logo

Crypto Christmas Heist: Over $6 Million Lost, Trust Wallet Chrome Extension Wallet Hacked Analysis

By: blockbeats|2025/12/26 19:30:02
0
Share
copy
Original Title: "Christmas Heist | Trust Wallet Browser Extension Wallet Hacked Analysis"
Original Source: SlowMist Technology

Background

Early this morning Beijing time, @zachxbt announced in the channel, "Some Trust Wallet users reported that funds in their wallet addresses have been stolen in the past few hours." Subsequently, Trust Wallet's official X also released an official statement confirming a security vulnerability in Trust Wallet Browser Extension version 2.68, advising all users using version 2.68 to immediately disable this version and upgrade to version 2.69.

Crypto Christmas Heist: Over $6 Million Lost, Trust Wallet Chrome Extension Wallet Hacked Analysis

Tactics

Upon receiving the intelligence, the SlowMist security team promptly conducted an analysis of the relevant samples. Let's first compare the core code of the previously released 2.67 and 2.68 versions:

By diffing the code of the two versions, we found the malicious code added by the hacker:

The malicious code will traverse all wallets in the plugin, make a "get mnemonic phrase" request for each user's wallet to obtain the user's encrypted mnemonic phrase, and finally use the password or passkeyPassword entered by the user when unlocking the wallet for decryption. If decryption is successful, the user's mnemonic phrase will be sent to the attacker's domain `api.metrics-trustwallet[.]com`.

We also analyzed the attacker's domain information; the attacker used the domain: metrics-trustwallet.com.

Upon investigation, the registration time of this malicious domain was 2025-12-08 02:28:18, and the domain registrar is: NICENIC INTERNATIONA.

Request records targeting api.metrics-trustwallet[.]com began on 2025-12-21.

This timestamp and the implantation of the backdoor with code 12.22 are roughly the same.

We continue to reproduce the entire attack process through code tracking analysis:

Through dynamic analysis, it can be seen that after unlocking the wallet, the attacker filled the mnemonic information into the error in R1.

And the source of this Error data is obtained through the GET_SEED_PHRASE function call. Currently, Trust Wallet supports two ways to unlock: password and passkeyPassword. The attacker, during the unlocking process, obtained the password or passkeyPassword, then called GET_SEED_PHRASE to obtain the wallet's mnemonic phrase (private key as well), and then placed the mnemonic phrase in the "errorMessage".

Below is the code using emit to call GetSeedPhrase to obtain the mnemonic phrase data and fill it into the error.

Traffic analysis performed through BurpSuite shows that after obtaining the mnemonic phrase, it is encapsulated in the request body's errorMessage field and sent to a malicious server (https[://]api[.]metrics-trustwallet[.]com), which is consistent with the previous analysis.

Through the above process, the theft of the mnemonic phrase/private key is completed. In addition, the attacker is also familiar with the source code and utilizes the open-source full-lifecycle product analysis platform PostHogJS to collect user wallet information.

Stolen Asset Analysis

(https://t.me/investigations/296)

According to ZachXBT's disclosed hacker address, we have calculated that as of the time of publication, the total amount of stolen assets on the Bitcoin blockchain is approximately 33 BTC (valued at around 3 million USD), the stolen assets on the Solana blockchain are valued at around 431 USD, and the stolen assets on the Ethereum mainnet and Layer 2 chains are valued at around 3 million USD. After stealing the coins, the hacker used various centralized exchanges and cross-chain bridges to transfer and exchange some of the assets.

Summary

This backdoor incident originated from a malicious code modification to the Trust Wallet extension's internal codebase (analytics service logic), rather than the introduction of a tampered third-party package (such as a malicious npm package). The attacker directly altered the application's own code, using the legitimate PostHog library to redirect analytics data to a malicious server. Therefore, we have reason to believe this was a professional APT attack, where the attacker may have gained control of Trust Wallet-related developers' device or release deployment permissions prior to December 8.

Recommendations:

1. If you have installed the Trust Wallet extension wallet, you should immediately disconnect from the internet as a prerequisite for investigation and actions.

2. Immediately export your private key/mnemonic phrase and uninstall the Trust Wallet extension wallet.

3. After backing up your private key/mnemonic phrase, promptly transfer your funds to another wallet.

Original Article Link

You may also like

The Israeli military is hunting a mole on Polymarket

「The suspect's behavior has posed a significant operational risk and will be charged with serious security offenses.」

Q4 $667M Net Loss: Coinbase Earnings Report Foreshadows Challenging 2026 for Crypto Industry?

Coinbase reports $1.8B in total revenue in Q4 2025, with a $667M loss leading to a sharp drop in stock price.

BlackRock Buying UNI, What's the Catch?

DeFi has transitioned from "Experimental Finance" to "Infrastructure Finance."

Lost in Hong Kong

When yesterday's glory becomes today's shackles, only the courage to break free from the shackles can win tomorrow.

Gold Plunges Over 4%, Silver Crashes 11%, Stock Market Plummet Triggers Precious Metals Algorithmic Selling Pressure?

An analysis suggests that metal prices experienced a sudden drop due to a suspected algorithmic trading sell-off, leading some investors to unwind their positions in commodities including gold and silver to access liquidity.

Coinbase and Solana make successive moves, Agent economy to become the next big narrative

The new war around the Agent On-chain Economy has begun.

Popular coins

Latest Crypto News

19:01

Polymarket Growth Lead: Token Airdrop Snapshot Not Yet Taken

BlockBeats News, February 13, LeGate, Head of Global Growth at Polymarket, stated in response to community questions that the Polymarket token airdrop has not yet taken place as of the snapshot.Earlier, Polymarket team members stated that the platform's next step would be to launch 1-minute markets ...
19:01

Tether Becomes Seventh-Largest Overseas Buyer of U.S. Debt in 2025, Stablecoin Regulation Battle Splits Trump Supporters

BlockBeats News, February 13th. According to the Financial Times, Tether made a net purchase of $28.2 billion in U.S. Treasury bonds in 2025, becoming the seventh largest foreign buyer. Its U.S. bond holdings, along with Circle's, now exceed those of countries like South Korea and Saudi Arabia. U.S....
19:01

Coinbase Stock Surges Over 7% in Pre-market Trading, Q4 Huge Loss Worries Likely Fully Priced In

BlockBeats News, February 13th, according to Bitget market information, Coinbase stock surged more than 7% in pre-market trading, now trading at $151.08.Earlier news, Coinbase released its 2025 financial report, with a Q4 net loss of $667 million, leading to a 7.9% drop in its stock price at the clo...
14:01

IREN will be included in the MSCI USA Index starting from the market close on February 27th.

BlockBeats News, February 13th, according to official sources, IREN Limited announced that the company will be included in the MSCI USA Index starting from the close of February 27, 2026.The MSCI USA Index measures the performance of the large and mid-cap segments of the US equity market, covering a...
14:01

"‘DASH’s Biggest Short’ Single-Coin Unrealized Gain Surpasses $5.1 Million"

BlockBeats News, February 13th, according to HyperInsight monitoring, the "DASH Largest Short" is currently still shorting 138,776.38 DASH with 5x leverage, with an average position price of $71.41, a single coin unrealized gain of $5.172 million, and no other token positions in the address.
Read more
Community
iconiconiconiconiconiconicon

Customer Support Bot@WEEX_support_smart_Bot

VIP Servicessupport@weex.com