. The company reported the malicious domain to its registrar, expired release APIs to block further updates, and began collecting victim tickets for reimbursement while promoting the secure version 2.69.
Description
On December 25, 2025, Trust Wallet announced via its X account that it had identified a security incident affecting Trust Wallet Browser Extension version 2.68, noting that the compromise was not a vulnerability in the Chrome browser itself but rather the result of a malicious version of the extension being published through the Chrome Web Store. The company stated that the malicious extension v2.68 was not released through its internal manual process and that its current findings suggest it was most likely published externally using a leaked Chrome Web Store API key, which allowed the attacker to bypass Trust Wallet's standard release checks. According to Trust Wallet's timeline, the malicious version was made available on the Chrome Web Store on December 24, 2025 at 12:32 UTC and remained active until it was detected and removed. The incident was limited to users who opened the extension and logged in while running version 2.68 before December 26, 2025 at 11:00 UTC, with no impact on mobile app users, other extension versions, or users who accessed the extension after that cutoff.

In a follow-up post on December 26, Binance founder Changpeng Zhao confirmed that the Trust Wallet security team was still investigating how the malicious version had been submitted and reported that approximately $7 million in cryptocurrency had been affected by the incident at that stage of the investigation. Zhao emphasized that user funds were covered by the Binance Secure Asset Fund for Users and that Trust Wallet would reimburse any losses, directing users to a separate X post for details on the compensation process. In response to the compromise, Trust Wallet reported the malicious domain associated with the extension to the registrar NiceNIC, which subsequently suspended the domain to prevent further communication with the attacker's server. The company also expired all of its release APIs for a two-week window to block any new extension releases while it conducted internal forensic analysis and awaited additional logs from Google's support team to determine the root cause.

Trust Wallet advised affected users to refrain from opening the browser extension on desktop devices, to navigate to the Chrome Extensions panel, toggle the Trust Wallet extension off, enable developer mode, press the update button, and verify that the extension displayed version 2.69, which the company identified as the secure release containing the necessary fixes. The malicious code embedded in the compromised version 2.68 was designed to operate silently, masquerading as analytics while actually transmitting wallet data to an external domain and triggering specifically when a user imported a seed phrase. As a result of the incident, Trust Wallet began collecting victim tickets and processing reimbursements, noting that some aspects of the compensation workflow were still being finalized while the investigation continued.
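
The version check described above can also be run from the defender's side across managed desktops. The following is an added example, not code from Trust Wallet or from this page: it reads the manifest of every on-disk copy of an extension in a Chrome profile and flags version 2.68. The extension ID is a placeholder, the sample profile is constructed, and the `Extensions/<id>/<version>_<n>/manifest.json` layout is an assumption about the profile directory.

```python
import json
import tempfile
from pathlib import Path

AFFECTED = (2, 68)  # version named in Trust Wallet's advisory
FIXED = (2, 69)     # version the vendor identifies as secure
# Placeholder, not the real ID: copy the real one from chrome://extensions.
PLACEHOLDER_ID = "abcdefghijklmnopabcdefghijklmnop"

def parse_version(text):
    """Turn '2.68' or '2.68.0' into a tuple, dropping trailing zeros."""
    parts = [int(p) for p in str(text).strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def classify(version_text):
    """'affected' for 2.68, 'fixed' for 2.69 or later, else 'other'."""
    version = parse_version(version_text)
    if version == AFFECTED:
        return "affected"
    return "fixed" if version >= FIXED else "other"

def audit_profile(profile_dir, extension_id):
    """Return (version, status) for each copy of the extension on disk.
    Assumed layout: <profile>/Extensions/<id>/<version>_<n>/manifest.json"""
    findings = []
    ext_dir = Path(profile_dir) / "Extensions" / extension_id
    for manifest in sorted(ext_dir.glob("*/manifest.json")):
        try:
            version = json.loads(manifest.read_text(encoding="utf-8"))["version"]
            findings.append((version, classify(version)))
        except (OSError, ValueError, KeyError, TypeError):
            # Damaged or unexpected manifest: report the directory name instead.
            findings.append((manifest.parent.name, "unreadable"))
    return findings

def build_sample_profile(root, versions):
    """Constructed test data: fake manifests laid out like a Chrome profile."""
    for v in versions:
        d = Path(root) / "Extensions" / PLACEHOLDER_ID / f"{v}_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"version": v}))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp, ["2.68", "2.69"])
        print(audit_profile(tmp, PLACEHOLDER_ID))
```

An `affected` result only shows that version 2.68 is present on disk; whether the user opened the extension and logged in before the cutoff has to be established separately.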
