$7M crypto heist after malicious Chrome extension update. Trust Wallet confirms supply-chain attack, pledges to cover all stolen user funds.

Continue reading

A security researcher demonstrated how three patched OpenClaw vulnerabilities can be chained from a WhatsApp message to achieve credential theft, sandbox escape, and host-level code execution, exposing architectural risks in AI agents.
In a stunning breach that shattered holiday tranquility, Trust Wallet—a cornerstone cryptocurrency wallet owned by industry titan Binance—confirmed a catastrophic security failure. A hacked update to its Chrome browser extension unleashed a $7 million digital heist, draining user funds in a sophisticated supply-chain attack that has sent shockwaves through the crypto world. The incident, emerging on Christmas Eve, exposes the fragile trust underpinning critical software we rely on to guard our digital fortunes.
The crisis commenced on December 24, 2025, with the silent release of version 2.68.0 of the Trust Wallet Chrome extension. As a leading non-custodial wallet, Trust Wallet grants millions of users access to decentralized applications (dApps) and asset management. Within hours, social media transformed into a forum of panic. Users reported watching assets vanish instantly after routine transactions, with early crowd-sourced estimates of losses exceeding $2 million and climbing rapidly.
The security community sounded alarms. Analyst Akinator issued a public plea for all users to immediately stop using the extension. Trust Wallet, after initial silence, quietly pushed version 2.69 to the Chrome Web Store. Official confirmation arrived on December 25 via a social media post from Binance founder Changpeng "CZ" Zhao, who placed the damages at $7 million and unequivocally stated, "TrustWallet will cover."
Forensic analysis revealed the attack's mechanism: a classic supply chain compromise. Hackers infiltrated the extension's update pipeline, embedding poisonous code into the official version 2.68.0 package.
The core of the malicious payload was hidden within a bundled JavaScript file named `4482.js`. This file contained obfuscated code designed to perform a devastating trick. It posed as benign analytics software but actively monitored for the most sensitive user action: the entry or use of a wallet's secret recovery phrase. Upon detection, it harvested these digital keys and transmitted them to a server at the domain `api.metrics-trustwallet[.]com`.
Critical investigation revealed this domain was registered mere days before the attack and showed no legitimate affiliation with Trust Wallet. It was a perfect trap: the malicious code, operating from within the trusted extension, bypassed user suspicion and exfiltrated the very data that would grant attackers full control over wallets.
Demonstrating ruthless efficiency, the threat actors launched a parallel phishing offensive to exploit public confusion. As warnings circulated online, fraudulent social media accounts directed distressed users to a spoofed website, `fix-trustwallet[.]com`.
The site expertly mimicked Trust Wallet's branding and promised a critical security patch for the vulnerability. Users who clicked "Update" were presented with a form blatantly requesting their secret recovery phrase. This attempt to double-dip—stealing from both the compromised extension's victims and the careful users seeking a fix—highlights the attackers' calculated cruelty. WHOIS data links this phishing domain to the malicious `metrics` domain, suggesting a single coordinated actor behind both schemes.
CZ's guarantee of reimbursement ("User funds are SAFU") addresses the immediate financial loss but not the deeper breach of trust. This incident spotlights the inherent risks of the browser extension wallet model. Extensions, by design, possess high privileges to interact with websites and blockchain networks, but this also creates a broad and attractive attack surface. A compromised extension becomes a Trojan horse operating inside the user's browser, capable of observing every action and stealing every secret.
The attack raises profound questions for the entire ecosystem: How did a malicious update pass internal security checks at Trust Wallet? What safeguards failed in the Chrome Web Store's review process? This event forces a reevaluation of where and how we store digital value, pushing the conversation toward more isolated and secure solutions like hardware wallets for significant holdings.
For users navigating this new reality, specific and immediate actions are necessary. First, any individual using the Trust Wallet Chrome extension must verify they are running version 2.69 or newer. If the extension is still at version 2.68, they must not open it and should update immediately through the official Chrome Web Store.
The fundamental rule of cryptocurrency remains paramount:a secret recovery phrase must never be entered anywhere other than the official wallet interface. No legitimate update, website, or customer support representative will ever ask for it. Anyone who entered their phrase into the malicious extension or any website must consider that phrase permanently compromised. The only recourse is to move all assets to a new wallet generated from a brand-new, offline-created seed phrase*.
This event is a sobering reminder that in the digital asset space, security is a relentless practice. It underscores the need for skepticism toward urgent updates, the importance of using hardware wallets for substantial funds, and the critical habit of always verifying official communication channels. The $7 million stolen on Christmas Eve is more than a statistic; it is the price of a lesson in where our trust truly lies in the architecture of the digital future.

Millions of driver's license records were exposed in a massive data breach, raising identity theft risks and highlighting critical data security failures.