
@EowynChen: I want to share a transparent ...

@EowynChen
83 views Dec 27, 2025
1
I want to share a transparent update on the @TrustWallet Browser Extension v2.68 security incident, and what we know so far ~24 hours of the attack.

This is an ongoing investigation, so I’ll focus on confirmed facts and updates, highly likely hypothesis, and what we’re doing to stop loss for users.
2
The scope of impact from our investigation confirms that this security incident affects:
- Only Browser Extension version 2.68 users who opened the extension and logged in

It does NOT affect:
- Any mobile app users
- Any other versions of browser extension users
- Extension v2.68 users who opened and logged in after Dec 26, 2025 1100 UTC.
3
What we know:
The malicious extension v2.68 was NOT released through our internal manual process. Our current findings suggest it was most likely published externally through a Chrome Web Store API key, bypassing our standard release checks.

A working hypothesis (still under investigation):
The hacker used a leaked Chrome Web Store API key to submit the malicious extension version v2.68. This successfully passed Chrome Web Store's review and was released on Dec 24, 2025 at 12:32 UTC.
4
To minimize impact to users, we took the following steps:
1) We reported the malicious domain to the registrar, NiceNIC, and it has been suspended. Even for users still on Extension v2.68, there should be no risk of further loss.
2) We expired all release APIs - no new releases possible for the next 2 weeks.
3) We started actively collecting victims’ tickets and processing reimbursement. Some details are still being hashed out.

There’s still much to be done: Internal forensic analysis is ongoing and we are awaiting a response from Google's support team for additional logs to further analyze root cause - the holiday season makes it a bit challenging to get a timely response, so please bear with us 🙏
5
We are trying to do the right thing for our users. We will share a full post-mortem once we have verified findings from pending audit logs and investigations, and continue to tighten security operations and controls.

Protecting users is always our priority. We will learn and rise from this, and do better. We greatly appreciate your patience and continued support. 🙏

And a big thank you to the security community for the support and monitoring: @ZachXBT, @samczsun, @AndrewMohawk, @pcaversaccio, @vikmeup, @tayvano_, @0xakinator, @chainalysis, @arkham, and many more whitehat hackers! 🫡