Key Takeaways
1. A modified version of the Trust Wallet browser extension was uploaded to the Google Chrome Web Store just before Christmas, allowing hackers to target users.
2. The security breach was reported by ZachXBT on December 25, and Trust Wallet responded quickly, but the harmful update remained active for nearly a day.
3. The hack involved malicious software that stole passwords and biometrics, giving the thieves access to all linked wallets and sending the seed phrases to the hackers.
4. The setup for the attack began on December 8, 2025, with a server in Ukraine that had known ties to cybercrime, and affected users are promised compensation by Binance’s founder.
5. The timing of the attack took advantage of the holiday period when security teams are less active, making it easier for hackers to exploit vulnerabilities.
Right before Christmas, a group of hackers successfully uploaded a modified version of the Trust Wallet browser extension to the Google Chrome Web Store. The extension is used to manage crypto wallets and supports more than 100 cryptocurrencies, such as Bitcoin, Litecoin, Dogecoin, and Tron.
Initial Discovery and Response
ZachXBT was one of the first to report the security breach on December 25, and Trust Wallet reacted swiftly. However, the harmful update remained active for almost a full day. Users who had version 2.68 of the extension must transfer any coins held in the app and extension to different wallets as soon as possible.
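For anyone checking machines for the affected version, the sketch below sweeps a Chrome profile's Extensions directory and reports every installed copy at version 2.68. It is an added example, not code from Trust Wallet or from the original article. It assumes Chrome's usual on-disk layout (`<extension id>/<version>_0/manifest.json`) and matches on the display name "Trust Wallet"; the sample tree, its ids and the function names are constructed for illustration.

```python
import json, tempfile
from pathlib import Path

AFFECTED_NAME = "trust wallet"  # assumption: matched against the manifest display name
AFFECTED_VERSION = "2.68"       # version named in the article

def display_name(ext_dir, manifest):
    """Resolve the manifest name, following Chrome's __MSG_key__ localisation."""
    name = manifest.get("name", "")
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    locale = manifest.get("default_locale", "en")
    try:
        messages = json.loads((ext_dir / "_locales" / locale / "messages.json").read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return name
    for key, entry in messages.items():  # message keys are case-insensitive
        if key.lower() == name[6:-2].lower():
            return entry.get("message", name)
    return name

def find_affected(extensions_root):
    """Return (extension_id, version) for every installed copy at the affected version."""
    hits = []
    for path in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable manifest: skip it, keep sweeping
        version = str(manifest.get("version", ""))
        at_version = version == AFFECTED_VERSION or version.startswith(AFFECTED_VERSION + ".")
        if at_version and AFFECTED_NAME in display_name(path.parent, manifest).lower():
            hits.append((path.parent.parent.name, version))
    return hits

def build_sample(root):
    """Constructed profile tree for the demo; ids and names are made up."""
    def put(ext_id, ver, manifest, messages=None):
        d = Path(root) / ext_id / (ver + "_0")
        (d / "_locales" / "en").mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest))
        if messages:
            (d / "_locales" / "en" / "messages.json").write_text(json.dumps(messages))
    put("aaaa", "2.68.0", {"name": "__MSG_appName__", "version": "2.68.0", "default_locale": "en"},
        {"appname": {"message": "Trust Wallet"}})
    put("bbbb", "2.67.0", {"name": "Trust Wallet", "version": "2.67.0"})
    put("cccc", "2.68", {"name": "Other Extension", "version": "2.68"})
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(find_affected(build_sample(tmp)))
```

A hit only shows that the version is present on disk. It does not show whether the wallet was unlocked while that version was installed, so the advice above to move funds applies to every hit.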
How the Hack Worked
The malicious software was embedded directly into the authentication processes for passwords and biometrics. Once users unlocked their wallets, regardless of which method they used, the theft was triggered. The code went through all wallets linked to the account, not merely the one in use at the moment, and sent the seed phrases to the hackers, who had clearly planned this breach very carefully.
Background of the Attack
The setup for the data theft was established as early as December 8, 2025, which was over two weeks before the actual breach on Christmas Eve. A Synology NAS system located in Ukraine served as the server, and the provider has a history of connections to cybercrime. Changpeng Zhao, the founder of Binance, swiftly stated that users who were affected would receive compensation. Trust Wallet also shared further information on the platform X.
Opportunistic Timing
The timing of this cyberattack likely wasn’t random. Christmas Eve presents prime opportunities for “digital intrusions,” as holiday schedules often slow down security teams. Many workplaces are left empty, and support staff is typically reduced during this time. For customers lacking advanced technical skills, it becomes challenging to seek help or support, allowing attackers to take advantage of these slower response times.

