Trust Wallet Faces Christmas Security Hack With $7 Million in Crypto Stolen

Trust Wallet confirmed a security incident on Christmas Day that compromised its Chrome browser extension version 2.68. The issue led to unauthorized access and the draining of cryptocurrency from affected user wallets. The company emphasized that the breach was limited to this specific version and did not impact its mobile app or other browser extension releases.

Blockchain investigator ZachXBT first reported the problem on December 25 after receiving reports from multiple users. He noted that funds began disappearing shortly after an update rolled out on December 24. Initial estimates placed losses above $6 million, with stolen assets spanning networks including Bitcoin, Ethereum, and Solana.

Changpeng Zhao aka CZ, founder of Binance and owner of Trust Wallet, addressed the incident publicly. He stated that the total amount affected had reached approximately $7 million. Zhao assured users that Trust Wallet would fully reimburse those impacted and that user funds remain secure.

The Trust Wallet team responded quickly by urging affected users to disable version 2.68 and upgrade to 2.69. They provided a direct link to the official Chrome Web Store for the safe version. Investigators have identified suspicious code in the compromised update that appeared to exfiltrate sensitive wallet data when seed phrases were imported.

Security experts have speculated to a possible supply-chain attack as the root cause. The malicious code may have been embedded in an official update, raising questions about how it bypassed review processes. Some analysts suggested the attacker's familiarity with the extension's codebase could indicate insider involvement, though no confirmation has emerged.

Trust Wallet has initiated a full investigation into the breach. The team continues to monitor for additional affected users and promises further updates as details become available. Users are advised to verify their extension version and avoid using the outdated release.

This incident serves as a reminder of the risks associated with browser-based wallets. While convenient for accessing decentralized applications, they operate in environments vulnerable to updates and third-party dependencies. Many in the crypto community recommend hardware wallets for long-term storage and savings and to keep private keys offline.