- A malicious Trust Wallet Chrome extension update led to millions in crypto losses from thousands of browser wallets.
- Attackers abused a leaked Chrome Web Store API key and a suspected supply chain compromise to ship a trojanized version of the extension.
- Trust Wallet is rolling out reimbursements only to confirmed victims, tightening its claims process to filter fraudulent requests.
- New extension versions add verification features and security guidance, while the mobile app remains unaffected.

Over the recent holiday period, thousands of Trust Wallet users woke up to find that their browser-based crypto wallets had been silently emptied. A malicious update to the popular Chrome extension allowed attackers to siphon off digital assets across multiple blockchains, triggering one of the most disruptive wallet incidents of the past year.
As the scope of the breach became clear, Trust Wallet moved to shut down the attacker’s infrastructure, pull the compromised version from the Chrome Web Store and promise compensation for verified victims. At the same time, the company has had to navigate technical hurdles, a wave of fraudulent reimbursement claims and heightened concern over supply chain risks in the crypto software ecosystem.
How the Trust Wallet browser exploit unfolded
The incident centers on Trust Wallet’s Chrome browser extension, which is used by thousands of people to manage self-custodied cryptocurrencies directly from their web browser. According to Trust Wallet, attackers were able to publish a malicious release of the extension that looked legitimate but contained hidden code to steal sensitive wallet data.
In one incident report, the company said the attackers managed to push a trojanized build of the extension through the Chrome Web Store review process. They allegedly did this by abusing a leaked or compromised Chrome Web Store API key associated with Trust Wallet’s developer account, effectively bypassing internal safeguards that should have prevented unauthorized releases.
This tampered extension included embedded JavaScript designed to exfiltrate critical wallet information, such as private keys or seed phrases, from users who interacted with it. Once the malicious code was live, anyone updating or installing the affected version of the extension became a potential target.
Trust Wallet has said that the exploit impacted roughly 2,500 to 2,600 distinct wallet addresses across several blockchain networks. One early tally from the company put total losses at about $7 million, while a later statement referenced an estimated $8.5 million in compromised assets as investigations refined the numbers and additional victims were confirmed.
Investigators and the Trust Wallet team highlighted that the attack did not happen spontaneously: the adversaries staged their infrastructure weeks before the actual thefts. Domains, servers and malicious components were reportedly set up around December 8, well ahead of the Christmas-period deployment of the bad extension version.
The malicious Chrome extension version and holiday timing
The focal point of the breach was a specific release of the extension, identified as version 2.68 of the Trust Wallet browser add-on. This build was pushed out around Christmas Eve, just as many users were on holiday and paying less attention to security warnings or update details.
Users who installed or updated to this version found out only later that their balances had been drained over a roughly two-day window between December 25 and 26. Blockchain analysis suggested that funds were systematically swept from compromised wallets into attacker-controlled addresses, with little chance of recovery once the transfers were confirmed.
Trust Wallet responded by releasing a clean version 2.69 intended to replace the compromised 2.68 build. The company urged everyone to upgrade immediately to stop further exfiltration of sensitive data. However, that quick fix did not entirely go to plan: the new version ran into an unexpected bug in the Chrome Web Store pipeline.
Because of this issue, the extension became temporarily unavailable in the Chrome Web Store, which sparked confusion and concern among users who feared an even bigger security problem. Trust Wallet’s leadership later clarified that the outage was linked to a Chrome Web Store bug encountered while publishing the update, not to a second compromise.
Google, for its part, was said to have acknowledged the publishing issue and escalated it internally. After additional review, the extension returned to the store as version 2.71.0, which became the new baseline for users seeking a secure update.
Links to a broader supply chain attack
Trust Wallet has pointed to evidence that the exploit was not an isolated incident but likely connected to a wider supply chain compromise. In particular, the company said it has high confidence that the Chrome extension attack is related to the so-called Shai-Hulud campaign.
That supply chain attack, disclosed in November, targeted the npm software registry and impacted a large number of open source repositories across the industry. Threat actors tampered with dependencies used by multiple projects, highlighting how a single compromised component can ripple outward into numerous applications and services.
In the case of Trust Wallet, the theory is that the adversaries leveraged less visible software dependencies and build tooling to prepare the ground for shipping a malicious extension update that still passed automated checks. While full technical details have not been shared publicly, investigators have stressed that the operation showed careful planning, patience and a solid understanding of the web extension ecosystem.
Security researchers commenting on the incident underscored the broader lesson: even widely used, reputable crypto tools can be undermined via their development supply chain. For everyday users, this kind of attack is nearly impossible to spot by simply glancing at the extension interface or update notes.
Adding an unusual twist, some white-hat researchers reportedly launched distributed denial-of-service (DDoS) attacks against parts of the attacker’s infrastructure once the compromise came to light. The idea was to disrupt the exfiltration channels in real time and reduce the number of additional victims during the crucial hours after discovery.
Trust Wallet’s response: fixes, reimbursements and new features
Once the malicious build was identified, Trust Wallet took a series of steps aimed at containing the breach and supporting users who had lost funds. The company revoked all existing Chrome Web Store release API keys used for publishing extension updates and implemented a strengthened internal release process to reduce the chance of unauthorized builds slipping through in the future.
Trust Wallet also worked with registrar and hosting providers, including NiceNIC, to dismantle the attacker’s data exfiltration infrastructure. Shutting down domains and servers made it harder for the malicious extension to phone home with stolen keys, although assets already moved on-chain remained effectively out of reach.
In parallel, the team began identifying and notifying affected wallet addresses. Initial reports mentioned about 2,520 compromised wallets, later refined to roughly 2,596 addresses as analysis continued. The company has framed these numbers as the definitive scope of direct impact from the browser exploit.
Trust Wallet’s parent company, Binance, weighed in as well. Binance founder Changpeng Zhao publicly confirmed that the group intended to fully reimburse users whose losses could be verified as stemming from the extension hack. Trust Wallet emphasized that this remediation commitment applied specifically to the extension incident and did not imply any broader guarantee against unrelated user mistakes or scams.
The updated extension, released as version 2.71.0, introduced a new customer service verification code feature. This mechanism is meant to help the team confirm wallet ownership when processing claims, providing an additional signal to differentiate legitimate victims from impostors attempting to cash in on the reimbursement program.
Fraudulent claims and a tighter reimbursement process
Despite the company’s effort to support victims, the reimbursement initiative quickly attracted attention from people who were never affected by the exploit. Trust Wallet’s CEO reported that the team received more than 5,000 claims, even though forensic analysis had identified just over 2,500 wallets as actually compromised.
This mismatch forced the company to tighten its claims verification process. Rather than relying on simple self-reported information, Trust Wallet began correlating multiple data points: on-chain transaction histories, extension telemetry, security logs and the new verification codes generated by the restored extension.
In messages to users, the CEO explained that the company’s staff was working diligently to separate genuine victims from fraudulent or duplicate submissions. The tone was measured but clear: reimbursements would go only to those who could be reliably linked to the addresses compromised in the exploit window.
The stricter review process inevitably slowed down payouts, but it also helped address concerns that compensation funds might be drained by opportunistic claimants. For affected users, this meant longer wait times but a better chance that the reimbursement pool would not be exhausted unfairly.
Trust Wallet reiterated throughout the process that only the browser extension was impacted by the malicious update. The company repeatedly stressed that mobile app builds remained unaffected, aiming to reassure the many users who rely primarily on the smartphone versions of the wallet.
Temporary removal from the Chrome Web Store
As part of the remediation effort, Trust Wallet’s browser extension disappeared for a time from the official Chrome Web Store listing. Given the timing, many users assumed that the extension had been pulled by Google because it was still unsafe.
The company later clarified that the disappearance was linked to a Chrome Web Store bug encountered while pushing the new version that incorporated the reimbursement verification feature. According to Trust Wallet’s leadership, Google acknowledged this publishing issue and escalated it internally until it was resolved.
During the outage, Trust Wallet advised users to be extremely cautious about fake extensions and lookalike listings that might try to capitalize on the confusion. Attackers often upload counterfeit versions of popular crypto tools, hoping that worried users will install them in a rush without verifying the publisher.
Once the problem on Google’s side was addressed, version 2.71.0 of the extension went live again with the additional verification capabilities and security improvements. Users were urged to confirm that they were downloading the extension only from the official Trust Wallet developer entry on the Chrome Web Store and to check version numbers carefully.
The company has used this episode to reinforce a basic message: never install wallet extensions from unverified links shared in emails, DMs or unofficial support channels, regardless of how urgent or convincing the message may sound.
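The version check recommended above can be automated across a browser profile. The following Python script is an added example, not Trust Wallet's or Google's code: it classifies each unpacked copy of an extension by the `version` field of its `manifest.json`, using the version numbers given in this article; the extension ID and the directory tree built in `demo()` are constructed placeholders.

```python
import json
import tempfile
from pathlib import Path

# Version facts from the article: 2.68 was the trojanized build,
# 2.71.0 is the restored release treated here as the baseline.
COMPROMISED = {"2.68"}
BASELINE = "2.71.0"

def parse_version(text):
    """Chrome extension versions are 1-4 dot-separated integers; pad to 4."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def classify(version_text):
    version = parse_version(version_text)
    if version in {parse_version(v) for v in COMPROMISED}:
        return "compromised"
    if version < parse_version(BASELINE):
        return "outdated"
    return "ok"

def audit(extensions_root, extension_id):
    """Classify every unpacked version of one extension under a profile's
    Extensions directory (<root>/<id>/<version dir>/manifest.json)."""
    findings = []
    for manifest in sorted(Path(extensions_root, extension_id).glob("*/manifest.json")):
        try:
            version = json.loads(manifest.read_text(encoding="utf-8"))["version"]
            findings.append((version, classify(version)))
        except (ValueError, KeyError, TypeError, OSError):
            findings.append((manifest.parent.name, "unreadable"))
    return findings

def demo():
    """Run the audit over a constructed profile tree (not real data)."""
    ext_id = "a" * 32  # placeholder ID; use the ID shown on the official listing
    with tempfile.TemporaryDirectory() as root:
        for version in ("2.68", "2.69", "2.71.0"):
            folder = Path(root, ext_id, version + "_0")
            folder.mkdir(parents=True)
            (folder / "manifest.json").write_text(json.dumps({"version": version}))
        broken = Path(root, ext_id, "9.9_0")
        broken.mkdir()
        (broken / "manifest.json").write_text("{not json")
        return audit(root, ext_id)

if __name__ == "__main__":
    print(demo())
```

Versions are compared numerically per component, so a build such as 2.100 is not mistaken for one older than 2.71.0, and a manifest that cannot be parsed is reported rather than skipped.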
Ongoing phishing attempts and user safety recommendations
Even after the main exploit infrastructure was taken down, attackers did not simply quit. Trust Wallet reported that follow-on phishing campaigns quickly appeared, with scammers impersonating the company in an effort to harvest seed phrases and private keys from worried users.
These phishing attempts often mimicked customer support messages or reimbursement announcements, urging users to “confirm” their wallets by providing recovery phrases. Others pointed to lookalike domains or fake web interfaces where victims were prompted to connect their wallets for supposed safety checks.
Trust Wallet’s public guidance repeated several core security principles: users should never share their seed phrase, private keys or full recovery information with anyone, including supposed support staff. Official support teams do not need this data to help with technical issues or to process compensation.
The company also encouraged users to verify URLs carefully, bookmark the official website, and avoid clicking on links in unsolicited emails or social media messages. For browser extensions, checking the publisher name, number of reviews and permission list can help detect fakes, though these checks are not foolproof.
Finally, users were advised to consider moving significant balances off browser-based wallets used for daily interactions and into hardware wallets or other forms of cold storage that are less exposed to extension-level compromises and phishing.
The Trust Wallet extension exploit has become a reference point for how a well-planned distribution attack can slip into a mainstream crypto tool, how quickly funds can vanish once keys are exposed and how complex reimbursement and user protection can be in a decentralized ecosystem. The incident underlines the need for stronger release controls, more resilient infrastructure and more skeptical user behavior whenever a wallet prompts for sensitive recovery information or an update appears during a particularly convenient – or suspicious – moment.