Ddos 
The well-known cryptocurrency wallet extension Trust Wallet appears to have recently fallen victim to a supply-chain attack. Attackers somehow compromised the extension and injected malicious code designed to steal users’ recovery phrases. With those phrases in hand, the attackers were able to restore victims’ wallets and drain them of all assets.
As of the time of writing, the value of the stolen cryptocurrency exceeds $6 million, and the number of affected users may continue to rise. Users who rely on this extension are strongly advised to move their funds immediately to a trusted wallet as a precaution. Yu Xian, founder of the blockchain security firm SlowMist, offered a brief technical analysis on social media:
The backdoored release was version v2.68.0, while the developer’s emergency fix was issued as v2.69.0. A comparison of the code shows that the compromised version included PostHog to collect highly sensitive user data, including wallet recovery phrases, which were then exfiltrated to an attacker-controlled server at hxxp://api.metrics-trustwallet.com.
Domain records indicate that this domain was registered on December 8, 2025, suggesting preparatory work had already begun. The backdoor was successfully implanted by December 22, after which the attackers remained dormant. On December 25—Christmas Day—they began actively moving funds.
Choosing Christmas was likely a calculated decision: during the holiday season in Western countries, both the Trust Wallet team and many users may have been less vigilant. This gave the attackers a longer window to siphon assets before the breach was detected, patches were released, and users had time to secure their funds.
The final scale of losses has yet to be fully determined. This is not the first security incident involving Trust Wallet. Between November 14 and 23, 2022, wallets created during that period suffered from a flaw that allowed attackers to derive private keys through weaknesses in pseudo-random number generation.
At the time, those incidents resulted in losses of roughly $170,000—a relatively modest sum that Trust Wallet fully reimbursed. With damages now exceeding $6 million, whether users will receive full compensation remains an open question pending further updates.
Donate