
Trust Wallet Chrome extension hack steals $7 million from more than 600 users


Trust Wallet suffered a supply-chain compromise of its Chrome extension that, on December 25, led to roughly $7 million in stolen crypto from more than 600 users. The breach centered on a malicious update to extension version 2.68 that enabled exfiltration of private keys and seed phrases and resulted in sustained transfers for more than 30 hours.

The compromised Chrome extension update was pushed on December 24 and began draining funds the following day across Bitcoin (BTC), Solana (SOL), Ethereum (ETH) and other EVM-based tokens. Security researchers who analyzed the package reported that malicious JavaScript injected into the extension silently captured private keys and seed phrases when users imported or accessed wallets in the affected build.

A supply-chain exploit is an attack that corrupts a vendor-provided component to deliver malicious code to downstream users. A seed phrase is a human-readable series of words that reproduces a wallet’s private keys and grants full access to its funds.

Trust Wallet incident details

Trust Wallet warned users of version 2.68 to immediately disable the extension and upgrade to patched releases (2.69 or 2.89). Binance CEO Changpeng Zhao confirmed the $7 million figure and said the company would cover losses: “We will fully reimburse affected users through SAFU,” he said, referring to Binance’s Secure Asset Fund for Users. Zhao also flagged a “possible insider job” as part of ongoing inquiries.

Affected users were advised to move assets to a new wallet, stop using any exposed seed phrases permanently, and revoke token approvals tied to compromised addresses. Trust Wallet and affiliated teams communicated the remediation steps and pushed updates intended to close the exploited vector.
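
A workstation or fleet check for the affected build, added here as an illustration and not taken from Trust Wallet or the researchers: it walks a Chrome user-data directory and reports every profile where version 2.68 is installed. The extension ID is a placeholder (the article does not give it), and the on-disk layout and the sample profile tree are assumptions constructed for the example.

```python
import json
import tempfile
from pathlib import Path

# Placeholder: the article does not give the extension's Chrome Web Store ID.
EXTENSION_ID = "REPLACE_WITH_EXTENSION_ID"
AFFECTED = {"2.68"}  # the version named in the article


def norm(version):
    """Compare dotted versions numerically, ignoring trailing zeros (2.68 == 2.68.0)."""
    parts = [int(p) for p in version.split(".") if p.isdigit()]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def find_affected(user_data_dir, extension_id=EXTENSION_ID, affected=AFFECTED):
    """Return sorted (profile, version) pairs where an affected build is installed."""
    bad = {norm(v) for v in affected}
    hits = []
    # Assumed layout: <User Data>/<profile>/Extensions/<id>/<version>_<n>/manifest.json
    pattern = f"*/Extensions/{extension_id}/*/manifest.json"
    for manifest in Path(user_data_dir).glob(pattern):
        try:
            version = str(json.loads(manifest.read_text(encoding="utf-8"))["version"])
        except (OSError, ValueError, KeyError, TypeError):
            # Unreadable manifest: fall back to the directory name (<version>_<n>).
            version = manifest.parent.name.split("_")[0]
        if norm(version) in bad:
            hits.append((manifest.parents[3].name, version))
    return sorted(hits)


def demo():
    """Build a constructed profile tree (sample data, not real) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for profile, vdir, body in [
            ("Default", "2.68_0", '{"version": "2.68"}'),   # affected
            ("Profile 1", "2.69_0", '{"version": "2.69"}'),  # patched
            ("Profile 2", "2.68.0_0", "{truncated"),         # broken manifest
        ]:
            d = Path(root, profile, "Extensions", EXTENSION_ID, vdir)
            d.mkdir(parents=True)
            (d / "manifest.json").write_text(body, encoding="utf-8")
        return find_affected(root)


if __name__ == "__main__":
    print(demo())
```

A hit means the affected build was present on that profile; whether a wallet was imported or accessed while it was installed has to be established separately.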

The incident underscores supply-chain risk in browser-based wallet software and the exposure that browser extensions introduce to self-custody holders. Investigations into the root cause and any internal involvement are ongoing.
