Trust Wallet initiates compensation process, bearing the full loss of users' wallets amounting to 7 million USD

Trust Wallet compensates hacked users

Trust Wallet initiates the compensation process for victims of the security incident involving Chrome browser extension v2.68. The recent hacker attack resulted in the loss of hundreds of wallets, amounting to approximately 7 million USD in digital assets. Binance founder CZ confirms that the company will cover all losses of affected users, and victims can submit claims through the official website.

Trust Wallet API Key Leak Triggers Supply Chain Attack

Trust Wallet CEO Eowyn Chen revealed the core method of the attack during subsequent investigations. The hacker obtained the Trust Wallet Chrome Web Store API key, a critical credential originally used solely by the internal team for releasing updates. The attacker used this “master key” to bypass Trust Wallet’s standard internal release process at 12:32 PM UTC on December 24 and directly pushed the tampered v2.68 version to the Chrome Web Store.

This type of attack is known in cybersecurity as a “supply chain attack,” where the attacker does not target users directly but infiltrates the software provider’s distribution pipeline and delivers malicious code to all users disguised as an official update. Since the update appears to come from the official store and is signed with a valid certificate, users and browsers cannot detect its malicious nature. Trust Wallet has about one million Chrome extension users, making the potential impact of this attack extremely broad.

Blockchain security firm SlowMist’s technical analysis indicates that the malicious code exploited a modified open-source analysis library. The carefully crafted code silently captures wallet seed phrases when users log into the extension and transmits them to a server controlled by the hacker. Seed phrases are the highest-privilege credentials for controlling cryptocurrency wallets; once leaked, attackers can fully control the victim’s assets. Chen stated that users who logged in before 11:00 AM UTC on December 26 may have been affected.

Trust Wallet received an alert on Christmas day from on-chain investigator ZachXBT on Telegram, prompting an immediate emergency response. The team released version v2.69 on December 25 to fix the vulnerability and removed the malicious version from the Chrome Web Store. However, users who logged in during the period when the malicious version was online may have had their seed phrases compromised, and subsequent updates cannot recover the lost assets.
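A publisher can detect this kind of out-of-process release by checking every build that appears in the store against a ledger written only by its internal release pipeline. The sketch below is an added example, not Trust Wallet's code; it assumes the published package is available as a ZIP payload, and the ledger layout, `_metadata/` exclusion, versions and file names are constructed for illustration.

```python
import hashlib, io, json, zipfile

IGNORED_PREFIX = "_metadata/"  # assumption: files added by the store, not by the build

def file_digests(package_bytes):
    """Map each file in a ZIP-format extension package to its SHA-256."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        return {
            name: hashlib.sha256(zf.read(name)).hexdigest()
            for name in zf.namelist()
            if not name.endswith("/") and not name.startswith(IGNORED_PREFIX)
        }

def check_published(package_bytes, ledger):
    """Compare a store-published package with the internal release ledger.

    ledger: {version: {filename: sha256}}, written only by the internal
    release pipeline, oldest release first.
    """
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        version = json.loads(zf.read("manifest.json"))["version"]
    digests = file_digests(package_bytes)
    approved = ledger.get(version)
    # For an unknown version, diff against the newest approved release.
    baseline = approved if approved is not None else next(reversed(ledger.values()), {})
    changed = sorted(
        name for name in set(digests) | set(baseline)
        if digests.get(name) != baseline.get(name)
    )
    if approved is None:
        status = "unapproved_version"   # published outside the release process
    else:
        status = "content_mismatch" if changed else "approved"
    return {"version": version, "status": status, "changed": changed}

def build_package(files):
    """Build an in-memory ZIP from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample data; versions and file names are hypothetical.
GOOD = {"manifest.json": b'{"version": "1.0.0"}', "analytics.js": b"track();"}
LEDGER = {"1.0.0": file_digests(build_package(GOOD))}
ROGUE = build_package({"manifest.json": b'{"version": "1.0.1"}', "analytics.js": b"track(); extra();"})
TAMPERED = build_package({**GOOD, "analytics.js": b"track(); extra();"})

if __name__ == "__main__":
    for pkg in (build_package(GOOD), ROGUE, TAMPERED):
        print(check_published(pkg, LEDGER))
```

Run on a schedule against the store listing, an `unapproved_version` result flags a release the pipeline never produced, and the `changed` list points reviewers at the files that differ from the last approved build.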

Tracking the $7 Million Stolen Funds

Blockchain security firm PeckShield tracked the flow of stolen funds through on-chain analysis. Approximately 7 million USD worth of digital assets were stolen across multiple blockchains, including Bitcoin, Ethereum, and Solana. The attacker adopted a quick liquidation strategy, with over 4 million USD of stolen funds transferred through centralized exchanges such as ChangeNOW, FixedFloat, and KuCoin. As of Thursday, about 2.8 million USD still remained in the attacker’s wallets.

This fund flow pattern indicates the attacker possesses professional money laundering capabilities. ChangeNOW and FixedFloat are instant exchanges without KYC, often used to obfuscate the source of funds. Moving some funds into large exchanges like KuCoin may be for further dispersal or cashing out. While on-chain tracking is transparent, once funds enter centralized exchanges or mixers, recovery becomes significantly more difficult.

Notably, the attack occurred on the eve of Christmas, a typical hacker strategy. During holidays, security teams are understaffed and response times are slower, giving attackers more time to transfer assets. Trust Wallet released a fix within about 24 hours, but by then the attacker had already had enough time to complete the first wave of fund transfers.

Currently, only the Trust Wallet Chrome extension was affected; mobile apps (iOS and Android) and other browser versions (such as Firefox and Edge) were not impacted. This is because different platforms use separate release pipelines and API keys; the attacker only gained access to the Chrome Web Store publishing rights.

Official Compensation Process and Scam Alerts

Trust Wallet compensation claim

Trust Wallet has launched an official claim form on its website. Affected users need to provide the following information to complete the claim:

Required Information for Claim Submission

· Basic identity details: email address and country/region of residence for verification and follow-up contact

· Proof of compromised wallet: the stolen wallet address and the attacker’s receiving address, both of which must be provided in full blockchain address format

· Transaction evidence: relevant transaction hash(es) as on-chain proof of the funds being stolen

The Trust Wallet team states: “We are working around the clock to finalize the details of the compensation process. Each case requires careful verification to ensure accuracy and security.” This review mechanism aims to prevent false claims but also means that compensation will take some time. Binance founder CZ explicitly promised on X: “Trust Wallet will bear all losses,” emphasizing that user funds are “safe and sound.” Binance acquired Trust Wallet in 2018, and this commitment demonstrates the parent company’s dedication to maintaining brand reputation.

Trust Wallet especially warns users to be cautious of fake claim forms and identity theft scams following the incident. Hackers and scammers often exploit security incidents to cause secondary harm, using fake official forms to steal more personal information or seed phrases. Users should only submit claims through Trust Wallet’s official website or verified official community channels, and never click on unknown links or disclose seed phrases to anyone.

This incident highlights systemic risks in centralized release pipelines. Even decentralized wallets rely on centralized platforms like Google and Apple for software updates. Poor management of API keys can expose entire user groups to risk. Trust Wallet needs to review its key storage mechanisms and adopt higher security measures such as hardware security modules (HSM) or multi-signature authorization. For users, regularly backing up seed phrases, using hardware wallets for large assets, and paying attention to official security announcements are effective ways to reduce similar risks.
