A routine Chrome extension update turned into the beginning of a major crypto asset heist. On December 24, Trust Wallet released an update for its Chrome extension, version 2.68, via the Chrome Web Store.
On December 25, Christmas Day, the first victims woke up to find their wallet funds had been transferred out without authorization. Blockchain investigator ZachXBT quickly launched an investigation and issued an urgent alert in Telegram groups.
As the investigation progressed, the full scope of the incident became clear: only users of the browser extension version 2.68 were affected; mobile and other versions remained secure.
01 Incident Overview: Christmas Security Breach and Community Response
December 25, 2025—a day meant for celebration—became a nightmare for hundreds of Trust Wallet users. On-chain sleuth ZachXBT sounded the alarm, reporting that hundreds of users had their funds stolen from the Trust Wallet platform, with losses already reaching at least $6 million.
Trust Wallet, a cryptocurrency wallet under Binance, claims tens of millions of users. As a leading non-custodial wallet, it supports major blockchains like Ethereum and Binance Smart Chain, and integrates closely with numerous DeFi platforms.
Following the breach, Trust Wallet issued an official security alert confirming a vulnerability in browser extension version 2.68 and urgently released a patched version, 2.69.
Binance founder CZ also responded on social media, stating that the total losses from the vulnerability amounted to roughly $7 million and pledging that the platform would fully compensate affected users, assuring them that funds are "SAFU" (Secure Asset Fund for Users).
02 Attack Timeline: A Carefully Orchestrated Christmas Heist
The timeline of this security breach reveals careful planning by the attackers. On December 24, Christmas Eve, Trust Wallet pushed the extension update to the Chrome Web Store. Most users, caught up in the holiday spirit, updated automatically or manually.
Just hours later, from early through late morning on December 25 (US Eastern time), the first victims began noticing unauthorized fund transfers. After receiving multiple reports, ZachXBT issued a public alert on Telegram around noon local time.
The unauthorized transfers continued for more than 30 hours, long after the initial reports. During this ongoing theft, Trust Wallet’s official accounts were still posting holiday greetings and marketing campaigns, a stark contrast that fueled strong dissatisfaction in the community.
It wasn’t until December 26—over 30 hours after the incident began—that Trust Wallet representatives publicly acknowledged the browser extension vulnerability. This delayed response drew widespread criticism and further heightened user concerns.
03 Technical Analysis: The Fatal Browser Extension Vulnerability
Security experts suggest the attack may have been executed in one of two ways: either malicious code was deliberately injected during the update, or an exploitable vulnerability was inadvertently introduced.
The high-level permissions of Chrome extensions make them prime targets for attackers. These extensions can read and modify all web content accessed by the user, intercept network requests, inject arbitrary scripts, and even access local storage.
SlowMist’s CISO further noted that this breach may have originated from a compromise of developer devices or the code repository, and users are still being affected. This analysis highlights the threat of supply chain attacks—attackers don’t need to breach the wallet app directly; compromising any upstream dependency is enough.
Security research shows browser wallets face three systemic risks: automatic updates force users to accept new versions without code review; permission abuse allows legitimate extensions to add malicious code during updates; dependency chain vulnerabilities mean downstream apps can be affected without users’ knowledge.
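One way to act on the update and permission risks described above is to diff every extension update against the previous version before trusting it. The following is an added example, not code from Trust Wallet or the original article; both extension versions, the file names and the hosts are constructed sample data, and `grants`, `hostsIn` and `diffUpdate` are hypothetical helper names.

```javascript
// Constructed sample data: two versions of a hypothetical extension, each as
// { manifest, files } where files maps a bundled file name to its source text.
const previous = {
  manifest: { version: "1.0.0", permissions: ["storage"],
              host_permissions: ["https://rpc.example.org/*"] },
  files: { "background.js": 'fetch("https://rpc.example.org/v1");' },
};
const updated = {
  manifest: { version: "1.0.1", permissions: ["storage", "webRequest"],
              host_permissions: ["<all_urls>"] },
  files: {
    "background.js": 'fetch("https://rpc.example.org/v1");',
    "analytics.js": 'const api = "https://metrics.example.net/capture";',
  },
};

// Everything the manifest lets the extension touch: API permissions, host
// patterns, and the pages its content scripts are injected into.
function grants(manifest) {
  const scripts = manifest.content_scripts || [];
  return new Set([
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...scripts.flatMap((cs) => cs.matches || []),
  ]);
}

// Hosts named in http(s) URL literals anywhere in the bundled source.
function hostsIn(files) {
  const hosts = new Set();
  for (const src of Object.values(files)) {
    for (const m of src.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) hosts.add(m[1].toLowerCase());
  }
  return hosts;
}

const added = (before, after) => [...after].filter((x) => !before.has(x)).sort();

function diffUpdate(prev, next) {
  const report = {
    from: prev.manifest.version, to: next.manifest.version,
    newGrants: added(grants(prev.manifest), grants(next.manifest)),
    newHosts: added(hostsIn(prev.files), hostsIn(next.files)),
    newFiles: added(new Set(Object.keys(prev.files)), new Set(Object.keys(next.files))),
  };
  report.needsReview = report.newGrants.length > 0 || report.newHosts.length > 0;
  return report;
}
console.log(diffUpdate(previous, updated));
```

A literal-URL scan misses hosts assembled at run time, so an empty `newHosts` list does not by itself clear an update.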
04 Fund Flow Tracking: The Hacker’s Money Laundering Route
PeckShield’s monitoring data indicates that in the Trust Wallet exploit, hackers have stolen over $6 million in crypto assets from victims. These funds were swiftly and automatically transferred to a group of wallets controlled by the attackers.
Tracking the flow of funds reveals a systematic laundering process:
| Fund Status | Amount (approx. USD) | Main Destination or Notes |
|---|---|---|
| Still in hacker wallets | $2.8 million | Distributed across Bitcoin, EVM, and Solana networks |
| Transferred to centralized exchanges | Over $4 million | Sent to ChangeNOW, FixedFloat, KuCoin, and others |
Specifically, around $3.3 million was sent to ChangeNOW, about $340,000 to FixedFloat, and roughly $447,000 to KuCoin. This rapid, dispersed transfer pattern is typical of extension or frontend breaches, designed to make tracing more difficult.
On-chain analysts found that a newly created EVM wallet received transactions ranging from fractions of an ETH up to 7 ETH. One address still holds more than 255 ETH, worth about $750,000.
On the Bitcoin network, a single address received over 12 BTC (worth more than $1 million) via 66 transactions, while other wallets collectively received 1.5 BTC.
05 Market Impact and Token Performance
The Trust Wallet incident not only affected direct victims but also sent shockwaves through the broader crypto market. As the native utility token of the wallet ecosystem, Trust Wallet Token (TWT) may face downward price pressure.
SlowMist founder Yu Jin further pointed out that the attacker appeared highly familiar with the Trust Wallet extension’s source code, injecting PostHog JS to collect a wide range of user wallet data. Alarmingly, the Trust Wallet patched version did not remove the PostHog JS script.
Historically, similar security incidents have caused related token prices to drop 10–20% within 24 hours, with trading volumes surging amid panic selling. This event may also prompt investors to shift toward safer assets like Bitcoin and Ethereum.
As of December 26, Gate platform data shows a cautious market sentiment, with investors paying increased attention to wallet security issues. Although CZ has promised full compensation, restoring market confidence will take time.
06 User Response Guide and Security Recommendations
If you are a potentially affected Trust Wallet user, take these immediate steps:
Step 1: Review and Isolate. Check your transaction history from the past 48 hours, paying close attention to unauthorized token transfers, contract interactions, or signature authorizations. If you spot suspicious activity, immediately disable the Trust Wallet Chrome extension by visiting chrome://extensions and removing or disabling it.
Step 2: Asset Recovery. Use Revoke.cash or Etherscan’s Token Approvals feature to revoke all DeFi authorizations. Create a brand-new wallet with a freshly generated seed phrase—do not restore from your old wallet. Transfer any remaining assets to the new wallet, and avoid using devices that may have been compromised.
Step 3: Report and Defend. ZachXBT recommends victims proactively contact law enforcement and provide detailed transaction records. While crypto theft cases rarely get solved, establishing an official record is crucial for future class action lawsuits or insurance claims.
For Trust Wallet users who haven’t been affected, preventive measures include: stop using the Chrome extension and switch to mobile apps or hardware wallets; review and revoke unnecessary DeFi contract authorizations; avoid signing new transactions or approvals until the situation is clear; regularly back up your seed phrase and store it offline; consider moving large assets to a hardware wallet.
Trust Wallet’s official support center has outlined the compensation process, and victims can register their claims through this channel. ZachXBT noted that if Trust Wallet is found responsible, the platform may need to compensate affected users.
Outlook
With over $4 million in stolen funds already moved to exchanges like ChangeNOW, FixedFloat, and KuCoin, the aftershocks of this Christmas heist continue to reverberate throughout the crypto world. Security firm PeckShield reports that about $2.8 million remains in hacker-controlled wallets.
Yu Jin, the security expert who discovered the suspicious script still present in the patched version, continues to sound the alarm on social media. In the digital asset world, security is never a one-off event—it’s an endless marathon.
Trust Wallet’s silence and subsequent actions will set the tone for how the industry responds to security crises. For every crypto asset holder, this incident serves as a sobering and unmistakable reminder: true security is always in your own hands.


