Trust Wallet Hack: How a Malicious Chrome Extension Stole Millions on Christmas Eve

The Chrome extension Trust Wallet has been compromised by hackers

In a stark reminder of the ever-present dangers in the crypto space, a sophisticated cyberattack targeted one of the industry's most popular wallets during the holiday season. On December 24, 2025, hackers successfully uploaded a compromised version of the Trust Wallet browser extension to the official Google Chrome Web Store, setting a trap for thousands of unsuspecting users.

The tampered extension, bearing version number 2.68, was a convincing fake of the legitimate software used to manage over 100 cryptocurrencies, including Bitcoin, Litecoin, Dogecoin, and Tron. For nearly 24 hours, this malicious code sat in the store, available for download and update, before eagle-eyed researchers and the team at Trust Wallet itself sprang into action.

The Discovery and Immediate Fallout

The alarm was first raised on Christmas Day by prominent on-chain investigator ZachXBT. Trust Wallet responded swiftly, but the critical window of exposure had already allowed the attack to inflict damage. The company urgently advised all users of the browser extension with version 2.68 to consider their wallets compromised and to immediately move all assets to new, secure wallets generated outside of the affected environment.

"Our security team was alerted and acted immediately to address the issue and remove the malicious extension," a Trust Wallet spokesperson stated. "User security is our utmost priority, and we are conducting a full investigation." Users were directed to the official Trust Wallet website for the latest updates and official communication.

Inside the Malicious Code: A Surgical Strike

Technical analyses, including a detailed breakdown published by cybersecurity researchers, reveal the precision of the attack. The hackers injected malicious code directly into the extension's authentication pathways. The moment a user unlocked their wallet—whether via password or biometrics—the theft sequence was triggered.

The code was designed to be comprehensive and stealthy. It didn't just target the active wallet window; it systematically scoured all wallets and seed phrases associated with the extension's instance. This information was then exfiltrated to servers controlled by the attackers, who had laid the groundwork well in advance.
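Because the advisory above tells users to treat any install of extension version 2.68 as compromised, a defender's first step is to find it. The following scanner is an added example, not code from the article or from Trust Wallet: it walks a Chrome profile's Extensions directory, resolves the localized extension name from _locales when the manifest uses a __MSG_ placeholder, and reports installs that match the flagged name and version. The extension ID, the profile path and the sample manifests in demo() are constructed placeholders, since the article does not give them.

```python
import json
import tempfile
from pathlib import Path

# Build the advisory says to treat as compromised. The real extension ID is not
# given in the article, so matching is done on manifest name plus version.
TARGET_NAME = "trust wallet"
BAD_VERSIONS = {"2.68"}


def resolve_name(manifest: dict, ext_dir: Path) -> str:
    """Resolve a __MSG_key__ name placeholder from _locales/en/messages.json."""
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[6:-2]
        msgs = ext_dir / "_locales" / "en" / "messages.json"
        if msgs.is_file():
            try:
                name = json.loads(msgs.read_text(encoding="utf-8")).get(key, {}).get("message", name)
            except ValueError:
                pass  # malformed messages file: fall back to the raw placeholder
    return name


def is_compromised(manifest: dict, ext_dir: Path = Path(".")) -> bool:
    """True when the manifest names Trust Wallet and carries a flagged version."""
    return (TARGET_NAME in resolve_name(manifest, ext_dir).lower()
            and str(manifest.get("version", "")) in BAD_VERSIONS)


def scan(extensions_root: Path) -> list:
    """Walk Chrome's Extensions/<id>/<version>_<n>/manifest.json layout; return (id, version) hits."""
    hits = []
    for mf in extensions_root.glob("*/*/manifest.json"):
        try:
            manifest = json.loads(mf.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it rather than abort the scan
        if is_compromised(manifest, mf.parent):
            hits.append((mf.parent.parent.name, str(manifest.get("version"))))
    return hits


def demo() -> list:
    """Constructed sample profile: one flagged 2.68 install beside one clean 2.69 install."""
    root = Path(tempfile.mkdtemp())
    for ext_id, version in (("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "2.68"), ("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "2.69")):
        d = root / ext_id / f"{version}_0"
        (d / "_locales" / "en").mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": "__MSG_appName__", "version": version}))
        (d / "_locales" / "en" / "messages.json").write_text(json.dumps({"appName": {"message": "Trust Wallet"}}))
    return scan(root)
```

On a real machine, point scan() at the profile's Extensions directory (for example `~/.config/google-chrome/Default/Extensions` on Linux) and treat any hit as grounds to follow the advisory, not to keep using that wallet.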

Pre-Planned Infrastructure and a Holiday Trap

Investigators tracing the attack found that the infrastructure for this data theft was established as early as December 8, 2025. Among the servers used was a Synology NAS system hosted in Ukraine, linked by analysts to previous cybercrime activities. This preparation indicates a highly planned operation, not an opportunistic smash-and-grab.

The timing, on Christmas Eve, was almost certainly strategic. The holiday period is notoriously challenging for cybersecurity defense. Security and support teams are often skeleton crews or out of office, leading to delayed response times. Attackers exploit this "digital silence," knowing that their window of undetected access can be significantly longer.

Industry Response and Moving Forward

In a significant move, Binance founder Changpeng "CZ" Zhao quickly announced that affected users would be fully compensated for their losses, a commitment that underscores the serious nature of the breach and the exchange's backing of its associated wallet product.

For a deep technical dissection of the attack vectors and code, an insightful analysis can be found in this report: Inside the Code That Stole $7M on Christmas Eve.

Lessons for the Crypto Community

This incident serves as a critical reminder for all crypto users:

  1. Be Extremely Cautious with Browser Extensions: They are a high-value target for hackers. Only download from official sources and be wary of unexpected update prompts.
  2. Holidays Are High-Risk Periods: Exercise increased vigilance during times when official support channels may be slow.
  3. Hardware Wallets Are Safer for Storage: For significant holdings, the security model of a hardware wallet (cold storage) is far superior to that of a browser extension (hot wallet).
  4. Act Fast on Warnings: If a security alert is issued by a trusted project, act on it immediately without delay.

While the swift response from Trust Wallet and Binance helped mitigate further damage, the Christmas Eve hack is a sobering entry in the ledger of crypto security—a calculated strike that turned a time of celebration into a lesson in perpetual vigilance.
