During the recent Christmas holiday, Trust Wallet, the widely used non-custodial wallet, confirmed a serious supply chain attack. Official reports have verified that the security breach resulted in approximately $7 million in losses, directly impacting 2,596 wallet addresses.
Despite the severity of the incident, Trust Wallet leadership and Binance co-founder Changpeng Zhao (CZ) have issued a clear commitment: Trust Wallet will cover all verified losses, ensuring that user funds remain "SAFU."
Incident Analysis: How the $7 Million Exploit Occurred
The root cause of the breach has been traced to Trust Wallet Chrome Browser Extension version 2.68.
- The Attack Vector: Attackers managed to compromise the distribution channel, potentially through a leaked Chrome Web Store API key, to push a malicious update.
- Technical Details: Security firms like SlowMist identified that the attackers implanted a backdoor in the extension's code. This malicious script targeted mnemonic phrases and private keys, exfiltrating sensitive data to an attacker-controlled server using the legitimate posthog-js analytics library as a cover.
- Scope of Impact: The breach was highly specific, only affecting desktop users who used or logged into the v2.68 extension between December 24 and December 26, 2025. Mobile app users and those on other browser versions were not impacted.
The Trust Wallet Compensation Plan: Processing 2,596 Legitimate Claims
Trust Wallet CEO Eowyn Chen recently provided an update on the reimbursement roadmap. While 2,596 affected wallet addresses have been identified, the team has already received nearly 5,000 claims, many of which appear to be duplicates or fraudulent attempts to exploit the refund process.
Guide for Affected Users to Claim Reimbursement:
- Verification Phase: The team is currently performing on-chain forensics to verify every claim against the identified list of compromised addresses.
- Submission Portal: Victims are instructed to use the official Trust Wallet Support Form to submit their details.
- Required Information: You will need to provide your contact email, the compromised wallet address, the attacker's destination address, and the specific transaction hashes (TXIDs) of the unauthorized transfers.
Essential Security Measures for Trust Wallet Users
In light of this recent security breach, all users should take immediate steps to secure their digital assets:
- Update Immediately: Ensure your extension is updated to v2.69 or higher. Version 2.68 should be disabled and removed immediately.
- Migrate Funds: Security experts recommend that anyone who interacted with the compromised v2.68 version should create a brand-new wallet address (with a new recovery phrase) and move any remaining funds there.
- Stay Alert for Scams: Be wary of fake "compensation" websites or Telegram accounts. Trust Wallet will never ask for your recovery phrase or private keys to process a refund.
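An added example (not from Trust Wallet or the original article) for the update check above: a Python audit that walks a Chrome user-data directory and flags any profile still holding a 2.68 build of a given extension. The extension ID is a placeholder, the sample profile tree is constructed, and treating every 2.68.x build as affected is an assumption.

```python
import json
import tempfile
from pathlib import Path

BAD = (2, 68)    # version the article names as backdoored
FIXED = (2, 69)  # minimum version the article recommends

def parse_version(text):
    """Chrome versions are 1-4 dot-separated integers; trailing zeros are dropped."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def classify(version_text):
    v = parse_version(version_text)
    if v[:2] == BAD:  # assumption: any 2.68.x build is treated as affected
        return "COMPROMISED"
    return "ok" if v >= FIXED else "outdated"

def audit(user_data_dir, ext_id):
    """Return sorted (profile, version, verdict) for each installed copy of ext_id."""
    findings = []
    pattern = f"*/Extensions/{ext_id}/*/manifest.json"
    for manifest in Path(user_data_dir).glob(pattern):
        try:
            version = json.loads(manifest.read_text(encoding="utf-8-sig"))["version"]
            verdict = classify(version)
        except (OSError, ValueError, KeyError, TypeError, AttributeError):
            continue  # unreadable or malformed manifest: skip it, keep auditing
        findings.append((manifest.parents[3].name, version, verdict))
    return sorted(findings)

def build_sample_tree(root, ext_id):
    """Constructed sample data: three fake Chrome profiles with different versions."""
    samples = [("Default", "2.68.0"), ("Profile 1", "2.69.0"), ("Profile 2", "2.67.3")]
    for profile, ver in samples:
        d = Path(root) / profile / "Extensions" / ext_id / f"{ver}_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": "sample", "version": ver}))
    return root

if __name__ == "__main__":
    EXT_ID = "a" * 32  # placeholder; use the ID shown on chrome://extensions
    with tempfile.TemporaryDirectory() as tmp:
        for row in audit(build_sample_tree(tmp, EXT_ID), EXT_ID):
            print(*row, sep="\t")
```

Point `audit()` at the real user-data directory (for example `~/.config/google-chrome` on Linux or `%LOCALAPPDATA%\Google\Chrome\User Data` on Windows) together with the ID shown on chrome://extensions.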
Industry Impact: The Resilience of Non-Custodial Wallets
This incident highlights a critical vulnerability in the distribution of non-custodial tools. While the wallet itself is decentralized, the "supply chain" (like the Chrome Web Store) remains a centralized point of failure. However, Trust Wallet's rapid response and full-reimbursement pledge have set a new industry standard for platform accountability.
As we move into a more regulated era, the ability of a provider to offer a full compensation commitment after a major exploit may become a key factor in maintaining user trust and long-term adoption.
Summary:
Trust Wallet’s proactive approach to the 2,596 affected wallets has significantly calmed the community. By identifying the exact vulnerability in its browser extension and providing a clear path to recovery, the platform is working to restore its reputation as a leading gateway to Web3.
