Jan 25, 2026 · 5 min read
That Chrome Extension Update Just Drained $7 Million in Crypto
On Christmas Eve, attackers pushed a malicious update to Trust Wallet's Chrome extension through the official Chrome Web Store. Within 48 hours, they had stolen millions in cryptocurrency from users who did nothing more than open the extension and unlock it.
The Christmas Eve Attack
On December 24, 2025, at 12:32 p.m. UTC, an unauthorized version of the Trust Wallet browser extension was published to the Chrome Web Store. Version 2.68 looked identical to previous releases but contained hidden malicious code.
According to Trust Wallet's official incident report, the attack resulted in approximately $7 million in stolen cryptocurrency. A later analysis reported by The Hacker News put the total closer to $8.5 million, drained from more than 2,500 wallet addresses into at least 17 attacker-controlled wallets.
The stolen assets included approximately $3 million in Bitcoin, over $3 million in Ethereum, and various other tokens.
How the Malicious Code Worked
The attackers embedded their malicious code in the extension's analytics logic. That placement is what makes this class of backdoor hard to catch in code review: an extra call that ships a few more fields to a telemetry endpoint looks like routine instrumentation rather than exfiltration.
According to BleepingComputer's analysis, the attack worked in three stages:
- Trigger: When a user opened the extension and logged in, the malicious code activated
- Harvest: The code iterated through all wallets stored in the extension, decrypting each wallet's recovery phrase using the password the user had just entered
- Exfiltrate: The recovery phrases were sent to an attacker-controlled server, disguised as legitimate analytics traffic
The attackers used the open-source PostHog analytics library to camouflage the theft as normal telemetry, sending the stolen recovery phrases to a domain built to look like official Trust Wallet infrastructure: api.metrics-trustwallet[.]com. Note that this is a separately registered domain (metrics-trustwallet[.]com), not a subdomain of trustwallet.com. That distinction is exactly what an egress allowlist, or a reviewer comparing every hostname in the source against the domains the extension legitimately contacts, can catch.
A Supply Chain Attack Through the Official Store
What makes this attack particularly concerning is how the malicious update reached users. The attackers did not trick people into installing a fake extension. They pushed their code through Google's official Chrome Web Store.
Trust Wallet disclosed that the breach traced back to the "Shai-Hulud" supply chain attack of November 2025, a self-propagating npm worm that harvested credentials from the developer machines and build environments where infected packages were installed. During that campaign the company's GitHub secrets were exposed, giving attackers access to the source code and, critically, to the Chrome Web Store API key.
With that credential, the attackers could publish extension updates as if they were Trust Wallet's own developers. Store review inspects the uploaded package; it has no way to tell that the key submitting it had been stolen. The malicious version 2.68 passed the Chrome Web Store's automated review and was distributed to users as a legitimate update.
Trust Wallet said it could not rule out nation-state involvement, given the sophistication of the supply chain compromise that preceded the theft.
Who Was Affected
The breach affected only users who:
- Had Trust Wallet's Chrome browser extension installed
- Received the version 2.68 update
- Opened the extension and logged in between December 24 and 26, 2025
Trust Wallet's mobile applications were not affected, nor were other versions of the browser extension or users who did not open the extension during the attack window.
However, anyone who unlocked version 2.68, or entered or imported a seed phrase while running it, should treat every seed stored in that extension as permanently compromised. The attackers hold those recovery phrases and can drain the associated wallets at any time, and a seed cannot be rotated: changing the extension password does nothing, because the phrase itself is the key. The only remediation is to create a new wallet from a fresh seed on a device you trust and move the funds there.
The Response
Trust Wallet took several immediate steps after discovering the attack:
- Expired all release API credentials so the stolen key could no longer push updates
- Reported the exfiltration domain to its registrar, which suspended it
- Released a clean version 2.69 to the Chrome Web Store
- Published detailed incident reports and user guidance
Changpeng Zhao, co-founder of Binance (which owns Trust Wallet), announced that affected users would be reimbursed for their losses. This commitment to make users whole is notable, though it does not undo the security failure that enabled the attack.
Browser Extensions: A Growing Attack Surface
The Trust Wallet incident is part of a broader pattern of browser extension compromises. Extensions have deep access to your browsing activity, and a wallet extension holds the keys that control your funds.
Recent months have seen multiple high profile extension attacks:
- Malicious AI coding extensions on the VS Code Marketplace with 1.5 million downloads
- The "Ghostposter" campaign that hijacked legitimate extensions to steal user data
- Compromised Chrome extensions used for cryptocurrency theft and data harvesting
The common thread is that extension stores, whether the Chrome Web Store, Firefox Add-ons or the VS Code Marketplace, verify the package rather than the publisher: they cannot distinguish an update uploaded by the developer from one uploaded by someone holding the developer's credentials. If attackers obtain those credentials, they can push malicious code to millions of users through official channels.
Protecting Yourself from Extension Attacks
The Trust Wallet attack succeeded because users trusted that updates from the official store were safe. That assumption is increasingly dangerous.
Consider these protective measures:
- Control updates for sensitive extensions and review what actually changed before accepting a new version. Chrome's settings offer no per-extension auto-update switch for Web Store installs; the realistic options are enterprise policy (the ExtensionSettings policy can point an extension at an update URL you control) or loading a locally reviewed unpacked copy, so for most users this means knowing which version is installed and noticing an unexpected version bump
- Use a hardware wallet for significant cryptocurrency holdings. It keeps the private keys off the computer where a malicious extension cannot read them, but you must still verify each transaction's details on the device screen, because a compromised extension can ask you to sign something other than what it displays
- Minimize extension permissions and remove extensions you no longer actively use
- Separate sensitive activities into different browser profiles or browsers entirely
- Monitor extension news for security incidents affecting tools you use
The Lesson for Extension Users
Every browser extension you install is a potential attack vector. The more sensitive the extension's access—to your passwords, your financial accounts, your browsing data—the more attractive it is to attackers.
Trust Wallet users did nothing wrong. They used an official extension from a major company, downloaded from Google's official store, and received what appeared to be a routine update. Yet their funds were stolen anyway.
Supply chain attacks like this one exploit the trust we place in official distribution channels. The Chrome Web Store review process, developer credential management, and update delivery systems all failed to prevent a malicious update from reaching users.
Until extension security fundamentally improves, users must treat every extension—and every update—as potentially compromised. The $7 million loss from Trust Wallet is a reminder that trusting official stores is not enough.