The recent compromise of the Trust Wallet Chrome extension, which led to the theft of roughly $7 million in cryptocurrency, has become a textbook example of how dangerous a modern software supply chain attack can be for the crypto ecosystem. Technical details emerging from the investigation highlight weaknesses not only in application security, but also in publishing pipelines and user protection processes.
How the malicious Trust Wallet Chrome extension was distributed
The incident centers on version 2.68 of the Trust Wallet Chrome extension, which appeared in the Chrome Web Store on 24 December 2025. After installing or updating to this version, users began reporting unexplained withdrawals of assets from their wallets to unknown addresses. Trust Wallet quickly pushed a “clean” build, version 2.69, and urged all users to upgrade immediately.
Binance founder and Trust Wallet owner Changpeng Zhao publicly acknowledged that around $7 million in funds had been stolen and pledged to fully reimburse affected users. This rapid response limited the financial impact for individuals, but the compromise itself underscores how automatic browser updates can silently deliver malicious code at scale when a vendor’s release pipeline is abused.
Technical analysis of the Trust Wallet supply chain attack
According to blockchain security firm SlowMist, the attackers did not rely on a poisoned third‑party dependency. Instead, they directly altered the extension’s source code. The injected code iterated through all wallets stored in the extension, requested the encrypted data, decrypted the seed phrases using the user’s password, and exfiltrated them to attacker‑controlled infrastructure.
For data exfiltration, the actors abused the legitimate analytics framework PostHog. While the code appeared to send telemetry, the traffic was redirected to a fake endpoint, api.metrics-trustwallet[.]com, instead of PostHog’s official servers. Reusing trusted SDKs and HTTPS endpoints is a common tactic to hide malicious traffic inside seemingly normal analytics flows and to evade basic anomaly detection.
The domain metrics-trustwallet[.]com was registered on 8 December, with the first requests observed on 21 December, several days before the malicious release. This timeline indicates a prepared infrastructure and a planned operation, rather than an opportunistic compromise.
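The swap described above kept the PostHog SDK intact and only changed its backend host, so a release-review step can catch it by extracting every configured api_host from the bundled scripts and comparing it with an allowlist. This is an added example, not Trust Wallet's code or SlowMist's tooling; the allowlist and the two sample bundles are constructed, and the sample uses the indicator named in the report as the rogue value.

```python
import re
from urllib.parse import urlparse

# Hosts the extension's telemetry may legitimately reach. Assumed for this example;
# in practice it is derived from the vendor's own analytics configuration.
TELEMETRY_ALLOWLIST = {"us.i.posthog.com", "eu.i.posthog.com"}

# The PostHog JS SDK selects its backend through the api_host option; the attack
# left the SDK in place and replaced only this value, so that is what we extract.
API_HOST_RE = re.compile(r"""api_host\s*:\s*['"](https?://[^'"]+)['"]""")

# Constructed stand-ins for a bundled extension script (not the real extension code).
CLEAN_BUNDLE = (
    'posthog.init("phc_PLACEHOLDER_KEY", '
    '{ api_host: "https://us.i.posthog.com", autocapture: false });'
)
TROJANIZED_BUNDLE = (
    'posthog.init("phc_PLACEHOLDER_KEY", '
    '{ api_host: "https://api.metrics-trustwallet.com", autocapture: false });'
)


def telemetry_hosts(source: str) -> set:
    """Every hostname configured as a PostHog api_host in the given JS source."""
    hosts = set()
    for url in API_HOST_RE.findall(source):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def rogue_telemetry_hosts(source: str, allowlist=TELEMETRY_ALLOWLIST) -> list:
    """Telemetry hosts that are not on the allowlist, sorted for stable output."""
    return sorted(h for h in telemetry_hosts(source) if h not in allowlist)


def review_bundle(name: str, source: str) -> bool:
    """Print a one-line verdict for a bundle; returns True when it is clean."""
    rogue = rogue_telemetry_hosts(source)
    verdict = "OK" if not rogue else "ROGUE api_host -> " + ", ".join(rogue)
    print(f"{name}: {verdict}")
    return not rogue


if __name__ == "__main__":
    review_bundle("clean", CLEAN_BUNDLE)
    review_bundle("trojanized", TROJANIZED_BUNDLE)
```

The same check belongs in egress monitoring: an extension whose only expected telemetry target is PostHog should never open a connection to a vendor-lookalike host.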
Chrome Web Store pipeline compromise and stolen API key
Trust Wallet CEO Eowyn Chen stated that the 2.68 release never passed through the company’s standard internal CI/CD pipeline. Instead, attackers allegedly obtained a leaked Chrome Web Store API key and used it to upload a modified build directly to the store. The trojanized extension then passed Google’s review and became available to users on 24 December at 12:32 UTC.
This scenario illustrates the strategic value of technical credentials such as API keys, CI/CD tokens, and app store account access. Once compromised, these secrets effectively allow attackers to “speak as the vendor,” pushing malicious updates that inherit the trust of the original developer and are automatically installed by users.
Coordinated phishing campaign targeting Trust Wallet users
Parallel to the extension compromise, a separate phishing campaign against Trust Wallet users was launched. As reported by BleepingComputer, fake support accounts on X (Twitter) directed victims to fix-trustwallet[.]com, a phishing site mimicking the official Trust Wallet portal. The page offered to “fix a vulnerability” by installing an “updated” wallet version.
After clicking the update prompt, users were presented with a form requesting their seed phrase. Entering this phrase granted attackers complete control over the wallet and its funds. Notably, fix-trustwallet[.]com was registered with the same registrar as metrics-trustwallet[.]com, strongly suggesting both the supply chain compromise and the phishing operation were part of a coordinated campaign.
Scale of the losses and laundering of stolen crypto
Blockchain analysis indicates that attackers stole roughly $3 million in Bitcoin, about $431 in Solana (SOL), and more than $3 million in Ethereum. Security firm PeckShield reported that a large portion of the funds was quickly funneled through centralized exchanges and instant swap platforms to complicate tracing and potential freezes.
Approximately $3.3 million was routed through ChangeNOW, around $340,000 through FixedFloat, and roughly $447,000 to the exchange KuCoin. Around $2.8 million remained in addresses attributed to the attackers at the time of analysis. Splitting funds across multiple services is a common laundering technique, although many platforms now cooperate with law enforcement when alerted promptly.
Attribution, possible state links, and insider risks
SlowMist analysts do not rule out that the operation could involve state‑linked threat actors. Successfully modifying a widely used crypto wallet extension, setting up realistic infrastructure, and passing app store review suggests planning, technical sophistication, and potentially prolonged access to developer environments or internal assets.
Changpeng Zhao has also mentioned the possibility of insider involvement, though no public evidence currently confirms this theory. Historically, major crypto incidents often result from a combination of technical weaknesses, insufficient process controls around sensitive credentials, and human factors such as social engineering or insider abuse.
Key lessons for crypto users and organizations
Trust Wallet has committed to fully compensating affected users via an official support form on trustwallet-support.freshdesk.com, while warning about fake compensation forms and impersonated support accounts on Telegram and other platforms. Users are advised to interact only with channels listed on the official Trust Wallet website and verified profiles.
For organizations, this attack reinforces the need to harden the entire software supply chain: protect API keys and publishing credentials with hardware-backed security and least privilege; enforce strict CI/CD controls; implement code signing and reproducible builds; and continuously monitor for unexpected releases or permission changes in app stores.
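The release that did the damage never passed through CI/CD, so the "monitor for unexpected releases" control above amounts to checking that every version visible in the store was attested by the pipeline. The following added example (not Trust Wallet's tooling) has CI emit a keyed record for each build it produced and audits a store listing against that ledger; the key, version numbers and package bytes are constructed, and the HMAC stands in for whatever signing mechanism the pipeline actually uses.

```python
import hashlib
import hmac

# Key held only by the CI/CD pipeline (constructed value; keep a real one in a KMS/HSM).
CI_ATTESTATION_KEY = b"constructed-ci-attestation-key"


def _mac(version: str, sha256_hex: str, key: bytes) -> str:
    return hmac.new(key, f"{version}:{sha256_hex}".encode(), hashlib.sha256).hexdigest()


def attest_release(version: str, package: bytes, key: bytes = CI_ATTESTATION_KEY) -> dict:
    """Record the pipeline emits for every build it really produced."""
    digest = hashlib.sha256(package).hexdigest()
    return {"version": version, "sha256": digest, "mac": _mac(version, digest, key)}


def is_attested(version: str, package: bytes, ledger: list, key: bytes = CI_ATTESTATION_KEY) -> bool:
    """True only if this exact version and package hash carry a valid CI attestation."""
    digest = hashlib.sha256(package).hexdigest()
    expected = _mac(version, digest, key)
    return any(
        r["version"] == version
        and r["sha256"] == digest
        and hmac.compare_digest(r["mac"], expected)
        for r in ledger
    )


def audit_store_listing(observed: list, ledger: list, key: bytes = CI_ATTESTATION_KEY) -> list:
    """Versions seen in the store that CI never attested. Each is a candidate
    out-of-band upload, which is how release 2.68 reached users."""
    return [v for v, pkg in observed if not is_attested(v, pkg, ledger, key)]


# Constructed stand-ins for packaged builds (real ones would be the uploaded archive bytes).
CI_LEDGER = [
    attest_release("2.67", b"build-2.67-from-ci"),
    attest_release("2.69", b"build-2.69-from-ci"),
]
STORE_OBSERVED = [
    ("2.67", b"build-2.67-from-ci"),                    # legitimate, hash matches
    ("2.68", b"build-2.68-uploaded-with-stolen-key"),   # no CI record at all
    ("2.69", b"build-2.69-from-ci"),
]

if __name__ == "__main__":
    for v in audit_store_listing(STORE_OBSERVED, CI_LEDGER):
        print(f"ALERT: store version {v} has no valid CI attestation")
```

Polling the store listing on a schedule and paging on any unattested version turns a hours-long window of silent auto-updates into an alert the moment the rogue build appears.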
For individual users, several principles are critical: always verify domains and official announcements before installing updates; never enter a seed phrase on any website, form, or browser extension; use separate devices or browser profiles for large holdings; and prefer hardware wallets where possible. As long as crypto remains a high‑value target, disciplined security hygiene and healthy skepticism will remain essential to preserving digital assets.