Match Systems | Trust Wallet
(Chrome Extension)
Incident Analysis
Over the past 24 hours, we have observed a surge of reports about unauthorized withdrawals affecting users of the Trust Wallet Browser Extension for Chrome. The Trust Wallet team has officially stated that the issue affects only extension version v2.68 and has recommended disabling it and updating to v2.69. According to their statement, mobile users and other extension versions are not impacted.
Based on our assessment, the incident most closely resembles a supply-chain compromise — specifically, a compromised update or component of the extension. In such cases, an attacker typically aims to gain access to critical wallet data (primarily the seed/mnemonic) or the signing process itself, after which fund theft becomes a matter of automation and time.
Our initial review shows that victims’ funds are drained quickly, then dispersed across multiple chains and partially routed through exchange services. This is important because these points sometimes allow for intervention — AML responses, outreach to platforms, and in certain scenarios, freezes involving issuers and/or law enforcement requests. The total damage and number of affected users are still being clarified, but public estimates exceed $7 million. Our analytics also indicate the presence of large victims in this case: one with losses exceeding $3 million, and another with losses over $700,000.
The highest risk applies to users who ran Chrome extension v2.68 (especially if they imported or entered a seed during that period). Even if you “did not sign anything,” a compromised extension can be sufficient for subsequent fund theft.
If you had v2.68 installed, disable the extension and update to v2.69 from the official source. If your seed may have been compromised, act as you would after a leak: create a new wallet with a new seed and transfer assets, preserve evidence (extension version, timestamps, addresses, txids).
If you were affected, save all transactions, addresses, and timestamps, prepare a brief incident timeline, and initiate the process by filing a police report — this is what enables official requests to platforms and potential freeze/recovery actions. We are continuing to collect artifacts and conduct on-chain monitoring of related flows.
Trust Wallet has officially announced its readiness to compensate all affected users of the Chrome extension impacted by this incident. This involves hundreds of affected wallets. The Trust Wallet team has confirmed that they will work directly with each affected user for individual case review and to arrange reimbursements. It is important to retain all evidence and contact support through the project’s official channels.
Based on our assessment, the incident most closely resembles a supply-chain compromise — specifically, a compromised update or component of the extension. In such cases, an attacker typically aims to gain access to critical wallet data (primarily the seed/mnemonic) or the signing process itself, after which fund theft becomes a matter of automation and time.
Our initial review shows that victims’ funds are drained quickly, then dispersed across multiple chains and partially routed through exchange services. This is important because these points sometimes allow for intervention — AML responses, outreach to platforms, and in certain scenarios, freezes involving issuers and/or law enforcement requests. The total damage and number of affected users are still being clarified, but public estimates exceed $7 million. Our analytics also indicate the presence of large victims in this case: one with losses exceeding $3 million, and another with losses over $700,000.
The highest risk applies to users who ran Chrome extension v2.68 (especially if they imported or entered a seed during that period). Even if you “did not sign anything,” a compromised extension can be sufficient for subsequent fund theft.
If you had v2.68 installed, disable the extension and update to v2.69 from the official source. If your seed may have been compromised, act as you would after a leak: create a new wallet with a new seed and transfer assets, preserve evidence (extension version, timestamps, addresses, txids).
If you were affected, save all transactions, addresses, and timestamps, prepare a brief incident timeline, and initiate the process by filing a police report — this is what enables official requests to platforms and potential freeze/recovery actions. We are continuing to collect artifacts and conduct on-chain monitoring of related flows.
Trust Wallet has officially announced its readiness to compensate all affected users of the Chrome extension impacted by this incident. This involves hundreds of affected wallets. The Trust Wallet team has confirmed that they will work directly with each affected user for individual case review and to arrange reimbursements. It is important to retain all evidence and contact support through the project’s official channels.
- Vladislav Krasnov
Lead analyst
Blog