For the cryptocurrency community, Christmas Day is usually a time for quiet markets and bullish reflection. But this year, it became the scene of a sophisticated supply-chain attack that siphoned approximately $7 million from unsuspecting users.
A growing number of Trust Wallet users reported unauthorized drains of their entire portfolios on December 25, prompting a frantic community response that exposed a critical vulnerability in the company’s Google Chrome browser extension. The incident, first flagged by renowned on-chain sleuth ZachXBT, has renewed fears about the safety of “hot wallets” and the fragility of the software supply chain.
The ‘Analytics’ That Stole Millions
The alarm was sounded early on Christmas morning when ZachXBT issued a community alert after receiving multiple independent reports of funds vanishing from wallets. “Hundreds of victims have been affected,” he warned, sharing a list of compromised addresses spanning the Bitcoin, Ethereum, and Solana blockchains.
Security researchers quickly zeroed in on the culprit: a specific update to the Trust Wallet browser extension, version 2.68, which had been released on December 24. While the update appeared routine, independent analysts found a “poison pill” hidden inside.
According to technical analysis shared by security firm SlowMist and analyst 0xakinator, the compromised version contained a malicious JavaScript file identified as 4482.js. This script masqueraded as a standard analytics module but was secretly programmed to harvest seed phrases—the master keys to a user’s crypto—and transmit them to a command-and-control server at metrics-trustwallet[.]com. This domain had been registered just days prior to the attack, a classic hallmark of a premeditated heist.
The Seed Phrase Trap
The attack was particularly devastating because of its trigger mechanism. Unlike smart contract exploits that drain funds when a user signs a transaction, this malware lay in wait for the most sensitive action a user can take: importing a wallet.
Users who downloaded the corrupted version 2.68 and manually entered their 12- or 24-word seed phrase to “restore” their wallet were instantly compromised. The malware captured the text as it was typed and sent it to the attackers, who then used automated bots to sweep every asset from the victim’s addresses within minutes. One user on X (formerly Twitter) reported losing $700,000 in a single sweep, lamenting, “I didn’t even log into my wallet app… nothing was saved digitally.”
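As an added illustration (not code from the article, Trust Wallet, or the researchers it cites), here is a defender's sweep of a Chrome profile for the indicators the article names: the compromised 2.68 version string, the 4482.js file name, and the metrics-trustwallet[.]com domain. The Chrome `Extensions/<id>/<version>/` directory layout and the "Trust Wallet" manifest-name match are assumptions.

```python
import json
from pathlib import Path

# Indicators taken from the incident report above; nothing else is assumed.
COMPROMISED_VERSION = "2.68"
MALICIOUS_FILE = "4482.js"
C2_DOMAIN = "metrics-trustwallet.com"  # defanged as metrics-trustwallet[.]com above
EXTENSION_NAME_HINT = "trust wallet"   # assumed manifest name; real manifests may localize it


def scan_extension_dir(ext_dir):
    """Inspect one unpacked extension version directory and return findings.

    Chrome keeps each installed version under <profile>/Extensions/<id>/<version>/.
    Real manifests may use a localized placeholder such as "__MSG_appName__" as
    the name, so the file and domain indicators are checked regardless of name.
    """
    ext_dir = Path(ext_dir)
    findings = []
    manifest_path = ext_dir / "manifest.json"
    if not manifest_path.is_file():
        return findings
    try:
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return findings
    name = str(manifest.get("name", "")).lower()
    version = str(manifest.get("version", ""))
    if EXTENSION_NAME_HINT in name and version == COMPROMISED_VERSION:
        findings.append(f"{ext_dir}: Trust Wallet extension at compromised version {version}")
    for js_path in sorted(ext_dir.rglob("*.js")):
        if js_path.name == MALICIOUS_FILE:
            findings.append(f"{js_path}: file name matches the reported malicious script")
        try:
            body = js_path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        if C2_DOMAIN in body:
            findings.append(f"{js_path}: references the reported C2 domain {C2_DOMAIN}")
    return findings


def scan_chrome_profile(profile_dir):
    """Walk <profile>/Extensions/<id>/<version>/ and aggregate findings."""
    root = Path(profile_dir) / "Extensions"
    findings = []
    for version_dir in sorted(root.glob("*/*")) if root.is_dir() else []:
        if version_dir.is_dir():
            findings.extend(scan_extension_dir(version_dir))
    return findings
```

An empty result only means none of these three indicators were present; an attacker can rename the file or obfuscate the domain, so the version check and a fresh wallet remain the reliable remedy.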
Official Response and CZ’s Promise
After hours of speculation, Trust Wallet issued an official statement confirming the breach. The company acknowledged that the security incident was strictly isolated to the browser extension version 2.68 and that mobile app users were unaffected.
“We have released version 2.69 to patch this vulnerability,” the company stated, urging users to update immediately and, crucially, to create entirely new wallets if they had ever used the compromised version.
In a move to stem the panic, Changpeng “CZ” Zhao, the founder of Binance (which acquired Trust Wallet in 2018), stepped in with a reassuring message. CZ confirmed that approximately $7 million had been stolen but stated that Trust Wallet would fully cover the losses for affected users. He also hinted at a potential “insider” element to the breach, noting that the attackers were able to push a compromised update through the official Chrome Web Store channels.
The Vulnerability of Browser Wallets
This event has sparked an intense discussion regarding the safety of browser wallets. Browser wallets are “hot” wallets: the user’s private keys live inside the extension on an internet-connected device, whereas hardware wallets keep the private keys offline. That is why a supply-chain attack on the extension’s own code can expose everything the wallet holds.
“Browser extensions have broad permissions and frequent auto-updates,” noted a lead researcher at Web3 Antivirus. “If a developer’s account is compromised, or if a rogue employee pushes bad code, millions of users can be infected instantly without clicking a suspicious link.”
Safety in a Trustless World
In the aftermath of the “Christmas Day Hack”, users are left with a costly lesson regarding the importance of self-custody. Numerous security experts now recommend that users do not import their seed phrases into any browser extension service; rather, they recommend using a hardware wallet such as Ledger or Trezor for daily transactions. While many of the users who lost their entire savings on Christmas Day may take some comfort in the promise of reimbursement, it is a grave lesson for the larger cryptocurrency market: regardless of the intentions behind the creation of these products, even the most secure wallet can become a weapon used against you in your time of need.