Data Leak from Trust Wallet Chrome: How Malicious Script Attacked Users' Private Keys

In December of last year, Trust Wallet confirmed a security incident involving an infected release of its Chrome browser extension, version 2.68. Malicious code embedded in the package was able to intercept users’ confidential data, including seed phrases and private keys. The company promptly released version 2.69 on December 25, but the damage had already been done. According to initial estimates, affected users lost between 6 and over 7 million dollars across multiple blockchains.

How the Attack Unfolded – Invisible JavaScript Code

Experts analyzing the infected version 2.68 package discovered suspicious logic contained in JavaScript files, particularly in the file labeled “4482.js”. According to researchers, this code was designed to automatically send wallet secrets to external servers. The script operated in the background, without user knowledge, activating when a person typed or imported a seed phrase into the extension.

The wallet extension sits at a critical point between web applications and the transaction-signing process. Any compromise at this level can therefore give access to the same input data users rely on to verify operations. The malicious script exploited exactly this position.

Who Was at Risk – Estimated Scope of Victims

The Chrome Web Store indicates that approximately 1 million users installed the Trust Wallet extension. However, the actual scope of the incident was smaller—the extent depended on how many people actually installed version 2.68 and entered sensitive data during its operation.

The greatest risk was for individuals who:

  • Installed the infected version 2.68
  • Typed or imported their seed phrase during that period
  • Confirmed transactions through this extension

Mobile users and other versions of the extension were not affected, which narrowed the scope of the threat.

What to Do Now – Protective Steps for Every User

A simple update to version 2.69 is not enough. Although the new version removes malicious code and prevents future attacks, it does not automatically protect assets if the seed phrase has already been compromised.

To secure yourself, follow these steps:

1. Check if you are at risk:

  • Did you have version 2.68 installed?
  • Did you type or import your seed phrase during its use?

2. If the answer is “yes”:

  • Treat your current seed phrase as compromised
  • Transfer all funds to a new wallet created with a new seed phrase
  • Revoke all approvals for tokens where possible

3. Update the extension:

  • Immediately disable version 2.68
  • Install version 2.69 from the Chrome Web Store
  • Verify that the application comes from an official source

4. Additional precautions:

  • Treat any system that had contact with the exposed seed phrase as potentially compromised
  • Do not respond to private messages from individuals impersonating the Trust Wallet team
  • Avoid copycat “fix” domains – scammers are widely distributing fake repair sites

Transferring funds may involve operational costs—especially if you hold positions on multiple blockchains. Gas fees and cross-chain bridging risks can be significant, but security should be the priority.
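
Step 1 above can be checked on disk. The script below is an added example, not code from Trust Wallet or the original article: it lists which versions of an extension are present in each Chrome profile and flags 2.68. It assumes Chrome's standard layout `<user data dir>/<profile>/Extensions/<extension id>/<version>_<n>/manifest.json`; the extension ID is not given in this article and must be supplied by the reader, and the function names are hypothetical.

```python
import json
import sys
from pathlib import Path

AFFECTED = "2.68"  # affected version named in the article

def normalize(version):
    """Turn "2.68" or "2.68.0" into (2, 68); None if not dotted integers."""
    parts = version.split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    while nums and nums[-1] == 0:
        nums.pop()
    return tuple(nums)

def installed_versions(user_data_dir, extension_id):
    """Map each Chrome profile holding the extension to its on-disk versions."""
    found = {}
    for ext_dir in Path(user_data_dir).glob(f"*/Extensions/{extension_id}"):
        versions = []
        for vdir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            try:
                text = (vdir / "manifest.json").read_text(encoding="utf-8-sig")
                version = str(json.loads(text)["version"])
            except (OSError, ValueError, KeyError, TypeError):
                # Unreadable manifest: fall back to the directory name, e.g. "2.68_0"
                version = vdir.name.split("_")[0]
            versions.append(version)
        if versions:
            found[ext_dir.parent.parent.name] = versions
    return found

def affected_profiles(user_data_dir, extension_id, affected=AFFECTED):
    """Return the profiles that still have the affected version on disk."""
    target = normalize(affected)
    installed = installed_versions(user_data_dir, extension_id)
    return sorted(profile for profile, versions in installed.items()
                  if any(normalize(v) == target for v in versions))

if __name__ == "__main__":
    # The extension ID is not given in the article; copy it from chrome://extensions.
    if len(sys.argv) != 3:
        sys.exit("usage: check_ext.py <chrome-user-data-dir> <extension-id>")
    data_dir, ext_id = sys.argv[1], sys.argv[2]
    for profile, versions in installed_versions(data_dir, ext_id).items():
        print(f"{profile}: {', '.join(versions)}")
    hits = affected_profiles(data_dir, ext_id)
    print("affected version present in:", hits if hits else "no profile")
```

A clean result only describes what is on disk now: older version directories are typically removed after an update, so it does not show that 2.68 was never installed. If there is any doubt about whether a seed phrase was entered during that period, follow step 2.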

Market Reaction – Current TWT Price

Trust Wallet Token (TWT) responded relatively stably to the incident. The current price hovers around 0.88 USD, with a 24-hour decrease of 2.19%. Over the past day, the maximum price was 0.90 USD, and the minimum was 0.86 USD.

The market has not shown sharp movements, suggesting that investors are awaiting further communications from the company regarding refunds and full details of the incident.

Estimated Losses – Scenario for the Coming Weeks

Initial estimates of total losses ranged from 6–7 million dollars. However, this figure may change for several reasons:

  • Delayed victim reports
  • Reclassification of on-chain addresses
  • Better visibility of cross-chain withdrawals
  • Possible discovery of additional attack vectors

Projected scenarios for the next 2–8 weeks:

Scenario           | Estimated Loss Range | Probability
Limited scope      | 6–12 million USD     | 40%
Moderate expansion | 15–25 million USD    | 35%
Serious revision   | over 25 million USD  | 25%

What Comes After the Incident – Lessons for the Industry

The incident revealed structural weaknesses in the security model of browser extensions. Academic research has shown that malicious or compromised extensions can bypass the Chrome Web Store's automated checks. The phenomenon called “concept drift” means that attackers’ shifting tactics weaken the effectiveness of static defense methods.

The industry is now calling for:

  • Reproducible builds (repeatable compilation from source code)
  • Signing with key splitting
  • Clearer procedures for emergency rollbacks
  • Greater transparency in incident reporting

Trust Wallet has announced it will provide detailed instructions for refunds to affected users. The first step should be confirming exactly how many users were at risk, what sensitive data the malicious script exposed, and what the actual fund drain paths were.

Final Recommendations

Trust Wallet strongly reiterates the guidelines:

  • Immediately disable version 2.68
  • Update to version 2.69 from the official Chrome Web Store
  • If you entered your seed phrase in version 2.68 – transfer all funds
  • Do not trust messages from unofficial channels

The malicious script incident is a reminder that no system—regardless of reputation—is 100% secure. User education and awareness of threats are today’s best defense against such attacks.
