Trust Wallet has warned users to immediately update its Google Chrome browser extension after a security incident tied to version 2.68 resulted in about $7 million in losses, with the company confirming that only Chrome extension users were affected and that refunds are being prepared for impacted users.
Trust Wallet said the flaw was limited to version 2.68 of its multi-chain, non-custodial wallet, which serves around one million users. In a statement published on X, the company said it had confirmed that approximately $7 million had been impacted and that it is finalizing a process to refund affected users. The company said supporting affected users is its top priority and that instructions on next steps will be shared soon.
The company advised users to upgrade to version 2.69 immediately to mitigate the issue. Trust Wallet added that mobile app users and users of other browser extensions were not affected. It also urged users to avoid messages or instructions that do not come from its official communication channels.
Scope Of The Affected Product
Trust Wallet provides a non-custodial crypto wallet that allows users to store and manage digital assets across multiple blockchains through a mobile app and a Chrome extension used to interact with decentralized applications.
Malicious Code Identified In Extension
Blockchain security firm SlowMist said its analysis showed that Trust Wallet Chrome extension version 2.68 contained malicious code. According to SlowMist, the code iterated through all stored wallets and prompted users to enter their mnemonic phrases. The mnemonics, which were encrypted, were decrypted using the user’s password and then transmitted to an attacker-controlled server at api.metrics-trustwallet[.]com.
SlowMist said the domain was registered on December 8, 2025, and malicious activity began on December 21. The attackers also used the open-source posthog-js analytics library to collect wallet-related user data. Based on its findings, SlowMist researchers suggested the attack may have been carried out by an advanced persistent threat group.
Stolen Funds And Onchain Tracking
Security researchers at PeckShield reported that threat actors stole more than $6 million in cryptocurrency during the incident. PeckShield said most of the stolen funds were transferred to exchanges, while about $2.8 million remained held in attacker-controlled wallets at the time of reporting.
Parallel Phishing Campaign Targeted Users
BleepingComputer reported that attackers also ran a parallel phishing campaign during the incident, taking advantage of user concern. According to the report, fake accounts on X directed users to fix-trustwallet[.]com, a website designed to mimic Trust Wallet and claim to fix a security flaw. The site prompted users to enter their wallet recovery seed phrases, allowing attackers to drain funds.
BleepingComputer said WHOIS records showed that the fix-trustwallet[.]com domain was recently registered with the same registrar as metrics-trustwallet[.]com, suggesting a possible connection between the phishing operation and the infrastructure used in the extension compromise.
Featured image credits: creativecommons.org
For more stories like it, click the +Follow button at the top of this page to follow us.