How a Hidden Backdoor Drained $7M from Trust Wallet
A backdoor has been discovered in the Trust Wallet browser extension that allowed attackers to steal users’ cryptocurrency. The malicious code shipped in version 2.68, and the wallet’s team officially urged everyone who had installed that version to disable the extension immediately and update to version 2.69.
The first reports came from researcher ZachXBT, who wrote that “several Trust Wallet users have reported funds being stolen from their wallets over the past few hours.” Shortly thereafter, Trust Wallet confirmed the risk was specific to browser extension version 2.68 and issued guidance to move to the patched release.
A detailed analysis of the incident was published by SlowMist, a firm specializing in blockchain security. Its researchers compared the code in versions 2.67 and 2.68 and identified an insertion resembling a backdoor. According to their findings, the malicious component iterated through wallets stored in the extension and requested each wallet’s seed phrase. It then used either the password entered by the user to unlock the wallet, or an alternative unlock mechanism via passkeyPassword, to decrypt the data and prepare it for exfiltration.
A crucial clue lay in the attackers’ domain infrastructure. SlowMist reported that seed phrases and other sensitive information were sent to api.metrics-trustwallet[.]com, a subdomain of metrics-trustwallet[.]com, a name that mimics a legitimate Trust Wallet telemetry endpoint. Researchers found that the domain was registered on December 8, 2025, with the first requests observed from December 21, dates that align closely with the suspected insertion of the malicious code into the extension.
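The version-to-version comparison SlowMist performed can be approximated during triage with a script like the one below. This is an added example, not code from Trust Wallet or SlowMist: it lists hostname-like string literals that a new extension build references and the previous build did not, which is how a newly added exfiltration domain surfaces. The two builds are constructed stand-ins for the unpacked 2.67 and 2.68 sources (a .crx is a zip archive), and the PostHog ingestion host and RPC endpoint are assumptions; the only real indicator in the sample is the domain named above.

```javascript
// Added example (not Trust Wallet's or SlowMist's code): list network
// destinations referenced by a new extension build that the previous build
// never referenced. Inputs are maps of filename -> JS source, as obtained by
// unpacking two releases of the extension.

// A quoted literal that is, or starts with, a hostname: optional scheme,
// dotted labels, a TLD, then a path/port/query or the closing quote.
const HOST_RE = /['"`](?:https?:\/\/)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?=[\/'"`:?]|$)/gi;

// Literals ending in these are file paths like "posthog.js", not hosts.
const FILE_EXT = new Set(['js', 'mjs', 'ts', 'css', 'png', 'svg', 'json', 'html', 'map', 'woff', 'woff2', 'wasm']);

// All hostname-like literals in one source file (heuristic, lowercased).
function extractHostnames(source) {
  const hosts = new Set();
  for (const m of source.matchAll(HOST_RE)) {
    const host = m[1].toLowerCase();
    if (!FILE_EXT.has(host.split('.').pop())) hosts.add(host);
  }
  return hosts;
}

// Hosts present in newFiles but absent from every file of oldFiles,
// mapped to the new-build files that introduce them.
function newHostnames(oldFiles, newFiles) {
  const known = new Set();
  for (const src of Object.values(oldFiles)) {
    for (const h of extractHostnames(src)) known.add(h);
  }
  const added = new Map();
  for (const [name, src] of Object.entries(newFiles)) {
    for (const h of extractHostnames(src)) {
      if (known.has(h)) continue;
      if (!added.has(h)) added.set(h, []);
      added.get(h).push(name);
    }
  }
  return added;
}

// Constructed stand-ins for the unpacked 2.67 and 2.68 sources. The PostHog
// ingestion host and the RPC endpoint are assumptions; the metrics domain is
// the indicator SlowMist published.
const build267 = {
  'background.js': `
    const ANALYTICS_HOST = "https://us.i.posthog.com";
    const RPC = "https://rpc.example-node.io/v1";
    import("./vendor/posthog.js");
  `,
};
const build268 = {
  'background.js': `
    const ANALYTICS_HOST = "https://api.metrics-trustwallet.com";
    const RPC = "https://rpc.example-node.io/v1";
    import("./vendor/posthog.js");
  `,
};

for (const [host, files] of newHostnames(build267, build268)) {
  console.log(`new destination ${host} introduced in ${files.join(', ')}`);
}
```

Run it over the real unpacked builds by loading each `.js` file into the maps; a single new destination that is not a known RPC provider or the vendor's own analytics host is exactly the kind of line item that deserves a look before the build is trusted.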
Dynamic analysis revealed a particularly subtle technique. After the wallet was unlocked, the seed phrase was placed into the errorMessage field, a field that normally carries nothing more than a benign error string. This payload was then transmitted to the attackers’ server as part of an otherwise ordinary network request. SlowMist also noted that the attackers leveraged the legitimate PostHog analytics library but pointed it at their own server, so the leak looked like routine telemetry: the event format was the library’s own, and only the destination host gave it away.
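The exfiltration pattern described above (analytics traffic redirected to an attacker host, with the seed phrase riding in a normally harmless errorMessage field) can be caught by inspecting captured requests. The following is an added example, not code from Trust Wallet, SlowMist or PostHog: it checks a request’s destination against an allowlist of expected analytics hosts and walks the JSON body for values shaped like a BIP39 mnemonic. The allowed host, the event names and the request bodies are constructed for illustration, and the mnemonic check is a length-and-shape heuristic rather than a lookup against the 2048-word BIP39 list.

```javascript
// Added example (not code from Trust Wallet, SlowMist or PostHog): flag
// analytics requests that go to an unexpected host or carry a seed phrase in
// a string field. Requests are plain {url, body} objects as you would
// reconstruct them from a proxy or the DevTools network tab.

// Assumption: the only host this build's analytics are supposed to reach.
const EXPECTED_ANALYTICS_HOSTS = new Set(['us.i.posthog.com']);

// BIP39 phrases have 12, 15, 18, 21 or 24 words; each word is 3-8 lowercase
// letters. Shape check only; a strict detector would also verify every word
// is in the 2048-word list and that the checksum bits hold.
const MNEMONIC_LENGTHS = new Set([12, 15, 18, 21, 24]);
const BIP39_WORD = /^[a-z]{3,8}$/;

function looksLikeMnemonic(value) {
  if (typeof value !== 'string') return false;
  const words = value.trim().split(/\s+/);
  return MNEMONIC_LENGTHS.has(words.length) && words.every((w) => BIP39_WORD.test(w));
}

// Depth-first walk of a JSON body; returns dotted paths of mnemonic-shaped strings.
function findMnemonicFields(node, path = '') {
  if (typeof node === 'string') return looksLikeMnemonic(node) ? [path] : [];
  if (node === null || typeof node !== 'object') return [];
  const hits = [];
  for (const [key, value] of Object.entries(node)) {
    hits.push(...findMnemonicFields(value, path ? `${path}.${key}` : key));
  }
  return hits;
}

// Returns human-readable findings; an empty list means the request looked ordinary.
function inspectRequest(req) {
  const findings = [];
  const host = new URL(req.url).hostname;
  if (!EXPECTED_ANALYTICS_HOSTS.has(host)) {
    findings.push(`analytics traffic sent to unexpected host ${host}`);
  }
  for (const field of findMnemonicFields(req.body)) {
    findings.push(`seed-phrase-shaped value in field ${field}`);
  }
  return findings;
}

// Constructed sample requests in PostHog's event shape. The phrase below is
// simply the first twelve words of the BIP39 list, used as a stand-in.
const benignRequest = {
  url: 'https://us.i.posthog.com/e/',
  body: { event: 'wallet_unlock_failed', properties: { errorMessage: 'Invalid password', $lib: 'web' } },
};
const suspiciousRequest = {
  url: 'https://api.metrics-trustwallet.com/e/',
  body: {
    event: 'wallet_unlock_failed',
    properties: {
      errorMessage: 'abandon ability able about above absent absorb abstract absurd abuse access accident',
      $lib: 'web',
    },
  },
};

for (const req of [benignRequest, suspiciousRequest]) {
  const findings = inspectRequest(req);
  console.log(req.url, findings.length ? findings : 'no findings');
}
```

The host check is the one that would have fired first in this incident, since the body of a redirected PostHog event is indistinguishable from a genuine one until the field contents are read; the mnemonic walk catches the payload even when it is tucked into a field name chosen to look like noise.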
At the time of publication, SlowMist estimated that total losses could reach into the millions of dollars. Indicative figures include approximately 33 BTC—roughly $3 million—as well as around $3 million on Ethereum networks, including layer-2 solutions. Losses on Solana were significantly smaller, amounting to only a few hundred dollars. After the thefts, the funds were reportedly laundered through several centralized exchanges and cross-chain bridges.
Researchers emphasized that this incident does not resemble a compromised third-party dependency, such as a malicious npm package, but rather appears to be a direct modification of the extension’s own code. From this, SlowMist concludes that the attack was likely orchestrated by professionals who may have gained prior access to the development environment or the extension’s publishing pipeline.
Users who installed the Trust Wallet extension are advised to proceed with extreme caution. It is prudent to stop using the extension and move funds as quickly as possible to a different wallet you trust. Because the seed phrase itself is what was exfiltrated, the destination must be a wallet generated with a fresh seed phrase; importing the old seed into a different wallet application does not help. Keep a secure copy of the old seed phrase or private keys only as long as you need it to complete the transfer. If compromise is suspected, perform the transfer from a device on which the affected build was never installed where possible, since unlocking a wallet in the malicious build was exactly the moment at which the seed phrase was captured.