Trust Wallet Hack: $7 Million in Crypto Lost Due to Malicious Chrome Extension Update
- John Jordan
- 1 day ago
A critical security incident involving the Trust Wallet Chrome extension has resulted in an estimated $7 million in cryptocurrency losses for hundreds of users. The breach, affecting version 2.68 of the extension, allowed malicious code to harvest users' mnemonic recovery phrases, granting attackers access to their digital assets. Trust Wallet has urged all users to update to version 2.69 immediately and has pledged to refund all affected individuals.

Key Takeaways
- An estimated $7 million in cryptocurrency was lost due to a compromised Trust Wallet Chrome extension.
- The incident impacted version 2.68 of the extension, which contained malicious code designed to steal mnemonic phrases.
- Trust Wallet has released version 2.69 and is urging all users to update immediately.
- The company has committed to refunding all affected users.
- Mobile applications and other browser extension versions were not affected.
The Breach Uncovered
Independent security firms, including SlowMist and PeckShield, identified that version 2.68 of the Trust Wallet Chrome extension contained malicious code. This code was designed to iterate through stored wallets and prompt users for their mnemonic recovery phrases. The extension would then decrypt these phrases using the user's password and transmit them to an attacker-controlled server. The domain used for data exfiltration, api.metrics-trustwallet[.]com, was registered shortly before the thefts began.
How the Attack Unfolded
Researchers believe the attack was a supply-chain compromise, where malicious code was inserted directly into the extension's codebase, disguised as analytics functionality. When users imported their seed phrases into the compromised version, their funds were vulnerable. The stolen assets, including Bitcoin, Ethereum, and Solana, were quickly moved through centralized exchanges and cross-chain bridges for laundering. Blockchain investigators have traced significant portions of the stolen funds to exchanges like ChangeNOW, FixedFloat, and KuCoin.
Trust Wallet's Response and User Guidance
Trust Wallet has confirmed that the issue was limited to the Chrome browser extension version 2.68 and did not affect its mobile apps or other browser versions. A patched version, 2.69, was released promptly. Users are strongly advised to:
- Immediately disable Trust Wallet Chrome extension version 2.68.
- Update to version 2.69 from the Chrome Web Store.
- Assume any wallet that had its seed phrase imported into version 2.68 is compromised and transfer funds to a new, secure wallet.
- Be wary of phishing attempts and scams that may arise from the incident.
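For teams that need to find version 2.68 across many machines, the check below is an added example, not code from Trust Wallet or the cited researchers. It assumes Chrome's on-disk layout `<User Data>/<profile>/Extensions/<extension id>/<version>_N/manifest.json`, matches the extension by a display name containing "trust wallet" (an assumption, since the article gives no extension ID), and treats any 2.68.x manifest version as affected.

```python
import json
import sys
from pathlib import Path

AFFECTED = (2, 68)          # version named in the article
NAME_HINT = "trust wallet"  # assumption: the display name contains this text

def load_json(path):
    """Parse a JSON file; return {} if unreadable, corrupt or not an object."""
    try:
        data = json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}

def display_name(ext_dir, manifest):
    """Resolve the manifest name, following a __MSG_key__ locale reference."""
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[6:-2].lower()  # message keys are case-insensitive
        locale = str(manifest.get("default_locale", "en"))
        messages = load_json(ext_dir / "_locales" / locale / "messages.json")
        for k, v in messages.items():
            if k.lower() == key and isinstance(v, dict):
                return str(v.get("message", name))
    return name

def version_tuple(text):
    return tuple(int(p) for p in text.split(".") if p.isdigit())

def find_affected(user_data_dir):
    """Return (profile, extension_id, version) for each affected install."""
    hits = []
    for mf in sorted(Path(user_data_dir).glob("*/Extensions/*/*/manifest.json")):
        manifest = load_json(mf)
        version = str(manifest.get("version", ""))
        if version_tuple(version)[:2] != AFFECTED:
            continue
        if NAME_HINT in display_name(mf.parent, manifest).lower():
            profile, ext_id = mf.parts[-5], mf.parts[-3]
            hits.append((profile, ext_id, version))
    return hits

if __name__ == "__main__":
    for root in sys.argv[1:]:  # pass one or more Chrome "User Data" directories
        for hit in find_affected(root):
            print("AFFECTED", *hit)
```

A hit only shows that the affected build is installed in that profile; whether a seed phrase was imported into it still has to be established with the user.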
Trust Wallet CEO Eowyn Chen stated that the malicious version was likely published externally through the Chrome Web Store API key, bypassing standard release checks. The company is actively working on a compensation process for affected users and has set up a support desk for claims. Binance founder Changpeng Zhao has also assured users that affected individuals will be fully reimbursed through Binance's SAFU fund.
Broader Implications for Crypto Security
The Trust Wallet incident highlights the ongoing risks associated with browser-based cryptocurrency wallets and the increasing sophistication of supply-chain attacks. As digital assets gain mainstream adoption, attackers are targeting various points of entry, including software updates and third-party dependencies. Security experts continue to recommend robust security practices, such as using hardware wallets for significant holdings and maintaining vigilance against potential threats.






