Trust Wallet Chrome Extension Compromised Leading to Multi-Million Dollar Cryptocurrency Theft
A compromised update to the Trust Wallet Chrome extension, version 2.68.0 released on December 24, resulted in the theft of over $7 million in cryptocurrency from hundreds of users. Attackers injected malicious JavaScript code, disguised as analytics, which activated when users imported their seed phrases, exfiltrating sensitive wallet data to a domain mimicking Trust Wallet's infrastructure. The attack was first flagged by blockchain investigators and security researchers, who noted that only desktop extension users were affected, while the mobile app remained secure. Trust Wallet responded by releasing an urgent warning and a subsequent extension update, while security firms highlighted the likely supply-chain nature of the compromise.
In parallel to the direct compromise, threat actors launched phishing campaigns using domains such as fix-trustwallet.com, luring affected users with promises of a vulnerability fix but instead further draining their wallets. The incident underscores the risks of supply-chain attacks on browser extensions and the sophistication of attackers, who combined technical compromise with social engineering to maximize their haul. Security analysts and blockchain investigators continue to monitor the situation, advising users to avoid the Chrome extension until further notice and to remain vigilant against related phishing attempts.

How this story unfolded
11 events from the most recent confirmed update back to the earliest known activity.
Estimated losses are revised upward to $8.5 million
Subsequent reporting said the Trust Wallet compromise stole about $8.5 million from more than 2,500 wallets. The updated assessment accompanied stronger attribution to the Shai-Hulud campaign and ongoing remediation measures.
Trust Wallet links theft to Shai-Hulud supply-chain compromise
In early January, Trust Wallet said the incident was tied to the broader Shai-Hulud npm supply-chain attack. It reported that leaked developer GitHub secrets and a Chrome Web Store API key enabled attackers to bypass release controls and publish the malicious extension.
Trust Wallet says 2,596 wallets were drained
By December 29, Trust Wallet said the attack had drained 2,596 wallets and stolen roughly $7 million in cryptocurrency. The company said it had begun reimbursing affected users while verifying claims to prevent fraud.
Trust Wallet and Binance pledge reimbursement for victims
Following public confirmation of the breach, Trust Wallet said it would refund affected users, and Binance founder Changpeng Zhao said impacted funds would be covered. The company also warned users to move assets to new wallets with fresh seed phrases.
Researchers verify malicious code and exfiltration behavior
Independent researchers including Akinator and Andrew Mohawk confirmed the presence of the malicious code and its data theft function. Additional analysis said the backdoor was inserted into Trust Wallet's own codebase rather than a third-party dependency.
Trust Wallet confirms incident and urges upgrade to v2.69
Trust Wallet publicly confirmed that only Chrome extension version 2.68.0 was compromised and advised users to update immediately to version 2.69. It also said mobile users and other extension versions were not affected.
Trust Wallet discovers attack and rolls back the extension
After the attack was discovered on December 25, Trust Wallet rolled back to a clean version and began emergency response actions. The company later said it expired release APIs and reported the exfiltration domain to the registrar, which suspended it.
Parallel phishing campaign targets Trust Wallet users
At the same time as the malicious update, threat actors launched phishing activity using fake Trust Wallet-branded sites and social media accounts. The campaign tricked users into entering recovery phrases under the pretense of a security fix.
Users begin losing funds in Trust Wallet extension compromise
After installing or using version 2.68.0, affected users had wallet data stolen and their cryptocurrency drained. Early reporting put losses above $6 million, later rising to about $7 million, with only the Chrome extension affected.
Malicious Trust Wallet Chrome extension v2.68.0 is released
On December 24, a trojanized Trust Wallet Chrome extension update, version 2.68.0, was published to the Chrome Web Store. The update contained obfuscated JavaScript that exfiltrated wallet seed phrases or mnemonic data to attacker-controlled infrastructure.
Attackers register infrastructure for Trust Wallet campaign
Days before the compromise was discovered, attackers registered domains including metrics-trustwallet[.]com and lookalike phishing sites such as fix-trustwallet[.]com. Multiple reports said the domains used the same registrar, indicating a coordinated operation.
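The two indicator domains named above are the kind of artefact a defender can hunt for immediately. The following is an added example, not code from Mallory, Trust Wallet or any of the cited reports: it scans constructed DNS query-log lines for the exfiltration and phishing domains and, more generally, for brand lookalikes that are not under trustwallet.com (assumed here to be the vendor's legitimate domain).

```python
import re
from typing import Dict, List

# Indicator domains from the story, un-defanged (metrics-trustwallet[.]com, fix-trustwallet[.]com).
IOC_DOMAINS = {"metrics-trustwallet.com", "fix-trustwallet.com"}
# Assumption: trustwallet.com is the vendor's legitimate domain; any other name
# carrying the brand string is flagged as a lookalike for analyst review.
LEGIT_DOMAINS = {"trustwallet.com"}
BRAND = "trustwallet"

# Constructed sample lines in a BIND-style query-log layout; not logs from the incident.
SAMPLE_LOG = """\
Dec 26 10:01:02 dns1 named[1234]: client 10.0.0.21#51324: query: api.trustwallet.com IN A + (10.0.0.1)
Dec 26 10:01:05 dns1 named[1234]: client 10.0.0.21#51330: query: metrics-trustwallet.com. IN A + (10.0.0.1)
Dec 26 10:02:17 dns1 named[1234]: client 10.0.0.44#40011: query: fix-trustwallet.com IN AAAA + (10.0.0.1)
Dec 26 10:03:00 dns1 named[1234]: client 10.0.0.44#40012: query: trustwallet-support.example IN A + (10.0.0.1)
Dec 26 10:03:09 dns1 named[1234]: client 10.0.0.50#40100: query: www.google.com IN A + (10.0.0.1)
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN")

def normalize(qname: str) -> str:
    """Lower-case the name and drop a trailing root dot so comparisons are exact."""
    return qname.lower().rstrip(".")

def is_under(domain: str, parent: str) -> bool:
    """True if domain equals parent or is a subdomain of it (no substring false positives)."""
    return domain == parent or domain.endswith("." + parent)

def classify(domain: str) -> str:
    """Return 'ioc' for a known indicator, 'lookalike' for brand abuse, else 'benign'."""
    if any(is_under(domain, ioc) for ioc in IOC_DOMAINS):
        return "ioc"
    if BRAND in domain and not any(is_under(domain, ok) for ok in LEGIT_DOMAINS):
        return "lookalike"
    return "benign"

def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one hit per non-benign query, with the querying client and verdict."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # skip lines that are not query records
        domain = normalize(m.group("qname"))
        verdict = classify(domain)
        if verdict != "benign":
            hits.append({"client": m.group("client"), "domain": domain, "verdict": verdict})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Hosts that resolved the indicator domains during the affected window are candidates for seed-phrase compromise and should be treated as such regardless of which extension version they currently report.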