Trust Wallet, one of the most popular self-custody wallets,  is at the center of a brewing scandal.  Trust Wallet funds are vanishing after a Chrome extension update, with on-chain sleuth ZachXBT flagging over $6 million stolen from hundreds of wallets. Trust Wallet quickly confirmed a vulnerability in version 2.68, urging immediate upgrades.

Image Source: Trust Wallet

The Breach Unfolds

Panic hit crypto circles on Christmas morning when users reported their BTC, ETH, and BNB vanishing without a trace. Trust Wallet's browser extension version 2.68, updated just a day prior. On-chain data showed attackers siphoning funds in minutes, with totals climbing past $6 million across multiple addresses.​ ZachXBT flagged the issue early, noting unauthorized outflows hours after the update. Users who imported seed phrases into the extension saw balances zero out instantly, no phishing links, no extra approvals needed. Independent researchers spotted shady code in a file called 4482.js, which beamed sensitive data to a sketchy domain: metrics-trustwallet.com, registered days earlier and now offline.​

Trust Wallet Responds

Trust Wallet confirmed the vulnerability Thursday, pinning it solely on extension v2.68. "Disable it now and upgrade to 2.69 via the official Chrome Web Store," they posted on X, stressing mobile apps and other versions stayed safe. The team promised a full investigation update soon, but the damage was done, funds funneled through attacker wallets in automated sweeps.​ This isn't Trust Wallet's first scare. Back in 2022, a Wallet Core bug cost users $170k, fixed via bug bounties and reimbursements. Ledger even exposed a seed generation flaw earlier this year that could have wiped out millions. Each time, quick patches followed, but trust takes a hit.​

What Went Wrong?

Experts point to a supply-chain attack, where hackers injected malware into the update process. The JavaScript snippet posed as analytics but triggered on seed imports, exfiltrating keys for instant drains. Browser extensions' broad permissions make them prime targets.​ On-chain patterns screamed automation: no user sign-offs, just rapid consolidations to hacker hubs. Affected wallets spanned chains, hitting holiday traders hardest.​

How to Protect Yourself Now

1. Uninstall v2.68 immediately.

2. Grab v2.69 only from chrome.google.com/webstore.

3. Revoke all permissions and check the tx history on Etherscan/BscScan.

4. Never import seeds into browsers again.

5. Enable 2FA everywhere and watch for unsolicited approvals.​

6. Community tips: Move assets to fresh wallets, avoid shady dApps, and verify every extension source. Trust Wallet urged the same, but skeptics demand compensation details.​

Wake-Up Call for Wallets

This Christmas hack exposes crypto's soft underbelly, browser extensions as hacker playgrounds. With DeFi booming, one bad update can torch millions. Trust Wallet, with 100M+ downloads, must tighten code reviews and audits.​ Regulators might circle too, as supply-chain risks echo SolarWinds or last year's wallet flaws. Users, stay vigilant: Your seed is your kingdom. Diversify storage, skip hot extensions for big holds, and follow sleuths like ZachXBT.