CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

Trust Wallet Chrome Extension Compromise Exposes $7M in Crypto Losses

Trust Wallet has disclosed a security incident affecting version 2.68 of its Google Chrome browser extension, resulting in the theft of approximately $7 million in cryptocurrency.

The incident stemmed from malicious code embedded directly into the extension’s internal logic, enabling attackers to exfiltrate users’ mnemonic recovery phrases. Trust Wallet has released version 2.69 to remediate the issue and pledged to refund affected users.

Context

Trust Wallet is a multi-chain, non-custodial cryptocurrency wallet with millions of users across mobile and browser platforms.

Browser extensions are a particularly sensitive attack surface in crypto ecosystems because they often manage private keys and recovery phrases directly within the user’s environment.

What Happened

Trust Wallet confirmed that only Chrome extension version 2.68 was impacted.

Attackers were able to extract mnemonic phrases from users’ wallets, leading to unauthorized asset transfers totaling roughly $7 million. Mobile apps and other browser extensions were not affected.

Trust Wallet responded by pulling the compromised version, releasing an updated build, and warning users to avoid unsolicited messages not originating from official channels.

Technical Breakdown

Blockchain security firm SlowMist determined that malicious logic was introduced into the extension’s analytics workflow.

The compromised code iterated through all wallets stored in the extension and triggered a request for the mnemonic phrase during wallet unlock. Once the mnemonic had been decrypted with the user’s password, it was transmitted to an attacker-controlled endpoint.

The attacker used a domain registered shortly before the campaign began and leveraged the legitimate open-source analytics library PostHog to blend exfiltration traffic into normal telemetry flows.
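One way a release pipeline could surface a new telemetry destination of the kind described above, as an added example that is not Trust Wallet's or SlowMist's code: it lists every host a built bundle references, flags those outside a reviewed allowlist, and reports hosts that did not appear in the previous release. The hostnames, allowlist and bundle strings are constructed; `api_host` is the PostHog JavaScript client option that sets the ingestion endpoint.

```javascript
// Added example: release-gate check over an extension's built JavaScript.
// Hostnames and bundle strings below are constructed for illustration.
const ALLOWED_HOSTS = new Set(["telemetry.wallet.example", "rpc.wallet.example"]);

const PREV_BUNDLE = [
  'posthog.init("phc_constructed", { api_host: "https://telemetry.wallet.example" });',
  'fetch("https://rpc.wallet.example/v1/balance");',
].join("\n");

// Same as the previous build plus a second analytics init pointed at an unreviewed host.
const NEXT_BUNDLE = PREV_BUNDLE + "\n" +
  'posthog.init("phc_constructed2", { api_host: "https://metrics.unreviewed.example" });';

// Every absolute http(s)/ws(s) URL host that appears anywhere in the source text.
function extractHosts(source) {
  const hosts = new Set();
  for (const m of source.matchAll(/\b(?:https?|wss?):\/\/([a-z0-9.-]+)/gi)) {
    hosts.add(m[1].toLowerCase());
  }
  return hosts;
}

// Hosts assigned to PostHog's `api_host` option (the telemetry ingestion endpoint).
function extractAnalyticsHosts(source) {
  const hosts = new Set();
  const re = /api_host["']?\s*:\s*["'](?:https?:\/\/)?([a-z0-9.-]+)/gi;
  for (const m of source.matchAll(re)) hosts.add(m[1].toLowerCase());
  return hosts;
}

// Findings for any destination outside the allowlist; analytics hosts are labelled as such.
function auditBundle(source, allowed = ALLOWED_HOSTS) {
  const analytics = extractAnalyticsHosts(source);
  return [...new Set([...analytics, ...extractHosts(source)])]
    .filter((host) => !allowed.has(host))
    .sort()
    .map((host) => ({ kind: analytics.has(host) ? "analytics-host" : "url-host", host }));
}

// Hosts present in the new build that the previous release never referenced.
function newHosts(prevSource, nextSource) {
  const prev = extractHosts(prevSource);
  return [...extractHosts(nextSource)].filter((h) => !prev.has(h)).sort();
}

console.log(auditBundle(NEXT_BUNDLE), newHosts(PREV_BUNDLE, NEXT_BUNDLE));
```

String matching of this kind only catches destinations that appear literally in the bundle, so it complements rather than replaces reviewing the diff between published builds.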

Impact Analysis

Stolen assets included Bitcoin, Ethereum, and Solana, with hundreds of victims identified.

According to blockchain investigators, including ZachXBT and PeckShield, a large portion of the funds was laundered through centralized exchanges and cross-chain bridges, complicating recovery efforts.

Approximately $2.8 million remains in attacker-controlled wallets, while more than $4 million has already passed through exchanges.

Why It Matters

This incident highlights a critical escalation in supply-chain risk within the crypto ecosystem.

Unlike typical attacks involving malicious third-party dependencies, this compromise originated from direct modification of first-party application code. Such attacks are significantly harder to detect, and they bypass many traditional security controls.

Expert Commentary

SlowMist noted that the attacker abused legitimate analytics tooling rather than introducing obvious malware.

Changpeng Zhao, whose company Binance owns Trust Wallet, suggested the breach may involve insider access or compromised developer environments, though investigations remain ongoing.

Key Takeaways

  • The incident affected only Trust Wallet Chrome extension version 2.68

  • Approximately $7 million in crypto assets were stolen

  • Attackers extracted mnemonic phrases using modified internal code

  • Legitimate analytics tooling was used for covert data exfiltration

  • Browser wallet extensions remain a high-risk attack surface

  • Immediate updates and credential rotation are critical after such events
