Key Takeaways:
Trust Wallet has confirmed a severe security breach isolated to version 2.68 of its browser extension.
On-chain analysts report that attackers exploited the flaw to drain over $6 million from users immediately after they entered their seed phrases.
Users must upgrade to v2.69 immediately and migrate all assets to a completely new wallet if they interact with the compromised version.
Trust Wallet has officially confirmed a critical security incident involving version 2.68 of its desktop browser extension. The announcement follows a wave of reports from users who watched their assets “evaporate” within hours, marking one of the most significant hot wallet security breaches in recent months.
Isolating the Scope of Impact and Estimated Financial Losses
In its latest statement, the Trust Wallet team emphasized that the vulnerability is strictly contained within Trust Wallet Browser Extension version 2.68. Older versions and the core mobile application are confirmed to be safe and unaffected.
However, the financial damage is substantial. According to ZachXBT, a prominent on-chain sleuth, the vulnerability allowed attackers to siphon assets directly from user wallets moments after the recovery phrase (seed phrase) was entered. Initial estimates place the total loss at over $6 million, with hundreds of individual addresses falling victim to the exploit.
Understanding the Attack Mechanism and Rapid Fund Movement
Preliminary technical reports suggest that while the v2.68 update was an official release, it contained a critical flaw in its WebAssembly (Wasm) handling of seed phrases. This vulnerability effectively created a backdoor, allowing hackers to read private keys and execute immediate sweep commands.
The attackers moved with extreme speed. A significant portion of the stolen funds was laundered through flash loan protocols to obscure the trail before being deposited into centralized exchanges (CEXs). Sources indicate that over $4 million was cycled through CEXs in a short window, making asset recovery notoriously difficult.
Crypto wallets are hacked and have been sent to unknown addresses
Immediate User Recommendations: Migration Is Mandatory
Trust Wallet has issued a “red alert,” urging all users currently running Browser Extension v2.68 to take two mandatory steps:
Disable the extension immediately and update to the patched version 2.69.
Create a fresh wallet: If you entered your seed phrase into extension v2.68, you must treat that wallet as compromised. It is critical to move all assets to a new wallet address with a new recovery phrase, even if no unauthorized transactions have occurred yet.
Recurring Extension Vulnerabilities Highlight Security Trade-offs
This is not the first time Trust Wallet’s browser extension has faced severe issues. In 2022, an entropy/Wasm vulnerability allowed private keys to be deduced from wallet addresses, resulting in a loss of approximately $170,000. The recurrence of such issues raises serious questions about the Quality Assurance (QA) processes for browser-based updates.
Security experts reiterate that extension-based wallets inherently possess a larger “attack surface” compared to hardware wallets or native mobile apps. Their reliance on browser environments, WebAssembly, and third-party JavaScript libraries makes them more susceptible to deep exploits.
Investor Advice: Prioritize Cold Storage for significant capital. Extension wallets should be reserved for small amounts used in daily DeFi activities, and users must exercise extreme caution when inputting seed phrases into any browser interface.
Read Next: Solana Foundation Rolls Out ConnectorKit: A “Headless” SDK to Streamline Wallet Integration for dApp Developers