
How Trust Wallet Crypto Users Lost $6M+ in a Browser Extension Incident

Published 25 December 2025
Author: Dr. Guneet Kaur

Key Takeaways

  • Trust Wallet users face heightened risk during browser extension security incidents.
  • Frequent updates, broad permissions, and dependency on browser environments make Trust Wallet extensions a higher-risk surface compared to cold or isolated wallets.
  • Reports suggest that importing seed phrases into the affected Trust Wallet extension version coincided with immediate unauthorized wallet drains.
  • Even with a well-known provider like Trust Wallet, users remain fully responsible for securing devices, updates, and signing environments.

On Christmas Day, a growing number of cryptocurrency users reported a serious security incident involving unauthorized wallet drains. The issue was first publicly flagged by on-chain investigator ZachXBT, who issued a community alert after receiving multiple independent reports from affected users. 

Within hours, the warning spread across Telegram and X, raising alarms throughout the self-custody community.

What initially appeared to be isolated cases quickly escalated into a broader investigation involving multiple blockchains, suspected supply-chain compromise indicators, and millions of dollars in losses.

While details continue to emerge, the incident has renewed scrutiny around browser-based wallets, extension security, and the risks associated with importing seed phrases into hot wallets.

Reports of Unauthorized Wallet Drains on Christmas Day

According to ZachXBT, numerous users of Trust Wallet reported that funds were drained from their wallet addresses within a short time window.

The reports spanned multiple blockchains, including EVM-compatible networks, Bitcoin, and Solana, suggesting the issue was not confined to a single chain or isolated smart contract interaction.

ZachXBT shared lists of wallet addresses believed to be associated with the thefts and later provided an update stating that hundreds of victims may have been affected. 

Based on initial address tracking and on-chain flows, losses were estimated to exceed $6 million, though these figures remain preliminary and subject to further verification as more victims come forward.

Suspicious Timing Following a Browser Extension Update

Crucially, ZachXBT emphasized that while the exact root cause was initially undetermined, the reports coincided closely with a recent update to the Trust Wallet Chrome browser extension, released on December 24. This temporal proximity raised concerns about a potential extension-level issue, though timing alone does not establish causation.

At the time, no immediate official security advisory had been issued, leading to heightened speculation within the community. As is often the case during active investigations, the lack of early confirmation contributed to uncertainty and misinformation.

What Security Researchers Observed in the Trust Wallet Extension Code

Independent security researchers and community members later began examining the Trust Wallet browser extension update more closely. According to multiple publicly shared analyses, a JavaScript file within the extension (identified as 4482.js) appeared to include newly added code that was not clearly documented in release notes.

Researchers alleged that:

  • The code presented itself as analytics-related functionality
  • It was capable of monitoring wallet activity
  • It appeared to activate when a seed phrase was imported into the extension
  • Data was allegedly transmitted to a domain identified as metrics-trustwallet[.]com

Community researchers further noted that the referenced domain had been registered only days earlier and later became inaccessible.

These findings led some researchers to raise the possibility of a supply-chain style compromise, though it is important to stress that these conclusions were based on third-party analysis and not an official audit at the time.

Why Importing a Seed Phrase Can Introduce Critical Risk

Several users publicly stated that wallets were drained almost immediately after importing a seed phrase into the Trust Wallet browser extension. One widely circulated post on X claimed a loss of $700k.

While individual user reports cannot be independently verified in isolation, the consistency of these accounts, combined with on-chain evidence of rapid fund movement, strengthened concerns that the act of importing seed phrases into the affected extension version may have exposed users to immediate risk.

Trust Wallet’s Official Response and Version-Specific Impact

Following the growing reports, Trust Wallet issued an official statement acknowledging a security incident affecting Trust Wallet Browser Extension version 2.68 only.

According to the company:

  • The issue was limited to browser extension version 2.68
  • Users were advised to disable the extension immediately
  • An updated version (2.69) was released as a fix
  • Mobile-only users were not impacted
  • Other browser extension versions were not affected

Trust Wallet stated that its team was actively investigating the issue and would continue providing updates. The company directed users to download the updated extension only through the official Chrome Web Store listing.
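
A local check for the two indicators reported in this article, the affected version 2.68 and the domain metrics-trustwallet[.]com, is sketched below as an added example (it is not Trust Wallet's or the researchers' code). It assumes you pass the unpacked Trust Wallet extension directory that contains manifest.json; the function and field names are illustrative.

```python
import json
import re
import sys
from pathlib import Path

AFFECTED = (2, 68)  # extension version named in Trust Wallet's statement
# Domain reported by researchers; matches plain and defanged spellings.
INDICATOR = re.compile(r"metrics-trustwallet(?:\[\.\]|\.)com", re.IGNORECASE)
TEXT_SUFFIXES = {".js", ".json", ".html"}


def parse_version(text):
    """Chrome extension versions are 1-4 dot-separated integers."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:  # treat 2.68.0 as 2.68
        parts.pop()
    return tuple(parts)


def audit_extension(ext_dir):
    """Audit one unpacked extension directory (the one holding manifest.json)."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    version = parse_version(manifest["version"])
    hits = []
    for path in sorted(ext_dir.rglob("*")):
        if path.is_file() and path.suffix.lower() in TEXT_SUFFIXES:
            if INDICATOR.search(path.read_text(encoding="utf-8", errors="ignore")):
                hits.append(path.relative_to(ext_dir).as_posix())
    return {
        "version": ".".join(str(p) for p in version),
        "affected_version": version == AFFECTED,
        "indicator_files": hits,
        "flagged": version == AFFECTED or bool(hits),
    }


if __name__ == "__main__":
    # Usage: python audit_extension.py <path-to-unpacked-extension-dir>
    result = audit_extension(sys.argv[1])
    print(json.dumps(result, indent=2))
    sys.exit(1 if result["flagged"] else 0)
```

A clean result only means neither indicator was found as plain text; a string that is encoded or assembled at runtime would not match, so the version check and the vendor's guidance still apply.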

How Self-Custody Wallets Can Be Compromised Without a Protocol Hack

This incident underscores a critical reality in cryptocurrency security: self-custody failures do not always require breaking cryptography or blockchain protocols.

In many cases, losses result from:

  • Compromised signing environments
  • Malicious or compromised browser extensions
  • Supply-chain attacks targeting updates
  • Social engineering combined with technical access
  • Seed phrase exposure during wallet import

Even when a wallet’s core cryptography remains secure, compromising the environment in which keys are handled can be sufficient to drain funds.

Why Browser-Based Wallet Extensions Are a Common Attack Vector

Browser-based wallets are particularly attractive targets for attackers due to:

  • Broad permissions within the browser environment
  • Frequent updates and third-party dependencies
  • User behavior that prioritizes convenience over verification
  • The irreversible nature of signed transactions

This does not mean browser wallets are inherently unsafe, but it does mean they demand higher operational security and user awareness.

CZ Responds to Trust Wallet Incident, Says User Funds Remain Safe

CZ stated that approximately $7 million has been impacted so far and confirmed that Trust Wallet plans to cover the losses, emphasizing that user funds remain protected.

He added that the team is continuing to investigate how attackers were able to submit and distribute a compromised version of the software, indicating a potential breach in the update or release process.

Security Tips for Affected and At-Risk Crypto Users

Based on currently available information, security researchers and investigators have advised users to:

  • Stop using the Trust Wallet browser extension until fully updated
  • Never import seed phrases into a browser extension unless absolutely necessary
  • Move remaining funds to a fresh wallet created on a secure device
  • Avoid installing unnecessary browser extensions
  • Ignore unsolicited recovery or support messages
  • Verify all wallet software through official sources only

Additionally, you should disconnect affected machines from the internet if funds remain at risk, as a precautionary measure.

What the Trust Wallet Incident Reveals About Self-Custody Responsibility

While investigations are ongoing, the Trust Wallet incident serves as a stark reminder that self-custody shifts responsibility entirely onto the user and their environment. Even well-known wallets can become vectors for loss if update mechanisms, signing environments, or user practices are compromised.

As the industry continues to mature, incidents like this highlight the need for:

  • Greater transparency during security events
  • Improved extension security standards
  • Clearer user education around seed phrase handling

For now, users are urged to remain cautious, follow verified updates, and treat every wallet interaction, especially seed phrase imports, as a critical security event.

In crypto, control comes with responsibility, and mistakes are irreversible.

FAQs

Was Trust Wallet officially hacked?

At the time of reporting, Trust Wallet has acknowledged a security incident affecting Browser Extension version 2.68 only, but has not described it as a protocol-level hack. Investigations suggest a potential extension-related or supply-chain issue rather than a blockchain or cryptographic failure.

Which users were affected by this incident?

According to Trust Wallet, only users of the browser extension version 2.68 were impacted. Mobile-only users and users on other extension versions were not affected. Reports indicate that users who imported seed phrases into the affected extension were at the highest risk.

How much money was stolen in the Trust Wallet incident?

Based on on-chain analysis shared by ZachXBT, more than $6 million appears to have been drained across multiple blockchains. This figure is based on an initial list of theft addresses and may increase as additional victims are identified.

Is it safe to use Trust Wallet now?

Trust Wallet has advised users to disable version 2.68 and upgrade to version 2.69 via the official Chrome Web Store. Users should only reinstall or use the extension after confirming they are on the patched version and should avoid importing seed phrases unless absolutely necessary.

