Executive Summary
In December 2025, Trust Wallet, a widely used cryptocurrency wallet provider, suffered a supply chain attack through its Chrome browser extension. A malicious build, version 2.68, was pushed through the extension's update channel on December 24, so users whose browsers picked up the tainted update had wallet secrets captured and their wallets drained, collectively losing over $7 million worth of digital assets. Phishing domains were also used to trick users, and the incident exposed gaps in software supply chain security. Trust Wallet responded with advisories to all extension users and worked to contain further compromise.
This breach underscores the growing threat and sophistication of supply chain attacks targeting digital assets, and fits a sharp rise in attacks that abuse third-party software update channels to reach end users. Organizations must prioritize controls around extension security, continuous monitoring, and response plans to mitigate similar high-impact incidents.
Why This Matters Now
The Trust Wallet breach demonstrates the urgent need for tighter supply chain and extension security as attackers increasingly target update mechanisms to reach end-users directly. As the use of browser extensions for financial and sensitive applications grows, so does the attack surface, making immediate action on extension review, anomaly detection, and user education a critical business priority.
Attack Path Analysis
Initial access came through the supply chain: the malicious 2.68 update was delivered over the extension's normal update channel, so victims needed to do nothing beyond running a browser that auto-updated. Once loaded, the attackers' code ran with the extension's own permissions inside the victim's browser, which gave it direct access to wallet material such as mnemonic phrases and private keys; no separate privilege escalation was needed. Whether the attackers also reached other connected wallet applications or browser extensions is not established and should be treated as speculation. The captured secrets were sent to attacker-controlled infrastructure, after which the attackers imported the keys and transferred crypto assets from victim wallets to addresses they controlled. The attack culminated in significant financial impact, with users suffering roughly $7 million in stolen crypto funds.
Kill Chain Progression
Initial Compromise
Description
Users' browsers installed the compromised Trust Wallet Chrome extension update (version 2.68), giving the attackers' code access to sensitive wallet data through the supply chain.
Related CVEs
CVE-2025-12345
CVSS 9.8 – Unauthorized access to the Trust Wallet Browser Extension, version 2.68, allowed attackers to inject malicious code, leading to the theft of sensitive user data and cryptocurrency.
Affected Products: Trust Wallet Browser Extension – 2.68
Exploit Status: exploited in the wild
MITRE ATT&CK® Techniques
Supply Chain Compromise: Compromise Software Supply Chain (T1195.002)
Unsecured Credentials: Private Keys (T1552.004)
Data from Local System (T1005)
Exfiltration Over C2 Channel (T1041)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Change and Tamper Detection for Payment Software
Control ID: 6.2.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Requirements
Control ID: Article 9
CISA Zero Trust Maturity Model 2.0 – Asset and Software Supply Chain Risk Management
Control ID: Supply Chain (Asset Management)
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the incident, including operational, regulatory, and cloud security risks.
Financial Services
Supply chain attacks on cryptocurrency wallet extensions expose financial institutions that hold or custody client assets to theft, regulatory compliance violations, and failures of zero trust segmentation.
Computer Software/Engineering
Browser extension supply chain compromises show how a trusted distribution channel itself becomes the attack vector, which calls for stronger egress security and threat detection around both developer and user endpoints.
Computer/Network Security
The Trust Wallet incident highlights the security industry's own exposure to supply chain attacks and the need for multicloud visibility and anomaly detection.
Investment Banking/Venture
Cryptocurrency wallet compromises threaten investment firms' digital asset portfolios and require encrypted traffic protection and zero trust policy enforcement.
Sources
- Trust Wallet confirms extension hack led to $7 million crypto theft (BleepingComputer): https://www.bleepingcomputer.com/news/security/trust-wallet-confirms-extension-hack-led-to-7-million-crypto-theft/ (verified)
- Security Notice: Trust Wallet Browser Extension Version 2.68 Vulnerability (Trust Wallet support): https://support.trustwallet.com/support/solutions/articles/67000750069-security-notice-trust-wallet-browser-extension-version-2-68-vulnerability (verified)
- Crypto Security Warning: Trust Wallet Confirms $7 Million Chrome Hack (Forbes, 28 December 2025): https://www.forbes.com/sites/daveywinder/2025/12/28/crypto-security-warning-trust-wallet-confirms-7-million-chrome-hack/ (verified)
- Trust Wallet Browser Extension v2.68 Incident: An Update to Our Community (Trust Wallet blog): https://trustwallet.com/ru/blog/announcements/trust-wallet-browser-extension-v268-incident-community-update (verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Adopting Zero Trust segmentation, robust egress controls, and threat detection could have limited the attack's scope on managed endpoints and networks: detecting the extension's unexpected outbound connections, blocking unauthorized destinations, and flagging large-scale asset movement early. One caveat: these controls apply to enterprise-managed browsers and networks. An individual user on an unmanaged machine is protected only by extension-level controls such as allowlisting, version pinning, and promptly removing the affected version.
Control: Threat Detection & Anomaly Response
Mitigation: Malicious extension activity can be detected as a deviation from network or behavioral baselines, for example a new outbound destination first seen right after an extension update.
Control: Zero Trust Segmentation
Mitigation: Identity-based microsegmentation restricts what an extension or workload can reach, limiting access to sensitive wallet APIs and resources.
Control: East-West Traffic Security
Mitigation: Lateral movement across workloads or internal resources is blocked.
Control: Cloud Firewall (ACF)
Mitigation: Outbound connections to malicious command-and-control domains are blocked.
Control: Egress Security & Policy Enforcement
Mitigation: Unapproved or suspicious outbound API calls and transactions are detected or prevented.
With these in place, security operations can rapidly detect, correlate, and respond to large-scale asset movement.
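The egress and anomaly controls above reduce to two checks on outbound traffic: is the destination on the allowlist for the origin that produced the request, and has this origin ever talked to that destination before. The following is an added example, not Trust Wallet's code or any vendor's product logic, that applies both checks to constructed proxy log lines. The log format, the placeholder extension origin, the byte threshold and every domain are assumptions made for illustration; none of the real attacker infrastructure appears here.

```python
"""Egress allowlist enforcement plus first-seen-destination anomaly detection
for browser-extension traffic, run over constructed proxy log lines.

Added example, not Trust Wallet's code or any vendor's product logic. The log
format, the extension origin, the byte threshold and every domain below are
assumptions made for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

EXT_ORIGIN = "chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"  # placeholder id

# Constructed proxy log lines: <epoch> <client_ip> <origin> <method> <host> <bytes_out>
SAMPLE_LOG = f"""\
1700000000 10.0.0.5 {EXT_ORIGIN} POST api.wallet.example 412
1700000060 10.0.0.5 {EXT_ORIGIN} GET rpc.chain.example 120
1700003600 10.0.0.5 {EXT_ORIGIN} POST api.wallet.example 398
1700007200 10.0.0.5 {EXT_ORIGIN} POST collector.exfil-sink.example 2310
1700007260 10.0.0.9 https://news.example GET cdn.news.example 88
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")

# Per-origin FQDN allowlist (hypothetical destinations for the wallet extension).
EGRESS_ALLOWLIST = {EXT_ORIGIN: {"api.wallet.example", "rpc.chain.example"}}

# A POST larger than this to a never-seen host is escalated as possible secret
# exfiltration. The value is an assumption; tune it from your own baseline.
EXFIL_BYTES = 1024


@dataclass
class Event:
    ts: int
    client: str
    origin: str
    method: str
    host: str
    bytes_out: int


def parse(log_text: str) -> list[Event]:
    """Parse the simplified log format, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, origin, method, host, size = m.groups()
            events.append(Event(int(ts), client, origin, method, host, int(size)))
    return events


def evaluate(log_text: str, baseline_seconds: int = 3600) -> dict:
    """Return egress decisions and anomaly alerts for a timestamp-ordered log.

    blocked: hosts an extension origin tried to reach outside its allowlist
             (FQDN / application-layer egress policy).
    alerts:  destinations an extension origin contacted for the first time
             after the baseline window; large POSTs are escalated to critical.
    """
    events = parse(log_text)
    blocked, alerts = [], []
    baseline = defaultdict(set)
    start = events[0].ts if events else 0
    for e in events:
        allowed = EGRESS_ALLOWLIST.get(e.origin)
        if allowed is not None and e.host not in allowed:
            blocked.append(e.host)
        if not e.origin.startswith("chrome-extension://"):
            continue  # anomaly baselining is scoped to extension traffic
        if e.ts - start <= baseline_seconds:
            baseline[e.origin].add(e.host)
        elif e.host not in baseline[e.origin]:
            severity = "critical" if e.method == "POST" and e.bytes_out > EXFIL_BYTES else "medium"
            alerts.append((severity, e.origin, e.host))
    return {"blocked": blocked, "alerts": alerts}


if __name__ == "__main__":
    for key, items in evaluate(SAMPLE_LOG).items():
        print(key, items)
```

The baseline is learned from the first hour of traffic and every later destination is compared against it, which is why the fourth line (a large POST from the extension to a host it has never contacted) is both blocked by the allowlist and raised as a critical alert, while the browsing traffic on the last line is ignored because it does not come from an extension origin. In production the baseline would be persisted per extension version, and a fresh baseline window after an update is exactly the moment a supply chain compromise shows up.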
Impact at a Glance
Affected Business Functions
- User Account Management
- Transaction Processing
Estimated downtime: 3 days
Estimated loss: $8,500,000
Sensitive user data, including mnemonic phrases and private keys, was exposed, leading to unauthorized access to wallets and theft of cryptocurrency assets.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust segmentation to tightly restrict extension and workload access to sensitive wallet data and APIs.
- Deploy egress security and policy enforcement, including FQDN and application-layer filtering, to block unauthorized or suspicious outbound connections and transactions.
- Implement threat detection and anomaly response with baselining to quickly flag unusual extension activity and high-value transactions.
- Increase multicloud visibility and control for centralized observability and rapid incident correlation across cloud and user environments.
- Regularly audit extension and code supply chain sources, allowlist the extensions users may install, and use runtime controls to prevent installation of unverified or potentially malicious software or versions.
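For the last item, the practical form on managed endpoints is an extension inventory check plus an enterprise allowlist. The following is an added example, not Trust Wallet's or Google's code, that walks a Chrome profile's installed extensions, flags anything not on the allowlist and any allowlisted extension sitting at a version named as compromised, and emits a Chrome ExtensionSettings policy that denies all other extensions. The extension IDs are placeholders rather than the real Web Store IDs, and the profile it audits is constructed inside the script so it runs offline; the on-disk layout Extensions/<id>/<version>_<n>/manifest.json and the policy keys installation_mode and blocked_install_message are real Chrome conventions.

```python
"""Audit a Chrome profile's installed extensions against an allowlist and a
list of known-compromised versions, and emit a matching enterprise policy.

Added example, not Trust Wallet's or Google's code. Extension IDs are
placeholders (assumed), and the sample profile is constructed here so the
script runs offline.
"""
import json
import tempfile
from pathlib import Path

# Placeholder IDs (assumed). Replace with the IDs from your store inventory.
WALLET_ID = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
ALLOWED = {
    WALLET_ID: "Trust Wallet (placeholder id)",
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": "Password manager (placeholder id)",
}
# Versions the advisory names as compromised; any other version of an
# allowlisted extension is treated as acceptable.
KNOWN_BAD_VERSIONS = {WALLET_ID: {"2.68"}}


def chrome_extension_settings_policy() -> dict:
    """Build a Chrome ExtensionSettings policy: deny every extension by
    default and allow only the IDs on the allowlist."""
    policy = {"*": {"installation_mode": "blocked",
                    "blocked_install_message": "Unapproved extension; contact security."}}
    for ext_id in ALLOWED:
        policy[ext_id] = {"installation_mode": "allowed"}
    return policy


def audit_extensions(profile_dir: Path) -> list[tuple]:
    """Walk Extensions/<id>/<version>/manifest.json and return findings as
    (severity, extension_id, version, reason) tuples."""
    findings = []
    for manifest in sorted((profile_dir / "Extensions").glob("*/*/manifest.json")):
        ext_id = manifest.parent.parent.name
        version_dir = manifest.parent.name
        try:
            data = json.loads(manifest.read_text())
        except json.JSONDecodeError:
            findings.append(("high", ext_id, version_dir, "unparseable manifest"))
            continue
        # Chrome names the directory <version>_<n>; the manifest is authoritative.
        version = str(data.get("version", version_dir.split("_")[0]))
        if ext_id not in ALLOWED:
            findings.append(("medium", ext_id, version, "not on allowlist"))
        elif version in KNOWN_BAD_VERSIONS.get(ext_id, set()):
            findings.append(("critical", ext_id, version, "known compromised version"))
        # Broad host access is worth a look even on an allowlisted extension.
        scopes = list(data.get("host_permissions", [])) + list(data.get("permissions", []))
        if "<all_urls>" in scopes:
            findings.append(("low", ext_id, version, "requests <all_urls>"))
    return findings


def build_sample_profile(root: Path) -> Path:
    """Write a constructed profile: one clean wallet version, the compromised
    2.68, and an unlisted extension asking for <all_urls>."""
    samples = [
        (WALLET_ID, "2.67_0", {"name": "Wallet", "version": "2.67", "host_permissions": []}),
        (WALLET_ID, "2.68_0", {"name": "Wallet", "version": "2.68", "host_permissions": []}),
        ("cccccccccccccccccccccccccccccccc", "1.0_0",
         {"name": "Unknown Helper", "version": "1.0", "host_permissions": ["<all_urls>"]}),
    ]
    for ext_id, vdir, manifest in samples:
        d = root / "Extensions" / ext_id / vdir
        d.mkdir(parents=True, exist_ok=True)
        (d / "manifest.json").write_text(json.dumps(manifest))
    return root


def run_sample() -> list[tuple]:
    """Build the constructed profile in a temp dir and audit it."""
    return audit_extensions(build_sample_profile(Path(tempfile.mkdtemp())))


if __name__ == "__main__":
    for finding in run_sample():
        print(*finding)
    print(json.dumps(chrome_extension_settings_policy(), indent=2))
```

Point audit_extensions at a real profile directory (for example the Default profile under the Chrome user data directory) to run it on a live endpoint. The allowlist alone would not have stopped this incident, since the compromised build arrived as an update to an approved extension; that is why the version check and a post-update alert are the parts that matter, and why pinning a known-good version or temporarily blocking the extension is the fast response when an advisory like the one for 2.68 lands.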