Trust Wallet confirmed that approximately $7 million in cryptocurrency was stolen through a compromised browser extension update.
The breach affected only version 2.68 of the Chrome extension, which was released on Dec. 24.
Mobile wallet users remained unaffected, according to the company.
Changpeng Zhao, founder of Binance, which owns Trust Wallet, said the wallet would compensate all affected users.
"So far, $7m affected by this hack. Trust Wallet will cover. User funds are SAFU," Zhao wrote on X.
What Happened
Blockchain investigator ZachXBT first flagged the incident on Dec. 25 after receiving reports of rapid fund drains from Trust Wallet users.
The losses occurred within hours of the extension update, suggesting a supply-chain compromise.
Security firm SlowMist analyzed the malicious code and found that it had been injected directly into Trust Wallet's own source code rather than introduced through a compromised third-party library.
The backdoor code collected users' encrypted seed phrases when wallets were unlocked, then sent the data to an attacker-controlled domain registered on Dec. 8.
SlowMist's analysis indicates attackers began preparations at least two weeks before the malicious update was deployed.
The stolen funds included Bitcoin, Ethereum and assets across multiple blockchain networks.
Some individual users reported losses exceeding $300,000 within minutes of wallet access.
Trust Wallet immediately urged users to disable version 2.68 and upgrade to the patched version 2.69 through the official Chrome Web Store.
Why It Matters
The incident highlights persistent security vulnerabilities in browser-based cryptocurrency wallets despite industry efforts to strengthen protections.
Unlike compromises targeting individual users through phishing, this attack infiltrated Trust Wallet's official distribution channel, affecting users who followed proper security practices.
Supply-chain attacks targeting cryptocurrency infrastructure have increased sharply in 2024.
Blockchain security firm Chainalysis reported that cryptocurrency theft exceeded $3.41 billion through early December, compared with $3.38 billion for all of 2023.
The Trust Wallet breach represents the second major security issue for the wallet's browser extension.
In 2023, hardware wallet manufacturer Ledger's security team discovered a critical vulnerability in Trust Wallet's Chrome extension that reduced security from 256 bits to just 32 bits of entropy.
Ledger chief technology officer Charles Guillemet said the 2023 flaw could have allowed attackers to drain wallets without any user interaction.
That vulnerability was identified and fixed before large-scale exploitation occurred.
The latest incident underscores why hardware wallets, which store private keys offline, remain the most secure option for significant cryptocurrency holdings.
Browser extensions require extensive system permissions and depend on the security of both the extension code and the user's computer, creating multiple potential attack vectors.

