Trust Wallet browser extension attacked with losses exceeding $6 million, official patch urgently released

The attacker began preparations at least as early as December 8, successfully implanted a backdoor on December 22, and started transferring funds on Christmas Day, December 25.

Written by: ChandlerZ, Foresight News

On the morning of December 26, Trust Wallet issued a security alert, confirming that version 2.68 of the Trust Wallet browser extension contains a security vulnerability. Users of version 2.68 should immediately disable the extension and upgrade to version 2.69 via the official Chrome Web Store link.

According to monitoring by PeckShield, hackers exploiting the Trust Wallet vulnerability have stolen over $6 million in crypto assets from victims.

Currently, about $2.8 million of the stolen funds remain in the hacker's wallet (Bitcoin / EVM / Solana), while over $4 million in crypto assets have been transferred to centralized exchanges, specifically: approximately $3.3 million to ChangeNOW, about $340,000 to FixedFloat, and around $447,000 to Kucoin.

As the number of affected users surged, code audits targeting Trust Wallet version 2.68 were promptly launched. Security analysis team SlowMist, by comparing the source code differences between 2.68.0 (the compromised version) and 2.69.0 (the patched version), discovered that the hacker had implanted seemingly legitimate data collection code, turning the official plugin into a privacy-stealing backdoor.

Analysis: Trust Wallet-Related Developer Devices or Code Repositories May Have Been Compromised

According to the SlowMist security team, the core vector of this attack was confirmed to be version 2.68.0 of the Trust Wallet browser extension. By comparing it with the patched 2.69.0 version, security personnel found a highly disguised piece of malicious code in the old version, as shown in the images below.

The backdoor code added PostHog to collect various private information from wallet users (including mnemonic phrases) and sent it to the attacker's server at api.metrics-trustwallet[.]com.

Based on code changes and on-chain activity, SlowMist provided an estimated timeline for the attack:

• December 8: The attacker began relevant preparations;
• December 22: Successfully launched the backdoored 2.68 version;
• December 25: Taking advantage of the Christmas holiday, the attacker began transferring funds using stolen mnemonic phrases, after which the incident was exposed.

Additionally, SlowMist's analysis suggests that the attacker is very familiar with the Trust Wallet extension's source code. Notably, the current patched version (2.69.0) has cut off the malicious transmission but has not removed the PostHog JS library.

At the same time, SlowMist's Chief Information Security Officer, 23pds, posted on social media, stating, "Based on SlowMist's analysis, there is reason to believe that devices or code repositories related to Trust Wallet developers may have been compromised by the attacker. Please immediately disconnect from the internet and inspect relevant personnel's devices." He pointed out, "Users affected by the Trust Wallet version must disconnect from the internet before exporting mnemonic phrases to transfer assets. Otherwise, opening the wallet online will result in asset theft. Those with mnemonic backups should transfer assets first, then upgrade the wallet."

Frequent Security Incidents Involving Extensions

He also noted that the attacker seems very familiar with the Trust Wallet extension source code and implanted PostHog JS to collect various wallet user information. Currently, the Trust Wallet patched version has not removed PostHog JS.

This official Trust Wallet version turning into a trojan has reminded the market of several high-risk attacks on hot wallet frontends in recent years. From attack methods to vulnerability causes, these cases provide important reference points for understanding this incident.

• When Official Channels Are No Longer Safe

The most similar to this Trust Wallet incident are attacks targeting software supply chains and distribution channels. In such cases, users are victimized not because of any mistake, but precisely because they downloaded "official software."

Ledger Connect Kit Poisoning Incident (December 2023): The hardware wallet giant Ledger's frontend codebase was compromised by hackers through phishing, who uploaded a malicious update package. This led to the frontends of several major dApps, including SushiSwap, being contaminated, popping up fake connection windows. This incident is considered a textbook example of a "supply chain attack," proving that even companies with excellent security reputations can have their Web2 distribution channels (such as NPM) become single points of failure.

Hola VPN and Mega Extension Hijacking (2018): As early as 2018, the Chrome extension developer account of the well-known VPN service Hola was hacked. The hacker pushed an "official update" containing malicious code, specifically monitoring and stealing MyEtherWallet users' private keys.

• Code Defects: The "Naked" Risk of Mnemonics

Besides external poisoning, implementation flaws in how wallets handle sensitive data such as mnemonics and private keys can also lead to large-scale asset losses.

Slope Wallet Logging Sensitive Information Controversy (August 2022): The Solana ecosystem experienced a large-scale crypto theft, with post-incident investigation reports focusing on the Slope wallet. A certain version sent private keys or mnemonic phrases to Sentry services (referring to Sentry services privately deployed by the Slope team, not official Sentry interfaces and services). However, security companies also analyzed that investigations into the Slope wallet app have so far been unable to conclusively prove that the root cause lies with the Slope wallet, and much technical work remains to be done to explain the fundamental cause of the incident.

Trust Wallet Low-Entropy Key Generation Vulnerability (disclosed as CVE-2023-31290, exploitation traceable to 2022/2023): The Trust Wallet browser extension was previously disclosed to have insufficient randomness: attackers could exploit the enumerability of only a 32-bit seed to efficiently identify and derive potentially affected wallet addresses within a certain version range, thereby stealing funds.

• The Battle Between "Official" and "Fake" Plugins

Extension wallets and browser search ecosystems have long been plagued by fake plugins, fake download pages, fake update pop-ups, and fake customer service messages. If users install from unofficial channels or enter mnemonic phrases/private keys on phishing pages, their assets can be instantly wiped out. When even official versions may pose risks, users' security boundaries are further compressed, and secondary scams often surge in the chaos.

As of press time, Trust Wallet has urged all affected users to update their versions as soon as possible. However, with the continued movement of stolen funds on-chain, the aftershocks of this "Christmas Heist" are clearly not over.

Whether it's Slope's plaintext logs or Trust Wallet's malicious backdoor, history repeats itself in astonishing ways. This once again reminds every crypto user not to blindly trust any single software terminal. Regularly check authorizations, diversify asset storage, and remain vigilant about abnormal version updates—these may be the survival rules for traversing the crypto dark forest.