Trust Wallet suffers Christmas heist: hackers exploit extension vulnerability to steal over $6 million

A seemingly routine Chrome extension update became the starting point of a major crypto asset heist. On December 24, Trust Wallet pushed an extension update to the Chrome Web Store, version 2.68.

On Christmas Day, December 25, the first victims woke up to find their wallet funds transferred without authorization. Blockchain detective ZachXBT quickly intervened and issued an emergency alert in Telegram groups.

As the investigation deepened, the full picture gradually emerged: only the browser extension version 2.68 was affected; mobile and other versions were not impacted.

01 Event Overview: Christmas Security Incident and Multiple Reactions

December 25, 2025, a day that should have been filled with joy, turned into a nightmare for hundreds of Trust Wallet users. On-chain investigator ZachXBT issued an alert, pointing out that hundreds of Trust Wallet users experienced fund thefts, with losses totaling at least 6 million USD.

Trust Wallet is a cryptocurrency wallet owned by Binance, claiming tens of millions of users. As a leading non-custodial wallet in the industry, it supports major blockchains like Ethereum and Binance Smart Chain, and is tightly integrated with numerous DeFi platforms.

After the incident, Trust Wallet’s official security alert confirmed a security vulnerability in extension version 2.68, and urgently released version 2.69 to fix it.

Binance founder CZ also responded on social media, stating that the total loss from this vulnerability was about 7 million USD, and the platform would fully compensate affected users with funds held in the “SAFU” (Secure Asset Fund for Users).

02 Attack Timeline: A Carefully Planned Christmas Heist

The timeline of this security incident reveals meticulous planning by the attackers. On Christmas Eve, December 24, Trust Wallet pushed an extension update to the Chrome Web Store, which most users automatically or manually installed during the holiday festivities.

Just hours later, on the morning of December 25, Eastern Time, the first victims began noticing abnormal fund transfers. After receiving multiple reports, ZachXBT issued a public alert on Telegram around noon local time.

The unauthorized transfers continued for over 30 hours from the initial reports. While user assets were still being stolen, Trust Wallet’s official channels kept posting holiday greetings and marketing content, which caused strong dissatisfaction within the community.

It wasn’t until December 26, more than 30 hours after the incident, that Trust Wallet’s representatives issued a public warning about the browser extension vulnerability. This handling approach drew widespread criticism and further heightened user concerns.

03 Technical Analysis: Critical Vulnerability in Browser Extension

Security experts pointed out that this attack could have been carried out in one of two ways: malicious code deliberately embedded during the update, or an unintentionally introduced vulnerability that could be exploited.

The high privileges of Chrome extensions make them an ideal target for attackers. These extensions can read and modify all web content accessed by the user, intercept network requests, inject arbitrary scripts, and even access local storage.

ChainedFog’s CISO further indicated that this security incident may have originated from an attack on the developer’s device or code repository, and that some users are still being compromised. This analysis emphasizes the threat of supply chain attacks: attackers don’t need to hack the wallet app itself directly, they only need to control an upstream dependency.

Security research shows that browser wallets face three systemic risks: automatic update mechanisms prevent users from reviewing code changes before acceptance; permission abuse can allow legitimate extensions to add malicious code during updates; dependency chain vulnerabilities can affect all downstream applications without user awareness.
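One way to review an extension update before trusting it, given the update risks listed above (an added example, not Trust Wallet's code or any vendor's tooling): diff two unpacked versions for new files, newly requested manifest permissions and newly referenced network hosts. The file contents and the `.example` hostnames are constructed sample data.

```python
import json
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'`<>)\\]+")
MANIFEST_KEYS = ("permissions", "optional_permissions", "host_permissions")

def hosts_in(files):
    """Every hostname referenced by a URL literal in any packaged file."""
    return {urlparse(u).hostname for src in files.values()
            for u in URL_RE.findall(src)} - {None}

def audit_update(old, new):
    """Diff two unpacked extension versions, each given as {path: text}."""
    old_m, new_m = (json.loads(v["manifest.json"]) for v in (old, new))
    new_perms = {}
    for key in MANIFEST_KEYS:
        gained = set(new_m.get(key, [])) - set(old_m.get(key, []))
        if gained:
            new_perms[key] = sorted(gained)
    return {
        "added_files": sorted(set(new) - set(old)),
        "changed_files": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
        "new_permissions": new_perms,
        "new_hosts": sorted(hosts_in(new) - hosts_in(old)),
    }

# Constructed sample data: two versions of a hypothetical wallet extension.
OLD = {
    "manifest.json": json.dumps({"version": "1.0", "permissions": ["storage"],
                                 "host_permissions": ["https://rpc.wallet.example/*"]}),
    "background.js": "fetch('https://rpc.wallet.example/v1/balance');",
}
NEW = {
    "manifest.json": json.dumps({"version": "1.1",
                                 "permissions": ["storage", "webRequest"],
                                 "host_permissions": ["https://rpc.wallet.example/*"]}),
    "background.js": "import './metrics.js'; fetch('https://rpc.wallet.example/v1/balance');",
    "metrics.js": "const ENDPOINT = 'https://collect.metrics.example/capture';",
}

if __name__ == "__main__":
    # Anything listed here deserves a manual look before the update is trusted.
    print(json.dumps(audit_update(OLD, NEW), indent=2))
```

A host that appears only in the new version, together with a newly added script, is the kind of change that automatic updates otherwise deliver unreviewed.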

04 Fund Flow Tracking: Hacker Money Laundering Path

According to PeckShield’s monitoring data, hackers stole over 6 million USD worth of crypto assets from victims during the exploitation of the Trust Wallet vulnerability. These funds were rapidly transferred to a set of wallets controlled by the attackers.

Tracking the flow of funds reveals a systematic money laundering process:

| Fund Status | Amount (Approximate USD) | Main destinations or notes |
| --- | --- | --- |
| Still in hacker wallets | 2.8 million | Distributed across Bitcoin, EVM, Solana networks |
| Transferred to centralized exchanges | Over 4 million | Flowing into ChangeNOW, FixedFloat, KuCoin, etc. |

Specifically, about 3.3 million USD was transferred to ChangeNOW, around 340,000 USD to FixedFloat, and approximately 447,000 USD to KuCoin. This rapid dispersal pattern is common after extension or front-end compromises and is meant to complicate tracing.

On-chain analysts found that a newly created EVM wallet received transactions ranging from a few ETH to 7 ETH, with one address still holding over 255 ETH, worth about 750,000 USD.

On the Bitcoin network, a single address received over 12 BTC through 66 transactions, worth over 1 million USD; other wallets received a total of 1.5 BTC.

05 Market Impact and Token Performance

The Trust Wallet incident not only affected direct victims but also sent shockwaves through the entire cryptocurrency market. As the native utility token of the wallet ecosystem, Trust Wallet Token (TWT) may face downward pressure.

Security research firm ChainFog’s founder Yu Jin further pointed out that the attackers appeared to be familiar with Trust Wallet’s extension source code, embedding PostHog JS to collect various user wallet information. Worryingly, the fixed version of Trust Wallet did not remove the PostHog JS script.

Historical data shows that similar security incidents typically cause related tokens to drop 10% to 20% within 24 hours, with trading volume surging amid panic selling. This event may also prompt investors to shift toward safer assets like Bitcoin and Ethereum.

As of December 26, data from Gate platform indicates the overall market remains cautious, with investor concern over wallet security significantly increased. Although CZ has promised full compensation, market confidence recovery will take time.

06 User Response Guide and Security Tips

For Trust Wallet users who may be affected, immediate steps include:

Step 1: Check and Isolate. Review transaction history from the past 48 hours, paying close attention to unauthorized token transfers, contract interactions, or approval signatures. If suspicious activity is found, immediately go to chrome://extensions and disable or remove the Trust Wallet Chrome extension.

Step 2: Asset Rescue. Use Revoke.cash or Etherscan’s Token Approvals feature to revoke all DeFi permissions. Create a new wallet with a freshly generated seed phrase, and do not restore from old wallets. Transfer remaining assets to the new wallet, taking care not to use compromised devices.

Step 3: Report and Seek Compensation. ZachXBT recommends victims contact law enforcement and provide detailed transaction records. Although crypto theft cases are hard to solve, establishing a formal record is crucial for future class actions or insurance claims.

For unaffected users, preventive measures include: pausing use of the Chrome extension and switching to mobile apps or hardware wallets; reviewing and revoking unnecessary DeFi approvals; not signing new transactions or authorizations until the situation is clear; regularly backing up seed phrases and storing them offline; and considering a transfer of large holdings to hardware wallets.

Trust Wallet’s official support center has outlined the compensation process, and victims can register claims through that channel. ZachXBT stated that if the incident is confirmed to be Trust Wallet’s fault, the platform may need to compensate affected users.

Future Outlook

With over 4 million USD of stolen funds already flowing into exchanges like ChangeNOW, FixedFloat, and KuCoin, the aftermath of this Christmas heist continues to ripple through the crypto world. Monitoring data from PeckShield shows that about 2.8 million USD remains in the hacker’s wallets.

Yu Jin, the security expert who discovered that the fixed version still contained suspicious scripts, has kept sounding the alarm on social media. Security, in this digital asset world, is never a one-time event but a marathon with no end.

Trust Wallet’s silence and subsequent handling will serve as a benchmark for how the industry manages security crises. For every crypto holder, this incident is a heavy but clear reminder—true security always lies in your own hands.
