Crypto Christmas Heist: Over $6 Million Lost, Trust Wallet Chrome Extension Wallet Hacked Analysis
Original Title: "Christmas Heist | Trust Wallet Browser Extension Wallet Hacked Analysis"
Original Source: SlowMist Technology
Background
Early this morning Beijing time, @zachxbt announced in the channel, "Some Trust Wallet users reported that funds in their wallet addresses have been stolen in the past few hours." Subsequently, Trust Wallet's official X also released an official statement confirming a security vulnerability in Trust Wallet Browser Extension version 2.68, advising all users using version 2.68 to immediately disable this version and upgrade to version 2.69.
Tactics
Upon receiving the intelligence, the SlowMist security team promptly conducted an analysis of the relevant samples. Let's first compare the core code of the previously released 2.67 and 2.68 versions:
By diffing the code of the two versions, we found the malicious code added by the hacker:
The malicious code will traverse all wallets in the plugin, make a "get mnemonic phrase" request for each user's wallet to obtain the user's encrypted mnemonic phrase, and finally use the password or passkeyPassword entered by the user when unlocking the wallet for decryption. If decryption is successful, the user's mnemonic phrase will be sent to the attacker's domain `api.metrics-trustwallet[.]com`.
We also analyzed the attacker's domain information; the attacker used the domain: metrics-trustwallet.com.
Upon investigation, the registration time of this malicious domain was 2025-12-08 02:28:18, and the domain registrar is: NICENIC INTERNATIONA.
Request records targeting api.metrics-trustwallet[.]com began on 2025-12-21.
This timestamp and the implantation of the backdoor with code 12.22 are roughly the same.
We continue to reproduce the entire attack process through code tracking analysis:
Through dynamic analysis, it can be seen that after unlocking the wallet, the attacker filled the mnemonic information into the error in R1.
And the source of this Error data is obtained through the GET_SEED_PHRASE function call. Currently, Trust Wallet supports two ways to unlock: password and passkeyPassword. The attacker, during the unlocking process, obtained the password or passkeyPassword, then called GET_SEED_PHRASE to obtain the wallet's mnemonic phrase (private key as well), and then placed the mnemonic phrase in the "errorMessage".
Below is the code using emit to call GetSeedPhrase to obtain the mnemonic phrase data and fill it into the error.
Traffic analysis performed through BurpSuite shows that after obtaining the mnemonic phrase, it is encapsulated in the request body's errorMessage field and sent to a malicious server (https[://]api[.]metrics-trustwallet[.]com), which is consistent with the previous analysis.
Through the above process, the theft of the mnemonic phrase/private key is completed. In addition, the attacker is also familiar with the source code and utilizes the open-source full-lifecycle product analysis platform PostHogJS to collect user wallet information.
Stolen Asset Analysis
(https://t.me/investigations/296)
According to ZachXBT's disclosed hacker address, we have calculated that as of the time of publication, the total amount of stolen assets on the Bitcoin blockchain is approximately 33 BTC (valued at around 3 million USD), the stolen assets on the Solana blockchain are valued at around 431 USD, and the stolen assets on the Ethereum mainnet and Layer 2 chains are valued at around 3 million USD. After stealing the coins, the hacker used various centralized exchanges and cross-chain bridges to transfer and exchange some of the assets.
Summary
This backdoor incident originated from a malicious code modification to the Trust Wallet extension's internal codebase (analytics service logic), rather than the introduction of a tampered third-party package (such as a malicious npm package). The attacker directly altered the application's own code, using the legitimate PostHog library to redirect analytics data to a malicious server. Therefore, we have reason to believe this was a professional APT attack, where the attacker may have gained control of Trust Wallet-related developers' device or release deployment permissions prior to December 8.
Recommendations:
1. If you have installed the Trust Wallet extension wallet, you should immediately disconnect from the internet as a prerequisite for investigation and actions.
2. Immediately export your private key/mnemonic phrase and uninstall the Trust Wallet extension wallet.
3. After backing up your private key/mnemonic phrase, promptly transfer your funds to another wallet.
You may also like
Track Markets At a Glance: New WEEX Price Widgets for iOS & Android
To streamline your market data access, WEEX has officially launched "Market Watchlist" desktop widgets
The billion-dollar lesson: The focus of DeFi security is shifting from code to operational governance
A Brief Analysis of Stablecoin Licenses and On-Chain Funding
BVNK Founder: Three Stages of Stablecoin Development
The truth about Trump's son's Bitcoin game: he made a staggering $100 million while retail investors lost $500 million
What Is Futures Trading? Hours, Platforms, and How to Start Trade Futures(2026 Guide)
Learn how to start futures trading, understand trading hours, and choose the best futures trading platform. Includes real data, strategies, and ways to maximize returns with rebates.
The Rise of Composable RWA
MAGA Up 350% in 24 Hours, PEPE Up 46% in One Day: Which Memecoins Are Next in 2026?
MAGA +350% in 24hrs. PEPE +46% in one day. RAVE +4,500% then -90%. In 2026's memecoin market, the gains are real. So are the traps? Here's how to tell the difference before you buy.
RCD Espanyol vs Real Madrid: Can the Pericos Delay the Inevitable?
RCD Espanyol vs Real Madrid lineups, standings, and stats for May 3, 2026. Real Madrid visits RCDE Stadium as Barcelona closes in on the LALIGA title. Full preview inside.
MegaETH goes live with an FDV exceeding 2 billion USD. Which ecological projects are worth paying attention to?
Dialogue with "Wood Sister" Cathie Wood: The next bull market is about to arrive
Can prediction markets win the competition for perpetual contracts?
Who is trading on Trade.xyz?
Binance quietly placed a bet on a leading large model company
Best Crypto Discord Server 2026: Why Jacob’s Crypto Clan Is Gaining Massive Attention
Jacob’s Crypto Clan has grown into one of the most active crypto Discord communities, with over 45K members and continuing to expand. This rapid growth reflects strong demand for structured trading insights and real-time collaboration.
Tom Lee Buying ETH: Why Wall Street’s Loudest Ethereum Bull Keeps Doubling Down
Tom Lee keeps buying ETH through every dip, every drawdown, and every moment of market doubt. Inside the strategy that's turning Ethereum into a treasury asset — and what it signals for the rest of the market.
Stripe Sessions 2026: AI Agent, Global Payments, and Invisible Crypto Infrastructure
Where will South Korea's cryptocurrency taxation head?
Track Markets At a Glance: New WEEX Price Widgets for iOS & Android
To streamline your market data access, WEEX has officially launched "Market Watchlist" desktop widgets
The billion-dollar lesson: The focus of DeFi security is shifting from code to operational governance
A Brief Analysis of Stablecoin Licenses and On-Chain Funding
BVNK Founder: Three Stages of Stablecoin Development
The truth about Trump's son's Bitcoin game: he made a staggering $100 million while retail investors lost $500 million
What Is Futures Trading? Hours, Platforms, and How to Start Trade Futures(2026 Guide)
Learn how to start futures trading, understand trading hours, and choose the best futures trading platform. Includes real data, strategies, and ways to maximize returns with rebates.
Contents
Popular coins
Latest Crypto News
