Trust Wallet Chrome Extension Compromised: Hidden Script Harvested Private Keys in Version 2.68

Trust Wallet has urged Chrome users to immediately disable its browser extension after a compromised release was found to contain a hidden script that harvested users’ private keys. The incident centers on version 2.68 of the extension, which was pushed to users on Dec. 24 and quickly linked to reports of drained wallets. The company has since acknowledged a security incident and released a follow-up version, 2.69, on Dec. 25.

What Happened in Trust Wallet’s Chrome Extension Incident

According to Trust Wallet’s public statements and reporting by BleepingComputer, the issue traces back to the Chrome browser extension update labeled version 2.68. Shortly after this update rolled out, victims and independent researchers began flagging suspicious activity, including funds disappearing from Trust Wallet accounts that were connected through the extension.

Subsequent analysis uncovered a hidden script embedded in version 2.68 that was capable of harvesting users’ private keys. In practical terms, this meant that the extension, which users relied on for managing crypto assets, could silently expose the cryptographic keys that protect their funds. Once private keys are compromised, attackers can move assets out of affected wallets without any additional authorization.

Early public tallies, shared in community channels and referenced by BleepingComputer, reported multiple thefts tied to the timeframe immediately after version 2.68 was deployed. While precise loss figures have not been fully detailed, the pattern of reports was consistent enough for Trust Wallet to treat the situation as a security emergency.

Timeline: From Version 2.68 to Emergency Warning

The critical sequence of events unfolded rapidly over a two-day period around the Christmas holiday:

On Dec. 24, Trust Wallet released Chrome extension version 2.68. Soon after this rollout, affected users and security researchers began observing unauthorized asset movements from wallets that had interacted with the updated extension. These observations were shared publicly, including with outlets like BleepingComputer.

By Dec. 25, Trust Wallet had acted on the accumulating reports. The company acknowledged that a security incident was tied to the 2.68 release and pushed an updated version, 2.69, as a response. Alongside the technical update, Trust Wallet issued an urgent warning instructing Chrome users to disable the extension version 2.68, effectively treating it as unsafe.

The speed of the response—less than 24 hours between the problematic update and the emergency guidance—underlines both the seriousness of the situation and the difficulty of reacting to live, in-the-wild compromises. Even in a short window, however, the hidden script was able to harvest private keys from some users and facilitate thefts.

How the Hidden Script Put Users’ Private Keys at Risk

The core danger of the incident lies in the nature of the data that was targeted: private keys. In a typical wallet setup, private keys are stored locally and never exposed in plaintext to third parties. Browser extensions, like the Trust Wallet Chrome add-on, operate within the browser’s environment and are expected to handle keys securely—encrypting them, limiting exposure in memory, and avoiding any transmission that could be intercepted.

In this case, version 2.68 contained a hidden script that broke that trust boundary. By harvesting private keys, the malicious logic turned the extension from a security tool into an attack vector. Once an attacker has a private key, they no longer need to compromise the device or the application itself; they can simply use the key from anywhere to sign transactions and move funds.

From the user’s perspective, this sort of compromise is particularly damaging because it is largely invisible. There are no warning prompts, no additional passwords requested, and no obvious signs inside the interface that anything is wrong. Instead, the first visible symptom is often missing funds when the user next checks their wallet.

The Trust Wallet incident underscores a broader reality about browser-based wallets: they sit at a high-risk intersection of web code, automatic updates, and direct access to sensitive cryptographic material. When one layer is compromised—whether through a malicious update, supply-chain issue, or exploited vulnerability—the consequences can be immediate and severe.

Immediate Steps for Affected and At-Risk Users

Following the revelation of the hidden script and the associated thefts, Trust Wallet issued clear guidance for Chrome users: disable the extension version 2.68. While version 2.69 was pushed as a corrective release, the primary defensive move for anyone who had used 2.68 is to assume potential exposure and act accordingly.

For users who had the 2.68 extension installed at any point, a cautious security posture would include:

• Disabling or removing the affected browser extension to prevent further risk from that specific version.
• Treating any private keys or seed phrases that were ever accessed through the 2.68 extension as potentially compromised, given that the script was capable of harvesting them.
• Migrating funds to new wallets generated from fresh seed phrases that have never been exposed to the compromised extension version.
• Reviewing transaction histories for any unauthorized transfers during and shortly after the period when 2.68 was installed.

Because the incident involved key harvesting rather than just session hijacking, the damage can persist even after the extension is updated: once an attacker has a key, upgrading the software does not revoke that access. That is why rotating wallets and moving assets is a critical mitigation step for those who may have been affected.

Where possible, users may also want to temporarily limit the use of browser-based wallets for large balances and rely on more segregated setups until they are confident their environment is secure.
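
A workstation or fleet check for the first step in the list above, as an added example that is not Trust Wallet's or Chrome's code: it walks a Chrome user-data directory and flags every unpacked copy of a given extension whose version is 2.68. The extension ID is a placeholder to replace with the value shown on chrome://extensions, and the function names and the sample directory tree are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

AFFECTED = {"2.68"}   # compromised release named in the article
EXT_ID = "a" * 32     # placeholder: use the ID shown on chrome://extensions


def normalize(version):
    """Compare Chrome versions numerically so '2.68' and '2.68.0' match."""
    parts = [int(p) for p in version.split(".") if p.isdigit()]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def audit_extension(user_data_dir, ext_id=EXT_ID, affected=AFFECTED):
    """Return one finding per unpacked copy of the extension, per profile."""
    bad = {normalize(v) for v in affected}
    findings = []
    # Chrome unpacks extensions to <profile>/Extensions/<id>/<version>_<n>/
    pattern = f"*/Extensions/{ext_id}/*/manifest.json"
    for manifest in sorted(Path(user_data_dir).glob(pattern)):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
            version = str(data["version"])
        except (OSError, ValueError, KeyError, TypeError):
            # Unreadable manifest: fall back to the directory name ("2.68_0")
            version = manifest.parent.name.split("_")[0]
        findings.append({"profile": manifest.parents[3].name, "version": version,
                         "affected": normalize(version) in bad})
    return findings


def build_sample(root):
    """Constructed sample tree: two profiles, three unpacked copies."""
    layout = {"Default": ["2.68_0", "2.69_0"], "Profile 1": ["2.69_0"]}
    for profile, dirs in layout.items():
        for d in dirs:
            path = Path(root) / profile / "Extensions" / EXT_ID / d
            path.mkdir(parents=True)
            manifest = {"version": d.split("_")[0]}
            (path / "manifest.json").write_text(json.dumps(manifest))
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_extension(build_sample(tmp)))
```

Chrome normally removes superseded version directories after an update, so a profile that shows only 2.69 on disk may still have run 2.68 and falls under the same exposure assumption.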

Why Browser Extensions Are a High-Risk Vector for Crypto Wallets

This incident highlights the systemic security challenges tied to browser extension wallets. Extensions have unique characteristics that make them both convenient and risky:

• They are deeply integrated into users’ daily browsing, often connecting directly to DeFi platforms, NFT marketplaces, and other Web3 services.
• They receive updates through browser stores, and those updates can be automatically applied without explicit user review.
• They must handle sensitive material—such as private keys and signing operations—within the same environment that loads untrusted web content.

When an extension update becomes compromised, even briefly, a large user base can be exposed at once. Users often cannot easily inspect the code or verify whether a new version behaves differently, and they typically learn about issues only after reports of thefts or exploits surface.

The Trust Wallet case shows how quickly a compromised update, carrying a hidden script, can lead to the harvesting of keys and subsequent drains. It also reinforces the need for more robust update validation and stricter security practices around wallet extensions, from both developers and users.

Users who prioritize security may increasingly treat browser-based wallets as hot wallets—suitable for limited, active funds rather than long-term holdings—and seek to minimize their exposure to any one extension or platform.

Lessons for Securing Your Crypto Beyond This Incident

While Trust Wallet has acted to address the specific issue by pushing version 2.69 and warning users about 2.68, the broader lesson extends beyond a single product or incident. Any wallet that operates through a browser extension inherently carries risks tied to that environment.

For security-conscious investors and everyday crypto users alike, several practical takeaways emerge from this episode:

• Treat browser wallet updates with awareness: when a new version appears, especially around times of heightened activity, monitor official communications and community channels for any early warning signs.
• Keep only limited balances in browser-based wallets: use them for interactions that require convenience, but store larger holdings in wallets that are less exposed to live code updates and the web environment—such as hardware wallets or segregated software setups.
• Respond quickly to credible alerts: in this case, the time between update, compromise, and public warning was short. Acting on early reports, even before all details are known, can reduce potential losses.

The Trust Wallet Chrome extension compromise illustrates how a single flawed update can undermine even widely used tools in the crypto ecosystem. For now, users who encountered version 2.68 should assume that their exposure may have been real and take defensive steps accordingly. More broadly, the incident is a reminder that in Web3, vigilance around wallet security is not a one-time exercise but an ongoing requirement.
