Trust Wallet Patches Extension as Investigators Track Stolen Crypto

Trust Wallet Launches Compensation Plan After Extension Security Incident

The420 Web Desk

A routine software update, quietly pushed through the Chrome Web Store just before Christmas, opened a narrow but costly window into the vulnerabilities that continue to haunt the crypto ecosystem—exposing how a single compromised extension can ripple across millions of users, billions in trust, and multiple blockchains.

A Compromised Update Slips Through

In the early afternoon of Dec. 24, malicious code was published to the Chrome browser extension of Trust Wallet, one of the most widely used self-custody wallets in the cryptocurrency industry. According to the company, the code was deployed using a leaked Chrome Web Store API key, allowing it to bypass Trust Wallet’s standard internal release process.

The altered extension, version 2.68, contained code designed to harvest users’ wallet seed phrases, the recovery phrases from which a wallet’s private keys are derived and which grant full control over digital assets. The payload, later identified by blockchain security firm SlowMist, was embedded within a modified open-source analytics library, making it difficult to detect through routine inspection.

Only users who logged into the Chrome extension during a specific window—between the Dec. 24 update and the rollout of a fix the following day—were potentially exposed. Mobile app users and those running other versions of the extension were not affected, Trust Wallet said. The Chrome extension alone, however, has roughly one million users, according to its Web Store listing.

Tracing the Theft Across Blockchains

The financial fallout became visible quickly. Trust Wallet later confirmed that approximately $7 million in digital assets had been stolen across several blockchains, including Bitcoin, Ethereum, and Solana. Blockchain forensic analysis suggested that the attacker acted swiftly, moving stolen funds through a network of wallets and exchanges.

Researchers at PeckShield reported that more than $4 million of the stolen assets had already been routed through centralized exchanges such as ChangeNOW, FixedFloat, and KuCoin, complicating recovery efforts. Roughly $2.8 million remained in wallets linked to the attacker as of Thursday, according to their estimates.

Discovery, Disclosure, and a Rapid Fix

Public awareness of the breach began not with a corporate disclosure, but with an alert. On Christmas Day, the on-chain investigator ZachXBT warned on Telegram that Trust Wallet users were reporting drained accounts shortly after the Dec. 24 update. The reports pointed to a narrow timeframe, suggesting a supply-chain-style compromise rather than user error.

Trust Wallet pushed a patched version—2.69—on Dec. 25. Chief Executive Eowyn Chen later said that users who logged into the extension before Dec. 26 at 11 a.m. UTC were potentially affected. Two days after the malicious code was discovered, the company announced it had launched a formal compensation process for victims.

Affected users were asked to submit claims through an official support portal, providing wallet addresses, transaction hashes, and other verification details. “Each case requires careful verification to ensure accuracy and security,” the company said in a statement posted on X, as it sought to balance speed with fraud prevention.

Accountability and the Broader Stakes

The incident quickly drew the attention of Changpeng Zhao, founder of Binance, which acquired Trust Wallet in 2018. Zhao said the company would cover all verified losses, emphasizing that user funds “are SAFU,” a phrase long associated with Binance’s own emergency insurance fund.

While the pledge helped calm immediate concerns, the episode reignited deeper questions about security in the rapidly evolving crypto infrastructure. Browser extensions—convenient bridges between users and blockchains—have increasingly become attractive targets, sitting at the intersection of web security, open-source software, and high-value financial assets.
