Trust Wallet Chrome Extension Hack Drains $7M

Trust Wallet has officially opened a compensation process for users impacted by a security breach tied to its Chrome browser extension — a breach that drained approximately $7 million from hundreds of wallets across multiple blockchains.

The incident highlights a reality many crypto users still underestimate: browser-based wallets expand the attack surface, even when the underlying wallet provider is legitimate.

What Happened

On December 24, a malicious update was published as version 2.68 of the Trust Wallet Chrome extension. Within hours, users began reporting unexplained fund drains.

The issue was first flagged publicly by onchain investigator ZachXBT, who warned that wallets interacting with the extension shortly after the update were being compromised.

Trust Wallet later confirmed that:

  • A leaked Chrome Web Store API key allowed attackers to bypass internal release controls
  • The malicious code harvested wallet seed phrases
  • The exploit affected browser extension users only — mobile apps were not impacted

A patched version (v2.69) was released on December 25.
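A quick way to check whether a Chrome profile still holds a copy of the affected release, added here as an example (not Trust Wallet's own tooling). It uses the version numbers given above. The extension ID is a placeholder because the article does not state it, and the on-disk layout `Extensions/<id>/<version>_<n>/manifest.json` is Chrome's standard one.

```python
import json
import sys
from pathlib import Path

# Versions from the article: 2.68 carried the malicious code, 2.69 is the fix.
AFFECTED = {(2, 68)}
PATCHED_FROM = (2, 69)
# Placeholder (assumption): the article does not give the Chrome Web Store ID.
EXTENSION_ID = "EXTENSION_ID_PLACEHOLDER"


def parse_version(text):
    """Turn '2.68' or '2.68.0' into (2, 68) so trailing zeros cannot hide a match."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def classify(version):
    # "unlisted" = below the fix but not a version the article names as malicious.
    if version in AFFECTED:
        return "affected"
    return "patched" if version >= PATCHED_FROM else "unlisted"


def scan_extensions_dir(extensions_dir, extension_id=EXTENSION_ID):
    """Return [(version_string, status, manifest_path)] for every copy on disk.

    Chrome keeps each installed version in its own directory, and an old
    version directory can linger after an update, so every copy is reported
    rather than only the newest one.
    """
    findings = []
    for manifest in sorted(Path(extensions_dir, extension_id).glob("*/manifest.json")):
        try:
            raw = str(json.loads(manifest.read_text(encoding="utf-8"))["version"])
            status = classify(parse_version(raw))
        except (OSError, ValueError, KeyError):
            raw, status = "?", "unreadable"
        findings.append((raw, status, str(manifest)))
    return findings


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit('usage: check_ext.py "<Chrome profile>/Extensions" [extension-id]')
    for raw, status, path in scan_extensions_dir(*sys.argv[1:3]):
        print(f"{status:10} {raw:10} {path}")
```

An "affected" hit means the malicious build was installed in that profile. Since that build harvested seed phrases, updating to v2.69 does not undo exposure of a phrase it already handled.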

Scale of the Damage

According to Trust Wallet and blockchain security firms:

  • ~$7 million in assets were stolen
  • Funds spanned Bitcoin, Ethereum, Solana, and other chains
  • Over $4 million was already routed through centralized exchanges
  • Roughly $2.8 million remained in attacker-controlled wallets at last check

Trust Wallet’s Chrome extension reportedly has ~1 million users, meaning the attack window was narrow — but devastating for those caught in it.

Compensation: What Users Need to Know

Trust Wallet has launched an official claims process via its support portal. Affected users must submit:

  • Email address and country of residence
  • Compromised wallet address(es)
  • Attacker receiving address(es)
  • Transaction hashes linked to the theft

Trust Wallet says all verified losses will be reimbursed.

Changpeng Zhao, whose company Binance acquired Trust Wallet in 2018, publicly confirmed reimbursement:

“So far, $7m affected by this hack. TrustWallet will cover.”

Users are also being warned about fake compensation forms and impersonation scams circulating in the aftermath.

The Uncomfortable Part

This wasn’t a smart contract exploit.
This wasn’t user error.
This wasn’t a phishing link.

This was a supply-chain attack delivered through a trusted browser extension update.

That’s the uncomfortable part.

Browser wallets sit at the intersection of:

  • Hot keys
  • Third-party update infrastructure
  • Web permissions
  • Open-source dependencies

When something goes wrong, keys are already exposed — and compensation, while welcome, is damage control, not prevention.

The Bigger Trend

This incident fits into a broader pattern:

  • Personal wallet compromises are rising sharply
  • Attackers are shifting from DeFi exploits to endpoint attacks
  • Browser extensions are increasingly targeted due to scale and convenience

Chainalysis estimates crypto theft reached $6.75B in 2025, with personal wallet compromises more than doubling year over year.

Convenience keeps winning — until it doesn’t.

The Hard Truth

Trust Wallet handled the aftermath responsibly.
The reimbursement matters.
The transparency matters.

But the takeaway is simple:

Anything that keeps your private keys connected to the internet remains a risk — no matter how reputable the brand is.

That’s not fear. That’s architecture.
