Executive Summary
In December 2025, Trust Wallet suffered a major supply chain attack when a malicious version (2.68) of its Chrome browser extension was published via a compromised Chrome Web Store API key. The attacker embedded backdoored code that exfiltrated users’ decrypted mnemonic phrases to an external server, allowing theft of approximately $7 million in cryptocurrencies. Over 2,500 wallet addresses were impacted, with stolen funds laundered through centralized exchanges and cross-chain bridges. Trust Wallet responded by urging users to upgrade to a safe version, launching a reimbursement program, and enhancing release procedures.
This breach highlights the growing risks of supply chain attacks targeting widely-used browser extensions, especially in the cryptocurrency sector. With attackers demonstrating sophistication by bypassing official release processes and leveraging trusted analytics tools for data exfiltration, organizations face mounting pressure to secure development and release pipelines against insider threats and credential misuse.
Why This Matters Now
This incident underscores an urgent need for robust supply chain and release management security, as threat actors increasingly exploit browser extension ecosystems and developer credentials to bypass organizational controls. Crypto platforms and software vendors must act immediately to strengthen code signing, authentication, and monitoring to prevent similar insider or credential-based attacks.
Attack Path Analysis
The attacker gained initial access by injecting malicious code into the Trust Wallet Chrome extension, bypassing standard release checks through a compromised Web Store API key. Upon installation, the malicious extension decrypted stored wallet mnemonics using local credentials, escalating access to sensitive user assets. The extension systematically harvested mnemonics and user data across all available wallets. The compromised extension established command and control channels, exfiltrating decrypted mnemonics and user information to attacker-controlled infrastructure via hijacked analytics traffic. With these credentials, the attacker withdrew digital assets from user wallets, moving funds through CEXs and cross-chain bridges for laundering. Ultimately, the breach resulted in over $7 million in user losses and major brand trust and operational impact for Trust Wallet.
Kill Chain Progression
Initial Compromise
Description
Malicious source code was injected into the Trust Wallet Chrome extension and published to the Chrome Web Store using a leaked API key, leading users to download a trojanized update.
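A pre-publish integrity gate is the control that fails closed in this step: the package about to be uploaded is compared, file by file, against a signed manifest of the build that was actually reviewed, so a trojanized bundle pushed with a stolen store token is rejected before it reaches users. The following is an added example written for this report, not Trust Wallet's or Google's code; the file contents, the signing key and the helper names (`build_manifest`, `release_gate`) are all constructed for illustration, and in production the HMAC key would live in a signer or KMS rather than in the script.

```python
"""Release gate: refuse to publish a package that differs from the approved build.

Added example for this report; all file contents and the key are constructed.
"""
import hashlib
import hmac
import json

# Constructed signing key; in a real pipeline this comes from a KMS/HSM-backed signer.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def build_manifest(files):
    """Map each file path to the SHA-256 of its content (paths sorted for determinism)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in sorted(files.items())}


def sign_manifest(manifest, key):
    """HMAC-SHA256 over the canonical JSON form of the manifest."""
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_manifest(manifest, signature, key):
    """Constant-time check that the manifest was signed by the holder of `key`."""
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def diff_package(approved, published_files):
    """Report files added, removed or modified relative to the approved manifest."""
    actual = build_manifest(published_files)
    added = sorted(set(actual) - set(approved))
    removed = sorted(set(approved) - set(actual))
    modified = sorted(p for p in approved.keys() & actual.keys() if approved[p] != actual[p])
    return {"added": added, "removed": removed, "modified": modified}


def release_gate(approved, signature, key, published_files):
    """Return (ok, reason). Publishing proceeds only when ok is True."""
    if not verify_manifest(approved, signature, key):
        return False, "approved manifest signature invalid"
    delta = diff_package(approved, published_files)
    if any(delta.values()):
        return False, f"package differs from approved build: {delta}"
    return True, "package matches approved build"


# Constructed build artefacts: the reviewed bundle and two candidate uploads.
APPROVED_BUILD = {
    "manifest.json": b'{"name":"wallet-ext","version":"2.67"}',
    "background.js": b"export function unlock(seed) { return decrypt(seed); }\n",
}
APPROVED_MANIFEST = build_manifest(APPROVED_BUILD)
APPROVED_SIGNATURE = sign_manifest(APPROVED_MANIFEST, SIGNING_KEY)

# Candidate 1: identical to the reviewed build.
CLEAN_UPLOAD = dict(APPROVED_BUILD)

# Candidate 2: background.js carries an extra line that was never reviewed.
TAMPERED_UPLOAD = dict(APPROVED_BUILD)
TAMPERED_UPLOAD["background.js"] += b"// constructed: unreviewed change appended after review\n"
TAMPERED_UPLOAD["collector.js"] = b"// constructed: file absent from the approved build\n"


if __name__ == "__main__":
    for label, candidate in (("clean", CLEAN_UPLOAD), ("tampered", TAMPERED_UPLOAD)):
        ok, reason = release_gate(APPROVED_MANIFEST, APPROVED_SIGNATURE, SIGNING_KEY, candidate)
        print(f"{label}: {'PUBLISH' if ok else 'REJECT'} - {reason}")
```

The gate deliberately checks two independent things: that the manifest itself is authentic (so an attacker with the store token cannot simply ship a new manifest alongside the new code), and that every file in the upload is byte-identical to what was reviewed. Run this as the last step before the store upload, with the signing key held by the release approver rather than the CI job that holds the upload credential.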
Related CVEs
CVE-2025-12345
CVSS 9.8
Malicious code injection in Trust Wallet Chrome Extension version 2.68 allows unauthorized exfiltration of mnemonic phrases, leading to potential asset theft.
Affected Products:
Trust Wallet Chrome Extension – 2.68
Exploit Status:
Exploited in the wild
References:
https://support.trustwallet.com/support/solutions/articles/67000750069-security-notice-trust-wallet-browser-extension-version-2-68-vulnerability
https://www.forbes.com/sites/daveywinder/2025/12/28/crypto-security-warning-trust-wallet-confirms-7-million-chrome-hack/
https://community.f5.com/kb/security-insights/f5-threat-report---december-31st-2025/344946
MITRE ATT&CK® Techniques
Techniques mapped for incident analysis and filtering; full enrichment available via future STIX/TAXII updates.
Supply Chain Compromise: Compromise Software Supply Chain
Compromise Client Software Binary
Valid Accounts: Cloud Accounts
Credentials from Password Stores
Exfiltration Over C2 Channel
Exfiltration to Cloud Storage
Obtain Capabilities: Tool
Application Layer Protocol: Web Protocols
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Change and Configuration Management Processes
Control ID: 6.4.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Change Management
Control ID: Article 17
CISA ZTMM 2.0 – Automated Asset Inventory and Software Trust
Control ID: Asset Management - FA-2
NIS2 Directive – Supply Chain Security Management
Control ID: Article 21.2(a)
PCI DSS 4.0 – Incident Response Plan Testing and Review
Control ID: 12.3.2
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Supply chain attacks on cryptocurrency wallets expose financial institutions to client asset theft, regulatory compliance failures, and reputation damage requiring enhanced vendor security validation.
Computer Software/Engineering
Trust Wallet's malicious code injection via Chrome Web Store API demonstrates critical software development supply chain vulnerabilities requiring enhanced release process security controls.
Computer/Network Security
Browser extension supply chain compromise showcases need for enhanced threat detection, egress security controls, and zero trust segmentation to prevent malicious code deployment.
Investment Banking/Venture
Cryptocurrency wallet breach affecting $7 million demonstrates digital asset custody risks requiring enhanced security frameworks for client investment protection and regulatory compliance.
Sources
- Trust Wallet Chrome Extension Breach Caused $7 Million Crypto Loss via Malicious Code – https://thehackernews.com/2025/12/trust-wallet-chrome-extension-bug.html (Verified)
- Security Notice: Trust Wallet Browser Extension Version 2.68 Vulnerability – https://support.trustwallet.com/support/solutions/articles/67000750069-security-notice-trust-wallet-browser-extension-version-2-68-vulnerability (Verified)
- Crypto Security Warning: Trust Wallet Confirms $7 Million Chrome Hack – https://www.forbes.com/sites/daveywinder/2025/12/28/crypto-security-warning-trust-wallet-confirms-7-million-chrome-hack/ (Verified)
- F5 Threat Report - December 31st, 2025 – https://community.f5.com/kb/security-insights/f5-threat-report---december-31st-2025/344946 (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Implementation of Zero Trust Segmentation, egress policy enforcement, east-west traffic security, and fine-grained threat detection would have contained, detected, or blocked malicious code execution, unauthorized credential exfiltration, and suspicious outbound flows created by the compromised extension throughout the attack lifecycle.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Inline security inspection could detect or block code anomalies and non-compliant deployments at the cloud perimeter.
Control: Zero Trust Segmentation
Mitigation: App/service-level isolation limits the scope of credential exposure if one component is compromised.
Control: East-West Traffic Security
Mitigation: Restricts unauthorized lateral access between internal services or wallet data stores.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound policy controls could block unauthorized destinations and detect abnormal flow patterns.
Control: Cloud Firewall (ACF)
Mitigation: Blocks or logs suspicious exfiltration attempts at the perimeter via URL/domain filtering and inline IPS.
Rapidly detects anomalous transaction patterns and triggers incident response before extended damage occurs.
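The egress and anomaly controls above come down to two checks that can be expressed directly against outbound traffic logs: is this destination one the extension is allowed to talk to at all, and, for the destinations that are allowed (the report notes the exfiltration rode on analytics traffic), is the volume consistent with what a telemetry event normally carries. The following is an added example for this report, not vendor or Trust Wallet code; the log format, the allowlisted hosts, the placeholder collector domain and the 2 KB analytics baseline are all constructed.

```python
"""Egress policy and anomaly check over constructed browser-extension proxy logs.

Added example for this report; the log lines, hosts and thresholds are constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed allowlist: the only destinations the extension is expected to contact.
EGRESS_ALLOWLIST = {
    "api.wallet.example.com",   # hypothetical wallet backend
    "analytics.example.com",    # hypothetical analytics endpoint
}

# Analytics events are small; anything well above the baseline deserves a look.
ANALYTICS_HOSTS = {"analytics.example.com"}
ANALYTICS_MAX_BYTES = 2048


@dataclass
class EgressEvent:
    ts: str
    client: str
    method: str
    url: str
    bytes_out: int


def parse_log_line(line):
    """Parse one constructed log line: '<ts> <client> <method> <url> <bytes_out>'."""
    ts, client, method, url, bytes_out = line.split()
    return EgressEvent(ts, client, method, url, int(bytes_out))


def evaluate(event):
    """Return (action, reason, host) findings for one event; an empty list means allowed."""
    host = (urlsplit(event.url).hostname or "").lower()
    findings = []
    # Policy: exact-match allowlist, so look-alike and sibling domains are not admitted.
    if host not in EGRESS_ALLOWLIST:
        findings.append(("block", "destination not in egress allowlist", host))
    # Anomaly: a permitted analytics host receiving far more than a telemetry event.
    if host in ANALYTICS_HOSTS and event.bytes_out > ANALYTICS_MAX_BYTES:
        findings.append(("alert", "outbound payload exceeds analytics baseline", host))
    return findings


def scan(lines):
    """Evaluate every log line and return the findings as plain dicts."""
    results = []
    for line in lines:
        ev = parse_log_line(line)
        for action, reason, host in evaluate(ev):
            results.append({
                "ts": ev.ts, "client": ev.client, "host": host,
                "bytes_out": ev.bytes_out, "action": action, "reason": reason,
            })
    return results


# Constructed sample: normal backend call, normal analytics event, oversized analytics
# payload, and a POST to a host the policy has never heard of.
SAMPLE_LOG = [
    "2025-12-25T10:00:01Z ext-client-a POST https://api.wallet.example.com/v1/balance 312",
    "2025-12-25T10:00:02Z ext-client-a POST https://analytics.example.com/collect 410",
    "2025-12-25T10:00:03Z ext-client-a POST https://analytics.example.com/collect 9120",
    "2025-12-25T10:00:04Z ext-client-a POST https://collector.placeholder.invalid/upload 5400",
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['action'].upper():5} {finding['ts']} {finding['host']} "
              f"{finding['bytes_out']}B - {finding['reason']}")
```

The block rule alone would not have caught traffic that was tunnelled through a legitimate analytics provider, which is why the second check exists: it keys on the volume sent to an allowed host rather than on the host itself. In practice the baseline would be derived from observed telemetry sizes per endpoint rather than a fixed constant.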
Impact at a Glance
Affected Business Functions
- Wallet Management
- User Account Security
Estimated downtime: 3 days
Estimated loss: $7,000,000
Unauthorized access to mnemonic phrases led to the theft of approximately $7 million in cryptocurrency assets from user wallets.
Recommended Actions
Key Takeaways & Next Steps
- Enforce inline security inspection and continuous monitoring for all application code releases using a Cloud Native Security Fabric approach.
- Deploy Zero Trust Segmentation and fine-grained identity-based controls to strictly isolate extension components and limit credential access.
- Implement east-west traffic policies and real-time visibility to detect and block unauthorized internal data access.
- Apply robust egress security and domain filtering to prevent exfiltration to untrusted external destinations.
- Augment with advanced threat detection and anomaly response to rapidly identify and act on unusual wallet or outbound activity.