Trust Wallet released Version 2.68 of its Google Chrome extension on December 25, 2025, a holiday update that later proved harmful. Typically, software updates fix problems, but this one created a “backdoor.” Hackers took over the update process and added harmful code to the extension.
The harmful code, recognised by security firms as a modified version of the PostHog analytics tool, didn’t just sit idle. When a user unlocked their extension or used it, the code secretly collected their Seed Phrase (the 12-24 words that serve as the primary key to their crypto).
The attackers exfiltrated the captured phrases and quickly used automated bots to drain wallets on Ethereum, Bitcoin, and Solana. The attack was narrowly scoped: it only affected the Chrome extension (v2.68). Users of the mobile apps (iOS/Android) and of other browsers were not affected.
The speed of the theft was shocking. In just a few hours, about $7 million was stolen from many wallets. The victims were mostly desktop users with auto-updates turned on. The stolen assets included valuable cryptocurrencies such as BTC, ETH, and SOL, as well as stablecoins.
Since this was a “hot wallet” hack, the attackers didn’t need to break into a vault; the users’ own browsers gave them access to the keys.
The Response: “Funds are SAFU”
Here the story shifts from a tragedy to a lesson in crisis management. When a non-custodial wallet is drained because of a technical vulnerability, companies typically point to the ‘use at your own risk’ nature of DeFi and walk away. Because Binance owns Trust Wallet, however, it chose to draw on its massive ‘SAFU’ insurance fund to make users whole, a rarity in the world of self-custody.
Trust Wallet’s Official Action Plan:
- The Kill Switch: They immediately pushed Version 2.69, which removed the malicious code.
- The Reimbursement: In a rare move for a DeFi wallet, they pledged to fully refund all victims who were drained due to the v2.68 exploit.
- The Warning: They urged everyone to revoke permissions and move funds to a new wallet address immediately, as the old seed phrases are now considered “burned.”
Technical Deep Dive: What is a Supply Chain Attack?
To understand why this is scary, we need to define the attack vector.
Definition: A Supply Chain Attack is when a hacker doesn’t attack you directly. Instead, they compromise the tool you use, or the channel that delivers it, so the malicious code reaches you through a path you already trust.
Think of it this way: you buy a safe from a trusted company and lock your money inside. But before you bought it, an employee made copies of all the keys. This is similar to what happens in a supply chain attack. Users didn’t click on a phishing link; they just trusted an official software update.
What You Must Do Right Now
If you use the Trust Wallet Browser Extension, don’t feel safe just because you still see your balance.
- Check Your Version: Open chrome://extensions and note the installed version of the Trust Wallet extension. The settings page only shows the version installed right now, so if auto-updates were on and version 2.68 was ever installed, treat your wallet as compromised.
- Update Immediately: Make sure you have version 2.69 or higher.
- The “Burn” Rule: If you used version 2.68, treat your Seed Phrase as if everyone knows it. Create a new wallet with a new seed phrase, then transfer any remaining funds to it. Do not use the old wallet again.
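For the version check above, here is an added defender-side sweep (example code written for this post, not Trust Wallet’s or Chrome’s own tooling): it walks a Chrome user-data directory, reads every extension’s manifest.json, and flags any extension named Trust Wallet whose version is on the affected 2.68 line. It assumes the manifest name contains “Trust Wallet” (directly or through a localised __MSG_ key) and that Chrome’s standard Extensions directory layout is in use.

```python
import json
import sys
from pathlib import Path

AFFECTED = (2, 68)  # the backdoored extension release named in the article
FIXED = (2, 69)     # the first clean release named in the article

def parse_version(text):
    """'2.68.0' -> (2, 68, 0); non-numeric components become 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))

def resolve_name(manifest, ext_dir=None):
    """Resolve a localised '__MSG_key__' name via _locales/<locale>/messages.json;
    the raw key is returned when it cannot be resolved."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__") and ext_dir is not None:
        key, locale = name[6:-2], manifest.get("default_locale", "en")
        msg_file = Path(ext_dir) / "_locales" / locale / "messages.json"
        try:
            name = json.loads(msg_file.read_text(encoding="utf-8"))[key]["message"]
        except (OSError, KeyError, ValueError):
            pass  # unresolved key is reported as unrelated; inspect such entries manually
    return name

def assess_manifest(manifest, ext_dir=None):
    """Classify one manifest as unrelated, compromised, fixed or outdated."""
    if "trust wallet" not in resolve_name(manifest, ext_dir).lower():
        return "unrelated"
    major_minor = parse_version(manifest.get("version", "0"))[:2]
    if major_minor == AFFECTED:
        return "compromised"
    return "fixed" if major_minor >= FIXED else "outdated"

def sweep(data_dir):
    """Yield (manifest_path, status) for Trust Wallet manifests in every profile.
    Layout: <data_dir>/<Profile>/Extensions/<id>/<version>_<n>/manifest.json"""
    for manifest_path in Path(data_dir).glob("*/Extensions/*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        status = assess_manifest(manifest, manifest_path.parent)
        if status != "unrelated":
            yield str(manifest_path), status

if __name__ == "__main__":
    # usage: python sweep.py ~/.config/google-chrome   (Linux; macOS/Windows paths differ)
    for path, status in sweep(sys.argv[1]):
        print(f"{status:12} {path}")
```

A “fixed” result only describes what is installed now; Chrome does not keep earlier version directories, so a machine that auto-updated through 2.68 still falls under the burn rule. Pass the Chrome user-data directory as the argument (on macOS ~/Library/Application Support/Google/Chrome, on Windows %LOCALAPPDATA%\Google\Chrome\User Data).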
The Verdict: A Bullet Dodged
This situation could have been disastrous. If the bad code had affected the mobile app, it could have led to billions in losses instead of millions. Trust Wallet acted fast to reimburse users, which helped protect their reputation. This raises a new expectation: wallet providers might need to insure their users against their own software failures.
