- Trust Wallet Chrome extension 2.68 linked to wallet drains across multiple blockchains, prompting urgent security alerts.
- Users reported instant losses after importing seed phrases; one post cited a $700K drain.
- Security fix 2.69 released; users urged to move funds, verify software, and avoid risky browser extensions.
A large number of cryptocurrency users reported unauthorized wallet drains on Christmas Day, raising alarms throughout the self-custody community. The issue was first brought to light by on-chain investigator ZachXBT, after he received several independent reports from impacted users and issued a public alert.
In a matter of hours, warnings spread like wildfire on Telegram and X, with initial indications pointing to a possible large-scale security incident: early signs that losses could be upwards of $6 million across several blockchains, including EVM-compatible networks, Bitcoin, and Solana.
It thus began as an isolated incident and quickly blew up into a wider investigation involving supply-chain compromise indicators.
Trust Wallet Browser Extension Under Scrutiny
Reports connected the drains to Trust Wallet’s Chrome browser extension. ZachXBT emphasized the timing coincided with version 2.68, released December 24. Researchers examining the extension noted a JavaScript file, 4482.js, with undocumented code.
They claimed it monitored wallet activity and transmitted data to a domain recently registered as metrics-trustwallet[.]com. Consequently, some suggested a possible supply-chain compromise, although official verification remained pending. Users reported funds draining almost immediately after importing seed phrases into the extension. One account alone claimed a $700,000 loss.
Official Response and Security Guidance
Trust Wallet confirmed version 2.68 faced a security issue and urged users to disable it immediately. They released version 2.69 as a fix and reassured mobile users were unaffected.
Security researchers recommended moving remaining funds to fresh wallets, avoiding unnecessary extensions, and verifying software exclusively through official sources. Additionally, disconnecting affected machines from the internet remains a precautionary measure.
