Trust Wallet is urging users to update its Google Chrome extension to the latest version following what it described as a “security incident” that led to the loss of nearly $7 million.
The multi-chain, non-custodial cryptocurrency wallet service said the issue affects version 2.68. According to the Chrome Web Store listing, the extension has around one million users. Users are advised to update to version 2.69 as soon as possible.
“We have confirmed that approximately $7 million has been impacted and we will ensure that funds are refunded to all affected users,” Trust Wallet said in a post on X. “Supporting affected users is our top priority, and we are actively finalizing the process to refund affected users.”
Trust Wallet is also urging users to refrain from interacting with any messages that do not come from its official channels. Mobile-only users and users of all other browser extension versions are not affected.
According to details shared by SlowMist, version 2.68 introduced malicious code that is designed to iterate through all wallets stored in the extension and trigger a mnemonic phrase request for each wallet.
“The encrypted mnemonic is decrypted using the password or passkeypassword entered during wallet unlock,” the blockchain security firm said. “Once decrypted, the memorable phrase is sent to the attacker’s server api.metrics-trustwallet[.]com.”
The domain “metrics-trustwallet[.]com” was registered on December 8, 2025, with the first request to “api.metrics-trustwallet[.]com” starting December 21, 2025.
Further analysis revealed that the attacker leveraged an open-source full-chain analytics library called posthog-js to obtain wallet user information.
Digital assets withdrawn so far include nearly $3 million in Bitcoin, $431 in Solana, and over $3 million in Ethereum. The stolen funds have been transferred through centralized exchanges and cross-chain bridges for laundering and swapping. According to an update shared by blockchain investigator ZachXBT, the incident has claimed hundreds of victims.
“While ~$2.8M of the stolen funds remains in the hacker’s wallets (Bitcoin/EVM/Solana), the bulk – >$4M in crypto – has been sent to CEX [centralized exchanges]: ~$3.3 million to ChangeNOW, ~$340,000 to FixedFloat, and ~$447,000 to KuCoin,” PeckShield said.
SlowMist said, “This backdoor incident originated from malicious source code modification within the internal Trust Wallet extension codebase (analytics logic), not from an injected, compromised third-party dependency (e.g., malicious npm package).”
“The attacker directly compromised the application’s own code, then leveraged the legitimate Posthog Analytics library as a data-exfiltration channel, redirecting analytical traffic to an attacker-controlled server.”
The company said there is a possibility that this is the work of a nation-state actor, with the attackers gaining control of developer tools related to Trust Wallet or obtaining permission for deployment before December 8, 2025.
Changpeng Zhao, co-founder of crypto exchange Binance, which owns the utility, indicated that the exploit was “most likely” carried out by an insider, though no further evidence was provided to support the theory.
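SlowMist's finding above is that a legitimate analytics library was redirected to an attacker-controlled host. The following is an added example (not code from Trust Wallet, SlowMist or this article) of a pre-release check that audits an extension bundle for analytics endpoints outside an allowlist and flags brand-lookalike hosts; the allowlist, the official domain list, the `api_host` key pattern and the sample bundle strings are assumptions constructed for illustration.

```javascript
// Added example. Allowlist, official domains and sample bundles are constructed assumptions.
const ALLOWED_VENDOR_HOSTS = new Set(['us.i.posthog.com', 'eu.i.posthog.com']);
const OFFICIAL_DOMAINS = ['trustwallet.com']; // assumed first-party domain list
const BRAND = 'trustwallet';

// Matches api_host / apiHost keys (plain or JSON-quoted) followed by a quoted URL.
const API_HOST_RE = /\bapi_?host\b["']?\s*[:=]\s*["'`](https?:\/\/[^"'`\s]+)["'`]/gi;

// The indicator stays defanged in source; refang only when building test input.
const refang = (s) => s.replace(/\[\.\]/g, '.');

function findAnalyticsHosts(source) {
  const hosts = [];
  for (const m of source.matchAll(API_HOST_RE)) {
    try {
      hosts.push(new URL(m[1]).hostname.toLowerCase());
    } catch {
      // Value was not a parseable URL; skip it.
    }
  }
  return hosts;
}

function classifyHost(host) {
  if (OFFICIAL_DOMAINS.some((d) => host === d || host.endsWith('.' + d))) return 'first-party';
  if (ALLOWED_VENDOR_HOSTS.has(host)) return 'allowed-vendor';
  // Brand string present but not under an official domain: typical lookalike.
  return host.includes(BRAND) ? 'brand-lookalike' : 'unknown';
}

// Returns only the endpoints a reviewer needs to look at before release.
function auditBundle(source) {
  return findAnalyticsHosts(source)
    .map((host) => ({ host, verdict: classifyHost(host) }))
    .filter((f) => f.verdict === 'brand-lookalike' || f.verdict === 'unknown');
}

// Constructed sample bundles (not the real extension code).
const SUSPECT_BUNDLE = refang('posthog.init("phc_constructed",{api_host:"https://api.metrics-trustwallet[.]com"});');
const CLEAN_BUNDLE = 'posthog.init("phc_constructed",{"api_host":"https://eu.i.posthog.com"});';

console.log(auditBundle(SUSPECT_BUNDLE));
console.log(auditBundle(CLEAN_BUNDLE));
```

Run against the built bundle in CI, a non-empty result is a reason to block the release and diff the analytics configuration against the previous version.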