Crypto wallet Trust Wallet confirmed early morning on Friday, Dec. 26 that approximately $7 million in customer funds were lost in an exploit. The hack has been tied to a bad update of the wallet’s Chrome browser extension after users reported losing funds in what appears to be a supply-chain attack.
The issue affected only Trust Wallet Browser Extension version 2.68, the company said in an X thread yesterday evening, when the company first confirmed the exploit. Users were told to stop opening the extension, turn it off, and upgrade to version 2.69. Mobile users and other versions were not affected, according to the team.
The warning came just hours after blockchain sleuth ZachXBT said in his Telegram channel that several Trust Wallet users had reported funds being drained within hours, shortly after a new Chrome extension update was pushed.
Users Will Be Compensated
Changpeng Zhao, founder of crypto exchange Binance, which acquired Trust Wallet in 2018, revealed in an X post on Thursday evening that $7 million in user funds had been stolen in the exploit, and that Trust Wallet will compensate affected users.
“So far, $7m affected by this hack. Trust Wallet will cover. User funds are SAFU. Appreciate your understanding for any inconveniences caused,” Zhao wrote.
Blockchain security firm SlowMist said in an X thread on Dec. 26 that the attack likely involved direct tampering with Trust Wallet’s own extension code, rather than a compromised third-party library.
“A diff comparison between v2.67 and v2.68 revealed malicious code secretly inserted into the 2.68 update. This injected code iterates through all wallets stored in the extension, triggering a get mnemonic phrase request for each wallet,” the security firm wrote.
The attackers reportedly used legitimate analytics tools to secretly send data to servers they controlled.
This isn’t the first time Trust Wallet’s browser extension has raised security concerns. In 2023, hardware wallet Ledger’s chief technology officer Charles Guillemet revealed in an X thread that Ledger’s security team had identified a “catastrophic” vulnerability in Trust Wallet’s Chrome extension that could have allowed attackers to drain wallets without any user interaction at all.
At the time, Guillemet said the vulnerability was identified before it could be exploited at scale.



