According to cybersecurity firm SlowMist , the malicious Trust Wallet extension also exports users' personal data, raising suspicions of insider trading.
Trust Wallet users lost approximately $7 million in a Christmas Day exploit believed to have been planned since early December. Version 2.68 of the Trust Wallet browser extension was compromised in a security incident affecting desktop users, according to a Trust Wallet announcement on X on Thursday; the project recommends users upgrade to version 2.89.
In a blog post on X on Friday, Changpeng Zhao — co-founder of Binance , the company that owns Trust Wallet and claims to serve 220 million users — said the lost funds would be reimbursed.
Cryptocurrency wallet breaches are becoming an increasing threat to digital asset investors. According to Chainalysis , excluding the $1.4 billion Bybit hack in February, breaches of personal wallets account for 37% of all stolen value in 2025.
However, the $7 million loss to Trust Wallet is still much smaller than other major wallet hacks. In February 2024, Jeff Zirlin , co-founder of the play-to-earn game Axie Infinity , lost $9.7 million in Ether due to suspected wallet exploitation.
Insider hacking suspected after Trust Wallet mining incident.
Yu Xian, co-founder of SlowMist, wrote on X on Friday that the attacker had been preparing well in advance, at least since December 8th. A machine translation of his post states:
“The attacker began preparations at least from [December 8th], successfully installed the backdoor on [December 22nd], began transferring funds on [Christmas Day], and was subsequently detected.”
The backdoor code also collects users' personal information and sends it to the attacker's server.
According to onchain investigator ZachXBT , hundreds of Trust Wallet users have been affected.
Some industry Watcher point to signs of possible insider activity, as the attacker may have uploaded a new version of the Trust Wallet utility to the website. “This type of ‘hack’ doesn’t come naturally. The possibility of insider activity is high,” wrote intergovernmental blockchain advisor Anndy Lian on X.
Changpeng Zhao also agreed that the incident was “very likely” caused by an insider. Mr. Xian of SlowMist added that the attacker was “very familiar with the source code of the Trust Wallet utility,” which allowed them to deploy a backdoor to collect sensitive user data.
