Plugin Wallet Security Incident Overview: Plagued by Counterfeit Software and Phishing Attacks, Direct Official Vulnerabilities Are Few


BlockBeats, 2025/12/26 01:53

BlockBeats News, December 26th. This morning, Trust Wallet officially confirmed a security vulnerability in version 2.68 of the Trust Wallet browser extension. According to monitoring by on-chain detective ZachXBT, hundreds of Trust Wallet users have already had their funds stolen, with losses totaling at least $6 million. Several mainstream browser extension wallets have experienced the following security incidents:


The Trust Wallet browser extension was previously found to have a WebAssembly vulnerability in November 2022, affecting only new wallet addresses created between November 14th and 23rd, 2022. This led to approximately $170,000 being stolen. Trust Wallet discovered the issue through a bug bounty program, patched the vulnerability, and provided full compensation to affected users.


MetaMask experienced the "Demonic" vulnerability in 2022, which affected versions older than 10.11.3 and could expose private keys in the browser's memory. However, there were no known large-scale fund losses. Between 2023 and 2025, the official MetaMask wallet extension operated securely, but its users were frequently affected by fake extensions. A Chainalysis report showed a significant increase in theft incidents affecting MetaMask users in 2025, primarily due to counterfeit malicious software and phishing rather than the security of the plugin wallet itself. MetaMask now releases monthly security reports on this matter. However, as a popular Ethereum plugin wallet, it remains a primary target for counterfeiting.


Phantom (the main Solana wallet extension) was also affected by the "Demonic" vulnerability in 2022, without any known major fund losses. In early 2025, a security controversy involving the Phantom wallet extension emerged when a user lost $500,000 in a hacker attack, due to private keys being stored in memory without encryption by Phantom. A class-action lawsuit was filed in the Southern District of New York. The Phantom team strongly denied all charges, stating that the lawsuit was "baseless" and emphasizing that Phantom is a non-custodial wallet, with users bearing the responsibility for fund security.


Rabby Wallet (DeFi-friendly extension) suffered a hack in 2022 due to a Rabby Swap vulnerability, resulting in hackers stealing approximately $200,000 in crypto assets. The vulnerability originated not from the plugin itself but from the built-in Swap feature.


The most common way for browser extension wallets to be compromised is through downloads of counterfeit apps. In 2025, multiple such incidents occurred in the Firefox store, affecting several mainstream crypto plugin wallets, including MetaMask, Phantom, and Trust Wallet. In contrast, direct vulnerabilities in the official plugins are relatively rare. Users are advised to only download from the official Chrome Web Store to ensure fund security.
