Thursday, January 15, 2026

Trust Wallet Incident Deepens As CZ Flags Possible Insider Role

Neon-lit wallet silhouette with a cracked seal revealing streaming code and a shadowy insider behind a browser window.

Roughly $7 million in digital assets were stolen after a compromised Trust Wallet Chrome extension update. Binance CEO Changpeng Zhao suggested a “high chance of insider” involvement, elevating the incident from a typical external exploit into a high-scrutiny operational and reputational event. Binance committed to full reimbursement via its Secure Asset Fund for Users (SAFU), reinforcing the severity of the breach.

The exploit vector was the official Chrome extension update to version 2.68, which included a malicious JavaScript file named 4482.js that disguised itself as PostHog analytics code. The payload intercepted recovery seed phrases at import and transmitted them to a fraudulent endpoint, api.metrics-trustwallet.com, enabling attackers to drain wallets within minutes. Trust Wallet stated that mobile applications and other browser extensions were not affected and instructed users to disable 2.68 and upgrade to the patched version 2.69.

How the compromise is being interpreted by security teams

Security analysts assessed the supply-chain sophistication as consistent with either compromised developer devices or repositories, or advanced social engineering that allowed a tainted build to pass Chrome Web Store checks. Yu Xian, co-founder of SlowMist, said the attacker was “very familiar with the Trust Wallet extension’s source code,” a detail that teams interpret as consistent with internal access or highly targeted reconnaissance. This framing keeps root-cause scenarios tightly focused on the update pipeline and developer-side security posture.

CZ publicly characterized the breach as “not natural,” warning of a “high chance of insider” involvement while also confirming the reimbursement posture. Binance stated that affected users will be made whole through SAFU, with the total impact reported at about $7 million. The combination of suspected insider dynamics and a full reimbursement commitment increases expectations for controlled incident management and credible disclosure.

Operational priorities for custodians and treasuries

From an operational controls perspective, the incident highlights immediate priorities for custodians and treasury operators. Teams should tighten developer access controls, implement continuous monitoring of code distribution channels, and reduce implicit trust in third-party update mechanisms that can become a single point of failure. The episode reinforces that non-custodial tooling can still carry platform-level supply-chain risk that must be treated as a first-order exposure.

SlowMist’s CISO 23pds suggested the compromise may have originated from compromised developer devices or code repositories, reinforcing the need for zero-trust practices across development and distribution. While Trust Wallet’s patch and Binance’s reimbursement commitment address immediate financial harm, they do not replace the need for public forensic disclosure that clarifies root cause and accountability. That transparency is a key dependency for restoring confidence across wallet users and institutional stakeholders.
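One concrete form of the "continuous monitoring of code distribution channels" recommended above is auditing each extension release before it is trusted: flag vendor-announced bad versions and report any script that references a host outside an operator-maintained allowlist. The script below is an added illustration, not code from Trust Wallet, Binance or SlowMist; the bundle it scans is a constructed sample, and the allowlist entry `app.posthog.com` is an assumed analytics host, not something the article specifies.

```python
"""Audit an unpacked browser-extension bundle for unexpected network endpoints."""
import json
import re
import tempfile
from pathlib import Path

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

# Versions the vendor has publicly told users to disable (2.68 per the article).
KNOWN_BAD_VERSIONS = {"2.68"}


def audit_extension_dir(ext_dir, allowed_hosts):
    """Return a list of (kind, detail) findings for an unpacked extension.

    Any host found in a .js file that is not in the operator's allowlist is
    reported; a manifest version on the known-bad list is reported as well.
    """
    ext_dir = Path(ext_dir)
    findings = []
    manifest = json.loads((ext_dir / "manifest.json").read_text())
    version = manifest.get("version", "")
    if version in KNOWN_BAD_VERSIONS:
        findings.append(("bad_version", version))
    for js in sorted(ext_dir.rglob("*.js")):
        hosts = set(URL_RE.findall(js.read_text(errors="replace")))
        for host in sorted(hosts):
            if host.lower() not in allowed_hosts:
                findings.append(("unexpected_host", f"{js.relative_to(ext_dir)} -> {host}"))
    return findings


def build_sample_bundle():
    """Constructed sample bundle for demonstration; NOT the real extension."""
    d = Path(tempfile.mkdtemp())
    (d / "manifest.json").write_text(json.dumps({"name": "sample", "version": "2.68"}))
    # Mimics the reported pattern: a file posing as analytics code that names an unexpected host.
    (d / "4482.js").write_text('/* posthog */\nconst ENDPOINT = "https://api.metrics-trustwallet.com/v1";\n')
    (d / "app.js").write_text('const ANALYTICS = "https://app.posthog.com/capture";\n')
    return d


if __name__ == "__main__":
    for kind, detail in audit_extension_dir(build_sample_bundle(), {"app.posthog.com"}):
        print(kind, detail)
```

Run against a real unpacked release, the allowlist should hold only the hosts the release notes document; a new host appearing between two versions is the signal worth holding the rollout for.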

The Trust Wallet incident underscores supply-chain and insider-risk exposure in wallet software distribution and has triggered a full reimbursement commitment of roughly $7 million. The broader implication is a push toward hardened developer controls and transparent forensic reporting as the ecosystem works to re-establish trust.
