- Trust Wallet extension v2.68 linked to suspected supply-chain compromise after Dec. 24 update.
- Users reported wallet drains after seed imports; losses estimated above $6M.
- Trust Wallet confirmed issue, urged upgrade to v2.69; mobile apps not affected.
Security concerns surfaced around the Trust Wallet browser extension after reports linked a recent update to possible unauthorized access and wallet drains, prompting warnings from blockchain investigators and security-focused developers. The incident has focused attention on version 2.68 of the extension, which Trust Wallet later confirmed was affected.
The issue arose following alerts from blockchain investigator ZachXBT, who stated that he had received messages from hundreds of users claiming their wallet balances had dropped after importing seed phrases into the browser extension.
According to technical reviews shared by developers, a browser extension update released on 24 December may have introduced malicious code through a suspected supply-chain compromise.
Researchers examining the update allege that a newly added JavaScript file was embedded in the extension and appeared to be disguised as analytics functionality. The file reportedly activated only when a user imported a seed phrase, after which it transmitted sensitive wallet-related data to an external domain designed to resemble official Trust Wallet infrastructure.
Indicators of a Potential Supply-Chain Compromise
The external domain referenced in the reports was reportedly registered only days before the incident and later went offline. Analysts noted that the domain’s recent creation, combined with the timing of the update, raised concerns that the incident may be the result of a coordinated supply-chain attack rather than isolated phishing attempts or user error.
On-chain analysis cited by community researchers showed that compromised funds were routed through multiple addresses. This pattern, they said, is commonly associated with automated exploitation methods. Public estimates shared online suggested losses may exceed $6 million, although these figures have not been independently verified.
Trust Wallet Confirms Scope and Issues Fix
Later on 25 December, Trust Wallet confirmed that the security incident was limited to browser extension version 2.68. In a statement, the company advised users to disable that version immediately and upgrade to version 2.69, which it said contains a fix. Trust Wallet added that no other browser extension versions and none of its mobile applications were affected.
The company also stated that its support team had begun contacting impacted users and was investigating the incident. No details were provided regarding the technical root cause or potential compensation.
Related: Trust Wallet Restores Balances After Data Sync Glitch; Funds Safe
Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.
Source: https://coinedition.com/trust-wallet-confirms-extension-v2-68-security-issue-after-wallet-drains/
