Trust Wallet Incident Deepens as CZ Suggests Possible Insider Role


Trust Wallet’s Chrome extension was compromised in a supply-chain incident that began surfacing on December 25, 2025, with an estimated $7 million stolen from users. Binance co-founder Changpeng Zhao (CZ) said affected users will be reimbursed and raised the possibility of insider involvement. The incident targeted Chrome extension version 2.68 and triggered an emergency upgrade to version 2.69.

Security researchers traced the breach to a malicious extension update distributed through the official Chrome Web Store. The injected code harvested sensitive wallet data, including private keys and seed phrases, when wallets were unlocked or interacted with, enabling rapid transfers to attacker-controlled addresses across Ethereum, Bitcoin, and Solana. Mobile app users and users on other extension versions were not affected.

Timeline and attribution questions

Investigators observed preparatory activity in early December, with the active compromise unfolding on December 25. Trust Wallet instructed users running version 2.68 to disable the extension immediately and upgrade to version 2.69 or later, warning that continued use of the vulnerable build could result in further drains. CZ confirmed the $7 million loss on December 26 and pledged full reimbursement from a dedicated user-protection fund, describing affected funds as “SAFU.”

Attention has also shifted to how the compromised update bypassed internal distribution controls. Because the malicious code appeared inside an official release delivered through normal channels, investigators are examining scenarios such as compromised developer credentials or direct internal access. CZ described the circumvention of internal security protocols as suggesting a high probability of insider involvement.

Controls and user mitigations

For wallet maintainers and enterprise teams, the incident reinforces the case for concrete supply-chain defenses. Recommended priorities include enforcing multi-factor authentication for developer accounts, applying zero-trust access controls, hardening update-signing and release pipelines, and increasing the frequency of code audits and integrity checks.

The response emphasizes reducing exposure to extension-based key handling. The recommended mitigations include delaying or independently verifying extension updates, avoiding seed-phrase imports into browser extensions, and using hardware wallets for larger balances. The episode illustrates how a trusted distribution channel can become a single point of failure once a malicious update reaches users at scale.
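As an added example (not code from the article, Trust Wallet, or Binance), the integrity check below audits an unpacked Chrome extension directory the way an enterprise team might before allowing an update: it reads manifest.json, flags the 2.68 build the article names as compromised and anything below 2.69, and compares a deterministic content hash against a hash pinned from a known-good copy, so a tampered build carrying the same version string is still caught. The extension id, the sample directories and the pinned hash are constructed placeholders, not real Trust Wallet values.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed policy: versions are the ones the article names; the id is a placeholder.
EXTENSION_ID = "EXTENSION_ID_PLACEHOLDER"
COMPROMISED_VERSIONS = {"2.68"}
MINIMUM_SAFE_VERSION = (2, 69)  # compared numerically, so 2.70 > 2.69 and 2.7 != 2.70

def content_hash(ext_dir: Path) -> str:
    """Deterministic digest over every file: relative path plus per-file sha256."""
    digest = hashlib.sha256()
    for path in sorted(p for p in ext_dir.rglob("*") if p.is_file()):
        digest.update(path.relative_to(ext_dir).as_posix().encode() + b"\0")
        digest.update(hashlib.sha256(path.read_bytes()).digest())
    return digest.hexdigest()

def audit_extension(ext_dir: Path, pinned_hash: str = "") -> dict:
    """Flag a known-bad or outdated version and any drift from the pinned release."""
    version = json.loads((ext_dir / "manifest.json").read_text()).get("version", "0")
    findings = []
    if version in COMPROMISED_VERSIONS:
        findings.append("known-compromised version")
    if tuple(int(p) for p in version.split(".")) < MINIMUM_SAFE_VERSION:
        findings.append("below minimum safe version")
    digest = content_hash(ext_dir)
    if pinned_hash and digest != pinned_hash:
        findings.append("content differs from pinned release")
    return {"version": version, "sha256": digest, "findings": findings}

def write_sample(root: Path, version: str, script: bytes) -> Path:
    """Constructed unpacked extension (<id>/<version>_0): a manifest and one script."""
    ext_dir = root / EXTENSION_ID / f"{version}_0"
    ext_dir.mkdir(parents=True)
    (ext_dir / "manifest.json").write_text(json.dumps({"version": version}))
    (ext_dir / "background.js").write_bytes(script)
    return ext_dir

def demo() -> dict:
    """Pin the clean 2.69 build, then audit a 2.68 copy and a tampered 2.69 copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        clean = write_sample(root / "a", "2.69", b"// release\n")
        pinned = content_hash(clean)
        old = write_sample(root / "b", "2.68", b"// release\n")
        tampered = write_sample(root / "c", "2.69", b"// release\n// injected\n")
        return {name: audit_extension(d, pinned)["findings"]
                for name, d in (("old", old), ("clean", clean), ("tampered", tampered))}
```

Calling demo() returns the findings for the three constructed copies; in practice the pinned hash would come from a release you built or verified yourself, not from the directory being audited.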
