Imagine waking up on Christmas morning, reaching for your phone to check your portfolio, and seeing a balance of "zero." For hundreds of **Trust Wallet** users, this nightmare became a reality in the final days of December 2025. While the crypto markets were preparing for a year-end rally, a critical security breach in the **Trust Wallet Browser Extension** allowed hackers to inject malicious code that silently siphoned off user funds. Initial reports put the assets drained in less than 48 hours at between **$6 million and $7 million**. This attack, which specifically targeted version 2.68 of the extension, has reignited the fierce debate over the safety of "hot wallets." But how did it happen? What was the response from Binance and Trust Wallet? And most importantly, will the victims get their money back? In this comprehensive TekinGame report, we dissect the anatomy of this major holiday heist.
**1. The Incident: A Midnight Raid on Version 2.68**

It all began on December 24, 2025. Scattered reports started appearing on X (formerly Twitter) from panicked users who claimed their Ethereum, Solana, and Bitcoin balances had been drained without their authorization. They had not clicked on phishing links, nor had they signed malicious contracts. Rapid investigations by blockchain sleuths, including the renowned ZachXBT, identified a common denominator among the victims: they had all recently installed or updated the Trust Wallet Browser Extension. It was revealed that a compromised update (version 2.68) containing a malicious payload had been pushed to the Chrome Web Store. The attack window remained open for approximately 30 hours before Trust Wallet officially acknowledged the breach and pulled the compromised version.

**2. Technical Autopsy: How Hackers Stole the Seed Phrases**

Unlike complex DeFi exploits that target smart contract logic, this was a classic supply chain attack: the hackers managed to compromise the build pipeline of the extension itself, so the malicious code reached victims through the official update channel rather than through anything the user did.

The mechanism of theft: in the infected version (v2.68), a malicious script was injected into the extension's background process. Its function was simple yet deadly: it monitored user inputs. The moment a user entered their password to unlock the wallet or generated a new wallet, the script silently copied the 12-word seed phrase and transmitted it to a command-and-control server operated by the attackers. Because what was stolen was the seed phrase rather than a single transaction approval, every account derived from that seed, on every chain, is compromised, and revoking approvals does nothing; the only remedy is to move remaining funds to a wallet created from a fresh seed. According to a report by the security firm SlowMist, the stolen data was sent to a domain mimicking official analytics endpoints, making it difficult for standard firewalls