On the morning of December 26, Trust Wallet issued a security alert confirming a vulnerability in version 2.68 of its browser extension. Users running version 2.68 should immediately disable the extension and upgrade to version 2.69 using the official Chrome Web Store link.
PeckShield monitoring revealed that hackers exploiting this Trust Wallet vulnerability have stolen over $6 million in crypto assets from victims.
Currently, about $2.8 million of the stolen funds remain in the hacker’s wallets (across Bitcoin, EVM, and Solana chains), while more than $4 million has been transferred to centralized exchanges: approximately $3.3 million to ChangeNOW, around $340,000 to FixedFloat, and about $447,000 to Kucoin.
As the number of affected users surged, a code audit of Trust Wallet version 2.68 began immediately. Security analysts at SlowMist compared the source code of version 2.68.0 (compromised) and 2.69.0 (patched), discovering that attackers had implanted seemingly legitimate data collection code. This effectively turned the official extension into a privacy-stealing backdoor.
The SlowMist security team identified the Trust Wallet browser extension version 2.68.0 as the main attack vector. By comparing it to the patched 2.69.0 release, security experts found a highly obfuscated malicious code segment in the older version, as shown below.
This backdoor code integrated PostHog to capture a range of sensitive user data—including mnemonic phrases—and sent it to the attacker’s server at api.metrics-trustwallet[.]com.
Based on code changes and on-chain activity, SlowMist provided the following estimated timeline for the attack:
SlowMist’s analysis also indicates that the attackers are highly familiar with Trust Wallet’s extension source code. Notably, while the patched version (2.69.0) has blocked malicious transmissions, it has not removed the PostHog JS library.
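One defender-side check that follows from the indicators above, as an added example that is not Trust Wallet's or SlowMist's code: it scans an unpacked extension directory for the compromised 2.68 version and the reported exfiltration host, and treats the PostHog library on its own as a note rather than a finding, since the patched 2.69.0 still bundles it. The fixture layout and file names are constructed for the demonstration.

```python
import json
import re
import tempfile
from pathlib import Path

# Added example (not Trust Wallet's or SlowMist's code): flag the 2.68 build and the
# exfiltration host from the article; PostHog alone is only a note, 2.69.0 still ships it.
COMPROMISED_VERSION_PREFIX = ("2", "68")
EXFIL_HOST = "api.metrics-trustwallet[.]com".replace("[.]", ".")  # undo the article's defanging
TELEMETRY_MARKER = re.compile(r"posthog", re.IGNORECASE)

def is_compromised_version(version):
    """True for 2.68 and any 2.68.x build (manifest versions are dotted integers)."""
    return tuple(version.split(".")[:2]) == COMPROMISED_VERSION_PREFIX

def scan_extension(ext_dir):
    """Return findings for one unpacked extension; 'verdict' is the actionable result."""
    ext_dir = Path(ext_dir)
    findings = {"version": None, "exfil_host_files": [], "telemetry_files": []}
    manifest = ext_dir / "manifest.json"
    if manifest.is_file():
        findings["version"] = json.loads(manifest.read_text(encoding="utf-8")).get("version")
    for path in ext_dir.rglob("*.js"):
        text = path.read_text(encoding="utf-8", errors="ignore")
        rel = path.relative_to(ext_dir).as_posix()
        # Heavily obfuscated code may split or encode the host string, so a miss here
        # does not clear the build; the manifest version check is the reliable signal.
        if EXFIL_HOST in text:
            findings["exfil_host_files"].append(rel)
        if TELEMETRY_MARKER.search(text):
            findings["telemetry_files"].append(rel)
    bad_version = findings["version"] is not None and is_compromised_version(findings["version"])
    if bad_version or findings["exfil_host_files"]:
        findings["verdict"] = "compromised"  # disable the extension; treat the seed as exposed
    elif findings["telemetry_files"]:
        findings["verdict"] = "telemetry-present"  # the state of the patched 2.69.0 build
    else:
        findings["verdict"] = "clean"
    return findings

def build_fixture(version, js_source):
    """Write a constructed extension layout to a temp dir and return its path (demo only)."""
    root = Path(tempfile.mkdtemp(prefix="ext-"))
    (root / "manifest.json").write_text(json.dumps({"manifest_version": 3, "version": version}))
    (root / "js").mkdir()
    (root / "js" / "background.js").write_text(js_source)
    return root
```

build_fixture exists only so the scan can run offline against a constructed layout; in practice point scan_extension at the browser's unpacked extension directory.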
SlowMist Chief Information Security Officer 23pds stated on social media, “Based on SlowMist’s analysis, there is reason to believe that Trust Wallet developer devices or code repositories may be under attacker control. Please immediately disconnect from the internet and inspect all relevant devices.” He emphasized, “Users affected by these Trust Wallet versions must disconnect from the internet before exporting mnemonic phrases to transfer assets. Otherwise, opening the wallet online could result in asset theft. Anyone with a mnemonic backup should transfer assets first, then upgrade the wallet.”
He also noted that the attackers seem highly familiar with Trust Wallet’s extension code, having implanted PostHog JS to collect a variety of wallet user data. The patched Trust Wallet version still has not removed PostHog JS.
This incident, where an official Trust Wallet release became a trojan, has reminded the market of several high-profile attacks on hot wallet frontends in recent years. The attack methods and root causes in these cases offer valuable context for understanding this breach.
Attacks on software supply chains and distribution channels most closely resemble this Trust Wallet incident: users are victimized simply for downloading “official software,” without having made any mistake of their own.
Ledger Connect Kit Poisoning (December 2023): Hackers used phishing to compromise the frontend codebase of hardware wallet giant Ledger, uploading a malicious update. This contaminated several major dApp frontends, including SushiSwap, with fake connection pop-ups. The incident is considered a textbook “supply chain attack,” proving that even companies with strong security reputations remain vulnerable at single points of failure in their Web2 distribution channels, such as NPM.
Hola VPN and Mega Extension Hijacking (2018): The developer account for the Chrome extension of the popular VPN service Hola was compromised. Attackers pushed an “official update” containing malicious code that specifically targeted MyEtherWallet users and stole their private keys.
Beyond supply chain attacks, flaws in how wallets handle sensitive data—such as mnemonics and private keys—can also result in major asset losses.
Slope Wallet Log System Sensitive Data Controversy (August 2022): The Solana ecosystem experienced a large-scale crypto theft, with investigations focusing on the Slope wallet. One version sent private keys or mnemonics to Sentry services (referring to Sentry instances privately deployed by the Slope team, not the official Sentry service). However, security firms noted that the investigation has yet to conclusively determine the root cause, and further technical analysis is needed.
Trust Wallet Low-Entropy Key Generation Vulnerability (CVE-2023-31290, exploit traceable to 2022/2023): The Trust Wallet browser extension was found to have insufficient randomness, allowing attackers to exploit the enumerability of a 32-bit seed. This enabled efficient identification and derivation of potentially affected wallet addresses in certain versions, resulting in theft.
Browser extension wallets and search ecosystems have long faced issues with fake plugins, download pages, update pop-ups, and customer service messages. Installing from unofficial sources or entering mnemonics/private keys on phishing sites can instantly drain assets. When even official releases become risky, users’ security boundaries shrink further, and secondary scams often surge amid the confusion.
As of this writing, Trust Wallet has urged all affected users to upgrade immediately. However, with ongoing on-chain movement of stolen assets, the aftermath of this “Christmas Heist” is far from over.
Whether it’s Slope’s plaintext logs or Trust Wallet’s malicious backdoor, history repeats itself in troubling ways. Every crypto user should remember: never blindly trust a single software endpoint. Regularly review authorizations, diversify asset storage, and stay alert to suspicious version updates—these are the essential survival rules for navigating the crypto “dark forest.”