Trust Wallet experienced a security incident affecting its Chrome browser extension, specifically version 2.68, resulting in approximately $7 million in cryptocurrency being drained without authorization from hundreds of user wallets. The issue emerged shortly after a compromised update was released on , involving the injection of malicious JavaScript code into the extension.
The security breach on the Trust Wallet Chrome browser extension (version 2.68) led to the exfiltration of users’ mnemonic seed phrases. Malicious JavaScript code was reportedly disguised as analytics functionality, using a library similar to `posthog-js`, to silently capture these crucial recovery phrases when wallets were unlocked or imported. The stolen phrases were then sent to an attacker-controlled domain, `api.metrics-trustwallet[.]com`, allowing attackers to rapidly drain funds, primarily in Bitcoin, Ethereum, and Solana.
Investigations into the incident suggest a sophisticated supply-chain attack, which may have involved compromised developer access or deployment processes prior to mid-December. A supply-chain attack typically involves an attacker infiltrating a less secure element in the software’s development or distribution process to insert malicious code. In this case, the injected JavaScript code was designed to harvest mnemonic seed phrases, which are unique sequences of words that serve as the master key to a cryptocurrency wallet, enabling access to funds. The attackers’ control over the specified domain facilitated the collection of these sensitive phrases, enabling the subsequent theft of digital assets.
The incident is attributed to a sophisticated supply-chain attack, indicating that the malicious code was integrated into the legitimate software update process. This type of attack often exploits vulnerabilities in the development or deployment infrastructure, rather than directly targeting end-users with phishing. The compromise likely occurred at an earlier stage, possibly involving unauthorized access to Trust Wallet’s developer accounts or build systems before the update release.
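As an added example (not Trust Wallet's code and not the injected script), a release-gate check can list every host referenced in a packaged extension bundle and flag any outside an allowlist, including brand lookalikes such as the exfiltration domain named above. The allowlist, the brand token list, the first-party and third-party URLs, and the sample bundle are assumptions constructed for illustration.

```javascript
// Added example: egress-host audit for an unpacked extension bundle.
// Assumptions (not from the article): the allowlist, the first-party and
// third-party URLs, and the sample bundle text are constructed.
const IOC_DEFANGED = "api.metrics-trustwallet[.]com"; // domain named in the article
const IOC_HOST = IOC_DEFANGED.replace(/\[\.\]/g, ".");

const ALLOWED_DOMAINS = ["trustwallet.com"]; // assumed first-party domain
const BRAND_TOKENS = ["trustwallet"];

// Constructed sample; it is not the actual injected code.
const SAMPLE_BUNDLE = `
fetch("https://api.trustwallet.com/v1/assets");
analytics.init("key", { api_host: "https://${IOC_HOST}" });
new WebSocket("wss://rpc.thirdparty.example/ws");
`;

// Collect every hostname that appears in an http(s)/ws(s) URL literal.
function extractHosts(source) {
  const hosts = new Set();
  const urlPattern = /\b(?:https?|wss?):\/\/[^\s"'`<>)\\]+/gi;
  for (const match of source.match(urlPattern) || []) {
    try {
      hosts.add(new URL(match).hostname.toLowerCase());
    } catch {
      // Not a parseable URL; ignore it.
    }
  }
  return [...hosts];
}

// Match on a dot boundary so "metrics-trustwallet.com" does not pass
// as a subdomain of "trustwallet.com".
function isAllowed(host, allowedDomains) {
  return allowedDomains.some((d) => host === d || host.endsWith("." + d));
}

// Return one finding per host that is outside the allowlist.
function auditBundle(source, allowedDomains, brandTokens) {
  const findings = [];
  for (const host of extractHosts(source)) {
    if (isAllowed(host, allowedDomains)) continue;
    const squashed = host.replace(/[^a-z0-9]/g, "");
    const lookalike = brandTokens.some((t) => squashed.includes(t));
    findings.push({ host, reason: lookalike ? "brand-lookalike" : "not-allowlisted" });
  }
  return findings;
}

console.log(auditBundle(SAMPLE_BUNDLE, ALLOWED_DOMAINS, BRAND_TOKENS));
```

A check like this only sees URL literals present in the bundle text; hosts assembled at runtime need a complementary control such as a restrictive `connect-src` policy in the extension manifest.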
Specific details regarding how the supply chain was compromised, including the exact method of developer access or deployment process infiltration, have not been publicly disclosed. Information on potential user refunds or compensation for the approximately $7 million in lost funds is also not available.
Users of the Trust Wallet Chrome browser extension, particularly those who used version 2.68, are advised to monitor official Trust Wallet channels for further security advisories and guidance. The company is expected to provide updates on its investigation and any remediation efforts to enhance the security of its extensions and protect user assets.




