Trust Wallet users suffered an estimated $6–$7 million loss after a compromised Chrome extension update (version 2.68) was released on December 24, 2025. Reports indicate the first drains occurred on December 25, and Trust Wallet confirmed the breach on December 26, 2025, putting the incident firmly in the browser-extension attack category.
The compromise is described as a supply-chain exploit delivered through a malicious update that embedded JavaScript inside the extension package. The payload reportedly stayed dormant until a user imported a recovery seed, at which point it exfiltrated recovery phrases to an attacker-controlled domain and enabled unauthorized access without phishing clicks or explicit transaction approvals.
What happened at the user level and why it scaled fast
One affected account allegedly lost as much as $3.5 million in assets, illustrating how quickly a single compromised update can escalate into outsized losses. Because the trigger was seed import rather than a link click, the attack path relied on routine wallet behavior and bypassed common phishing heuristics. Security teams characterized the pattern as an abuse of a trusted update channel to distribute malicious code to end users. In operational terms, the update pipeline became the threat surface, not the user’s decision-making.
Trust Wallet instructed users to disable version 2.68 immediately and to install the patched version 2.69 once the fix was released. The response underscores that browser-based wallets trade convenience for a broader attack surface when update delivery and code integrity controls fail. Even when the remediation is fast, a narrow compromise window can still produce material aggregate losses. A short-lived malicious release can have lasting downstream effects on user confidence and custody behavior.
Response, reimbursements, and the custody risk lesson
Binance CEO Changpeng Zhao publicly pledged full reimbursement from Binance’s Secure Asset Fund for Users (SAFU), writing, “User funds are SAFU.” He also suggested that injecting malicious code into the update process could imply insider access rather than a purely external breach, raising deeper concerns about governance and release controls. The reimbursement commitment is positioned as immediate loss containment. At the same time, it introduces questions about liability expectations and what “acceptable” operational security should look like for wallet infrastructure.
So far, $7m affected by this hack. @TrustWallet will cover. User funds are SAFU. Appreciate your understanding for any inconveniences caused. 🙏
The team is still investigating how hackers were able to submit a new version. https://t.co/xdPGwwDU8b
— CZ 🔶 BNB (@cz_binance) December 26, 2025
Security analysts urged impacted users to move high-value holdings to cold storage and enable multi-factor authentication where supported. Recommended mitigations also include stricter verification of software updates, tighter oversight of the update pipeline, and clearer user education on the limits of browser extensions as a primary custody layer. The incident can undermine confidence in hot wallets. The event reinforces that extension-based distribution can turn routine updates into a single point of failure for large-scale asset drains.
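One way a release pipeline can apply the stricter update verification recommended above, shown as an added example that is not Trust Wallet's code or tooling: diff a candidate extension build against the last reviewed build and block the release when added or changed files reference hosts outside an allowlist. The function name `audit_update`, the file names and the `.example` hosts are all constructed for illustration.

```python
import hashlib
import re

# Host part of http(s)/ws(s) URLs that appear literally in a file.
HOST_RE = re.compile(rb"(?:https?|wss?)://([A-Za-z0-9.-]+)")

def digest(data):
    return hashlib.sha256(data).hexdigest()

def hosts_in(data):
    return {h.decode().lower().rstrip(".") for h in HOST_RE.findall(data)}

def audit_update(baseline, candidate, allowed_hosts):
    """Diff a candidate extension build against the last reviewed build.

    baseline, candidate: {relative path: file bytes} for each unpacked build.
    allowed_hosts: hostnames the release is approved to contact (assumption:
    the team maintains this list as part of release review).
    """
    added = sorted(p for p in candidate if p not in baseline)
    removed = sorted(p for p in baseline if p not in candidate)
    changed = sorted(p for p in candidate
                     if p in baseline and digest(candidate[p]) != digest(baseline[p]))
    new_hosts = {}
    for path in added + changed:  # only files that differ need re-review
        unseen = hosts_in(candidate[path]) - set(allowed_hosts)
        if unseen:
            new_hosts[path] = sorted(unseen)
    # Changed files are normal in an update; an unapproved endpoint is not.
    return {"added": added, "removed": removed, "changed": changed,
            "new_hosts": new_hosts, "block_release": bool(new_hosts)}

# Constructed sample builds, not taken from the real extension.
BASELINE = {
    "manifest.json": b'{"name": "demo-wallet", "version": "1.0.0"}',
    "background.js": b'fetch("https://api.wallet.example/rates");',
}
CANDIDATE = {
    "manifest.json": b'{"name": "demo-wallet", "version": "1.0.1"}',
    "background.js": b'fetch("https://api.wallet.example/rates");',
    "vendor/metrics.js": b'fetch("https://collect.unreviewed.example/v1", {method: "POST"});',
}
ALLOWED = {"api.wallet.example"}

if __name__ == "__main__":
    import json
    print(json.dumps(audit_update(BASELINE, CANDIDATE, ALLOWED), indent=2))
```

Literal string matching is a tripwire, not proof of integrity: a hostname assembled at runtime or hidden by obfuscation will not match, so the added and changed file lists still need human review before publishing.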
The December compromise shows how quickly a trusted release channel can be weaponized. A standard extension update became the delivery mechanism for a mass exfiltration event, translating normal user actions into immediate asset loss.