Trust Wallet suffers supply chain attack, browser extension vulnerability causes losses exceeding $6 million

On December 25, 2023, the mainstream cryptocurrency wallet Trust Wallet confirmed that version 2.68 of its browser extension contained a serious security vulnerability that has led to a large number of user funds being stolen. On-chain detective ZachXBT's analysis indicates that the incident has caused at least $6 million in losses and involves hundreds of victims. Preliminary investigation shows that the vulnerability originated from a malicious extension update: attackers embedded code that stole sensitive information when users imported their seed phrases, then quickly emptied the wallets. Trust Wallet has since released an emergency fix in version 2.69 and recommends that all users upgrade immediately. The incident once again sounds the alarm for the security of self-custodied decentralized assets and highlights the risks in the crypto ecosystem's software supply chain.

Incident Overview: Millions of dollars in assets vanish overnight

From December 24 to 25, 2023, many Trust Wallet users experienced a panic-filled holiday. During the Christmas holiday, users on social media reported that after importing their seed phrases into the latest Trust Wallet browser extension, their assets were rapidly transferred out within a short period. This abnormal situation quickly drew the attention of the blockchain security community, especially well-known on-chain detective ZachXBT.

By tracking and correlating multiple reports, ZachXBT found a high degree of consistency among these thefts: all occurred after users imported their wallets using version 2.68 of the browser extension, and the stolen assets included tokens on the Bitcoin, Ethereum, BNB, and Solana chains. The transfers were extremely fast, with no delay, exhibiting the characteristics of an automated attack rather than individual user error or phishing. As more victims came forward, the initial estimate of the stolen amount was around $2 million, but based on the public addresses involved, ZachXBT's analysis shows the total loss has exceeded $6 million, with potentially hundreds of victims.

In response to growing community doubts and panic, Trust Wallet officially issued a statement on December 25, confirming the security incident. The official stated that the issue was limited to version 2.68 of the browser extension, and the mobile app and other versions were unaffected. The team urged all users still using version 2.68 to disable the extension immediately and upgrade to the fixed version 2.69 via the official Chrome Web Store. Although the vulnerability was confirmed and a fix provided, Trust Wallet did not initially disclose detailed technical specifics or root causes, further fueling community discussions on security transparency.

Deep analysis of attack methods: A typical supply chain attack

As security researchers reverse-engineered the code of the affected extension, the cunning nature of this attack became clearer. It was not a simple phishing or device malware attack, but a carefully planned software supply chain attack. Supply chain attacks involve contaminating the normal development, update, or distribution process of software to embed malicious code into legitimate software, thereby attacking all users who trust and download that software.

In this incident, the breach point was the Trust Wallet browser extension update to version 2.68 released on December 24. Researchers discovered that this update package contained a malicious JavaScript code snippet. This code was cleverly disguised as a module for collecting analytics data, allowing it to evade security checks. Its malicious logic was highly targeted: it specifically monitored the critical operation of “import seed phrase.” Once a user performed this operation, the malicious code would silently encrypt and send the entered seed phrase and other sensitive wallet data to an external domain controlled by the attacker.

Worse, the domain used for data reception was carefully designed to resemble Trust Wallet’s official infrastructure, increasing stealth. According to WHOIS data, this domain was registered shortly before the attack and went offline quickly after completing data collection, indicating a clear attack plan and anti-detection awareness. Therefore, any user importing their seed phrase in the infected 2.68 extension effectively handed the keys to their vault over to the attacker, and subsequent asset transfers were entirely under the attacker’s control.

Key data and attack chain of the vulnerability

To better understand the severity of this incident, we outline several key nodes and data points in the attack chain:

Vulnerability introduction time: December 24, 2023 (version 2.68 release)

Active attack window: December 24–25, 2023

Confirmed loss amount: over $6 million (based on ZachXBT’s on-chain analysis)

Main affected assets: Bitcoin, Ethereum, BNB, Solana ecosystem tokens

Attacker strategy: rapid transfer and mixing of funds through multiple intermediary addresses to make tracing harder

Official response time: approximately 24 hours from community warning to official confirmation and release of the fix (2.69)

Emergency user response guide and security reflections

For users who have already used version 2.68 of the extension, the immediate priority is to take action to reduce further losses. First, disable or completely uninstall the Trust Wallet extension version 2.68 from your browser. Next, download and install the latest version 2.69 only from the official Chrome Web Store. Trust Wallet emphasizes that until the upgrade is complete, do not reopen the extension. Mobile users are unaffected by this incident, but keeping the app updated is always a good security practice.

However, for users who imported their seed phrases into the vulnerable version, the situation is more severe. Since the seed phrase may have been leaked, all wallet addresses generated from that seed should be considered “compromised.” The most thorough security measure is to immediately transfer assets to a new wallet generated from a completely new seed phrase that has never been used in the affected extension. This involves creating a new wallet and manually transferring all assets. Although tedious, this step is crucial. If assets have already been stolen, users should report the incident through Trust Wallet’s official support channels, and keep all transaction hashes (TxID) for potential investigation or legal recourse.
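The first step of the response guide above is to find and remove any 2.68 install of the extension. The following script, added here and not part of the original article, scans a Chrome-style Extensions directory for Trust Wallet manifests and flags any version older than 2.69. It assumes Chrome's layout of `<Extensions>/<extension id>/<version dir>/manifest.json` and that the extension's manifest name contains "Trust Wallet" (the article gives no extension ID); the sample tree is constructed for the demonstration.

```python
import json
import tempfile
from pathlib import Path

FIXED_VERSION = (2, 69)        # version the article identifies as the fix
NAME_HINT = "trust wallet"     # assumption: manifest "name" contains this


def parse_version(text):
    """'2.68.1' -> (2, 68, 1); non-numeric components are dropped."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())


def scan_extensions(ext_root):
    """Return sorted (extension id, version, status) for each Trust Wallet
    manifest under ext_root. Layout assumed: <ext_root>/<id>/<ver>/manifest.json,
    as in ~/.config/google-chrome/Default/Extensions on Linux."""
    findings = []
    for manifest in Path(ext_root).glob("*/*/manifest.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        if NAME_HINT not in str(data.get("name", "")).lower():
            continue
        version = parse_version(str(data.get("version", "0")))
        status = "patched" if version >= FIXED_VERSION else "VULNERABLE"
        findings.append((manifest.parts[-3], data.get("version"), status))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: a stale 2.68 install, a patched 2.69, another extension."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "aaaa/2.68_0": {"name": "Trust Wallet", "version": "2.68"},
        "bbbb/2.69_0": {"name": "Trust Wallet", "version": "2.69"},
        "cccc/1.0_0": {"name": "Some Other Extension", "version": "1.0"},
    }
    for rel, manifest in samples.items():
        d = root / rel
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    for ext_id, version, status in scan_extensions(build_sample_tree()):
        print(f"{ext_id}\t{version}\t{status}")
```

Point `scan_extensions` at the real Extensions directory of each browser profile on the machine; a "VULNERABLE" line means a 2.68 install is still present and should be removed before the extension is reopened.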

This security incident at Trust Wallet goes far beyond a simple private key leak; it profoundly reveals an often-overlooked vulnerability in the decentralized finance (DeFi) and self-custody wallet ecosystem: reliance on centralized software distribution channels. Even if the wallet itself is non-custodial and decentralized, its client software (browser extensions, mobile apps) depends on platforms like Google Play, the Apple App Store, or the developer's official servers for updates. Once this link is compromised, all users are exposed. This underscores the need for project teams to implement rigorous pre-release code audits and supply chain security monitoring, and for users to remain cautious about any sudden update; delaying upgrades and watching community feedback are prudent strategies.

Crypto security lessons: from individual protection to ecosystem responsibility

Trust Wallet’s incident is not just a product security crisis but a stress test for the entire crypto industry. It reaffirms the heavy responsibility behind the adage “Not your keys, not your crypto.” Self-custody means full sovereignty over security is in the hands of users, but security knowledge and practices are far from universally adopted. Users must recognize that seed phrases are the ultimate defense of assets and should never be entered into any connected, unverified environment.

From a broader perspective, the security responsibilities of infrastructure providers need to be reexamined. Wallets, as gateways for users into the crypto world, should adhere to the highest security standards. This includes but is not limited to: employing multi-signature mechanisms for core code releases, establishing long-term partnerships with top security auditors for iterative reviews, creating bug bounty programs to encourage white-hat hackers to discover vulnerabilities early, and developing clear, transparent incident response and communication protocols. Patching after the fact is not enough; security must be integrated throughout the entire software development lifecycle (SDLC).

Looking ahead, combining hardware wallets with “smart contract wallets” may be a better solution. Hardware wallets isolate private keys in secure offline chips, fundamentally preventing software-based seed phrase theft; meanwhile, social recovery wallets based on smart contracts offer mechanisms to recover from key loss or compromise. Technology evolves through ongoing attack-defense cycles, and each major security incident should catalyze the industry to build more robust, user-friendly security infrastructure. For ordinary users, beyond lamenting losses, this event should serve as a profound security education, prompting a comprehensive upgrade of their asset management security levels.
