Trust Wallet Faces Wave of Fraudulent Claims After $7 Million Chrome Extension Hack

CEO Eowyn Chen revealed on Monday that Trust Wallet identified 2,596 compromised wallet addresses from the December 24 hack. However, the company received almost 5,000 claims for reimbursement—a discrepancy that points to widespread fraudulent submissions.

“Because of this, accurate verification of wallet ownership is critical to ensure funds are returned to the right people,” Chen stated. “Our team is working diligently to verify claims; combining multiple data points to distinguish legitimate victims from malicious actors.”

The massive gap between actual victims and total claims has forced Trust Wallet to abandon speed in favor of accuracy, marking a significant operational pivot in one of the year’s most notable crypto security incidents.

How the Attack Unfolded

The breach began when attackers obtained a leaked Chrome Web Store API key, allowing them to bypass Trust Wallet’s internal security checks. On December 24 at 12:32 p.m. UTC, the compromised version 2.68 of the Chrome extension went live on Google’s official store.

According to blockchain security firm SlowMist’s analysis, the malicious code was carefully hidden inside a modified analytics library called posthog-js. When users unlocked their wallets, the code secretly extracted their seed phrases—the master keys to cryptocurrency wallets—and sent them to a server controlled by the attackers.

The domain used to collect stolen data, “api.metrics-trustwallet.com,” was registered on December 8, suggesting the attack was planned at least two weeks in advance. Cryptocurrency investigator ZachXBT first flagged the issue on Christmas Day after hundreds of users reported drained wallets.

Source: @EowynChen

Trust Wallet pushed a fixed version 2.69 on December 25. The breach affected only Chrome extension users who logged in before December 26 at 11 a.m. UTC. Mobile app users and other browser versions remained safe.

The Insider Question

Multiple industry figures have raised concerns about potential insider involvement in the attack. Binance co-founder Changpeng Zhao, whose company owns Trust Wallet, said the exploit was “most likely” carried out by an insider, though he provided no additional evidence.

SlowMist co-founder Yu Xian noted that the attacker demonstrated detailed knowledge of the extension’s source code and had prepared the infrastructure weeks before executing the theft. The ability to obtain and misuse a Chrome Web Store API key suggests either compromised developer devices or stolen deployment permissions.

Chen confirmed the company is conducting a broader forensic investigation alongside the compensation process but has not confirmed whether insiders were involved.

Stolen Funds and Money Laundering

The attack resulted in approximately $7 million in losses across multiple cryptocurrencies, including Bitcoin, Ethereum, and Solana. Blockchain security firm PeckShield tracked more than $4 million of the stolen funds moving through centralized exchanges like ChangeNOW, FixedFloat, and KuCoin. About $2.8 million remained in attacker-controlled wallets as of December 26.

The rapid movement of funds through multiple exchanges and blockchain networks has complicated recovery efforts and made tracing the attackers more difficult.

Compensation Process Under Scrutiny

Binance founder Zhao has committed to covering all verified losses, stating “user funds are SAFU”—a crypto industry term meaning “Secure Asset Fund for Users.” However, the verification process has become more complex than initially expected.

Trust Wallet requires affected users to submit detailed information through an official support form, including email addresses, compromised wallet addresses, attacker addresses, and transaction hashes. The company emphasized that accuracy now takes priority over speed.

The surge in false claims highlights a recurring problem in cryptocurrency security incidents. While blockchain transparency allows incidents to be traced, linking wallet addresses to verified users without centralized records remains challenging. This tension becomes acute when millions of dollars are at stake.

Chen said the team is combining multiple verification methods to assess claims but did not detail the specific criteria being used. The verification phase marks a critical test of whether Trust Wallet can successfully filter out fraudulent submissions while maintaining trust among genuine victims.

Warning About Secondary Scams

Trust Wallet issued urgent warnings about scammers exploiting the situation. The company reported seeing fake compensation forms spread through Telegram advertisements, impersonated support accounts, and direct messages requesting private keys or seed phrases.

The official compensation process never requests passwords, private keys, or recovery phrases. Users should only submit claims through Trust Wallet’s verified support portal at trustwallet-support.freshdesk.com. Any other communication claiming to offer reimbursement should be treated as fraudulent.

This secondary wave of scams adds another layer of risk for victims already dealing with stolen funds. The company stressed that users should verify all communications come from official Trust Wallet channels before taking any action.

Broader Security Implications

The Trust Wallet incident fits into a larger pattern of supply chain attacks targeting cryptocurrency users in 2024. According to Chainalysis data, cryptocurrency theft reached $6.75 billion in 2024, with personal wallet compromises surging to 158,000 from 64,000 the previous year.

Browser extensions present unique security challenges because they operate with elevated permissions and can access sensitive user data. A single compromised update can affect hundreds of thousands of users within hours.

The incident also demonstrates how weak verification processes can transform a single security breach into multiple problems. Trust Wallet must now dedicate significant resources to filtering false claims while genuine victims wait for compensation.

Trust Wallet’s Chrome extension has approximately one million users according to its official listing, though practical exposure depends on how many people installed version 2.68 and entered sensitive data during the vulnerable window.

The Path Forward

Trust Wallet has taken several steps to prevent future incidents. The company expired all release APIs to block unauthorized version updates for the next two weeks. The malicious domain used to collect stolen data was reported to its registrar and promptly suspended.

However, questions remain about how attackers obtained the Chrome Web Store API key and whether additional security measures will be implemented. The ongoing forensic investigation may provide answers, but Trust Wallet has not announced specific changes to its release process.

For cryptocurrency users, the incident reinforces the importance of treating wallet updates with extreme caution. Security experts recommend waiting for community confirmation before installing updates and considering hardware wallets for significant holdings.

The compensation process continues as Trust Wallet works through thousands of claims. The company’s ability to accurately identify legitimate victims while blocking fraudulent submissions will likely influence how other wallet providers handle future security incidents.

Reality Check

The Trust Wallet breach exposes two critical vulnerabilities in cryptocurrency security: supply chain attacks can bypass even well-designed security systems, and compensation processes themselves become targets for fraud. As Trust Wallet navigates verification of nearly 5,000 claims for 2,596 actual victims, the incident serves as a costly reminder that in crypto security, the cleanup can be as challenging as the breach itself.