Trust Wallet breach exposes supply-chain and verification risks for crypto SMEs

A December 2025 hack of Trust Wallet’s Chrome extension resulted in the theft of roughly $7 million after attackers pushed a malicious update between Dec. 24 and Dec. 26 that affected users running version 2.68. Security reports say 2,596 verified wallet addresses were impacted and nearly 5,000 reimbursement claims were later filed.

Security experts determined attackers had inserted malicious JavaScript into the extension to capture recovery phrases and private keys, and the campaign likely used a stolen Chrome Web Store API key to distribute the update through official channels. Once private keys were compromised, funds were withdrawn and routed through centralized exchanges and cross-chain bridges, complicating recovery.

Trust Wallet disabled the compromised extension version, advised users to update to v2.69 to remove the code, opened a refund portal and set up a verification process; CEO Eowyn Chen stressed the need for accurate user verification during refunds. The incident highlights vulnerabilities that also affect crypto-friendly SMEs: supply-chain and update risks from extensions, SDKs and APIs; excessive reliance on hot wallets; and the operational strain caused by weak or underprepared verification processes.

Observers noted many victims did not realise browser extensions act as hot wallets, renewing debate about hardware wallets and offline storage as lower-risk options for larger holdings.

Key Topics

Crypto, Trust Wallet, Chrome Extension, Chrome Web Store, Eowyn Chen, Hot Wallets