Trust Wallet told users to disable its Chrome browser extension version 2.68 after the company acknowledged a security incident and pushed version 2.69 on Dec. 25, following reports of wallet drains tied to the Dec. 24 update.
According to BleepingComputer, victims and researchers began flagging thefts soon after 2.68 rolled out. Early public tallies placed losses in a $6 million to $7 million-plus range across multiple chains.
The Chrome Web Store listing shows Trust Wallet extension version 2.69 as “Updated: December 25, 2025,” anchoring the vendor’s patch timing to the day the incident entered wider circulation.
The same listing displays about 1,000,000 users. That frames a worst-case ceiling for reach.
Practical exposure hinges on how many people installed 2.68 and entered sensitive data while it was active.
Trust Wallet’s guidance focused on the browser extension release. The outlet said mobile users and other versions of the extension were unaffected.
Reporting to date has concentrated on a specific user action during the 2.68 window.
Researchers flag elevated risks tied to Trust Wallet browser extension update
BleepingComputer said researchers and incident trackers tied the highest risk to users who imported or entered a seed phrase after installing the affected version. A seed phrase can unlock current and future addresses derived from it.
The outlet also reported that researchers reviewing the 2.68 bundle flagged suspicious logic in a JavaScript file, including references to a file labeled “4482.js.”
They said the logic could transmit wallet secrets to an external host. Researchers also cautioned that technical indicators were still being assembled as investigators published their findings.
The same coverage warned of secondary scams, including copycat “fix” domains. Those lures attempt to trick users into handing over recovery phrases under the guise of remediation.
For users, the difference between upgrading and remediating matters.
Updating to 2.69 can remove suspected malicious or unsafe behavior from the extension going forward. It does not automatically protect assets if a seed phrase or private key was already exposed.
In that case, standard incident response steps include moving funds to new addresses created from a new seed phrase. Users should also check for and revoke token approvals where feasible.
Users should treat any system that handled the phrase as suspect until it is rebuilt or verified clean.
Those actions can be operationally costly for retail users. They require re-establishing positions across chains and applications.
In some cases, they also force a choice between speed and precision when gas costs and bridging risks are part of the recovery path.
The episode also puts focus on the browser extension trust model.
Extensions sit at a sensitive seam between web apps and signing flows
Any compromise can target the same inputs users rely on to verify a transaction.
Academic research on Chrome Web Store extension detection has described how malicious or compromised extensions can evade automated review. It has also described how detection can degrade as attacker tactics change over time.
According to an arXiv paper on supervised machine-learning detection of malicious extensions, “concept drift” and evolving behaviors can erode the effectiveness of static approaches. That point becomes more concrete when a wallet extension update is suspected of harvesting secrets through obfuscated client-side logic.
Trust Wallet’s next disclosures will set the boundaries for how the story settles.
A vendor post-mortem that documents root cause, publishes verified indicators (domains, hashes, bundle identifiers), and clarifies scope would help wallet providers, exchanges, and security teams develop targeted checks and user instructions.
Absent that, incident totals tend to remain unstable. Victim reports can arrive late, on-chain clustering can be refined, and investigators can still be resolving whether separate drainers share infrastructure or are opportunistic copycats.
Token markets reflected the news with movement but not a single-direction repricing.
The latest quoted figures provided for Trust Wallet Token (TWT) showed a last price of $0.83487, up $0.01 (0.02%) from the prior close. The figures showed an intraday high of $0.8483 and an intraday dip to $0.767355.
| TWT metric | Value (USD) |
|---|---|
| Last price | $0.83487 |
| Change vs. prior close | +$0.01 (+0.02%) |
| Intraday high | $0.8483 |
| Intraday low | $0.767355 |
Loss accounting remains in flux. The current best-public anchor is the $6 million to $7 million-plus range reported in the first 48 to 72 hours after 2.68 circulated.
That range can still shift for routine reasons in theft investigations
Those include delayed victim reporting, address reclassification, and improved visibility into cross-chain swaps and cash-out routes.
A practical forward range over the next two to eight weeks can be framed as scenarios tied to measurable swing variables. Those include whether the compromise path was confined to seed entry on 2.68, whether additional capture paths are confirmed, and how quickly copycat “fix” lures are removed.
| Scenario (next 2–8 weeks) | Working loss range | Share |
|---|---|---|
| Contained | $6M–$12M | 40% |
| Moderate expansion | $15M–$25M | 35% |
| Severe revision | > $25M | 25% |
The incident lands amid broader scrutiny of how retail-facing crypto software handles secrets on general-purpose devices.
2025 theft reporting has been large enough to draw policy and platform attention.
Incidents tied to software distribution also reinforce calls for build integrity controls, including reproducible builds, split-key signing, and clearer rollback options when a hotfix is needed.
For wallet extensions, the near-term practical outcome is simpler. Users must decide whether they ever entered a seed phrase while 2.68 was installed, because that single action determines whether upgrading is enough or whether they need to rotate secrets and move funds.
Trust Wallet’s guidance remains to disable the 2.68 extension and upgrade to 2.69 from the Chrome Web Store.
Users who imported or entered a seed phrase while running 2.68 should treat that seed as compromised and migrate assets to a new wallet.
Trust Wallet has now confirmed that approximately $7 million was impacted in the v2.68 Chrome extension incident and that it will refund all affected users.
In a statement posted on X, the company said it is finalizing the refund process and will share instructions on next steps “soon.” Trust Wallet also urged users not to interact with messages that do not come from its official channels, warning that scammers may attempt to impersonate the team during the remediation effort.
Source: https://cryptoslate.com/trust-wallet-just-issued-an-emergency-warning-for-chrome-users-after-a-hidden-script-was-caught-harvesting-private-keys/
