Trust Wallet Chrome Extension Breach Caused $7 Million Crypto Loss via Malicious Code
Trust Wallet is urging users to update its Google Chrome extension to the latest version following what it described as a "security incident" that led to the loss of approximately $7 million. The issue, the multi‑chain, non‑custodial cryptocurrency wallet service said, impacts version 2.68. The extension has about one million users, according to the Chrome Web Store listing. Users are advised to
AI Analysis
Technical Summary
The Trust Wallet Chrome extension, a multi-chain, non-custodial cryptocurrency wallet with approximately one million users, suffered a severe security incident due to malicious code introduced in version 2.68. This malicious code was not from a third-party dependency but was directly inserted into the extension's internal codebase, specifically within the analytics logic. The attacker leveraged the open-source posthog-js analytics library to exfiltrate sensitive user data. Upon wallet unlock, the malicious code iterated through all stored wallets, requesting mnemonic phrases, which were decrypted using the user's password or passkey. These decrypted mnemonic phrases were then sent to an attacker-controlled server at api.metrics-trustwallet[.]com, a domain registered shortly before the attack commenced. The attacker successfully stole approximately $7 million in cryptocurrencies, including about $3 million in Bitcoin, over $3 million in Ethereum, and a smaller amount in Solana. The stolen assets were moved through centralized exchanges such as ChangeNOW, FixedFloat, and KuCoin, as well as cross-chain bridges, to obfuscate the trail and launder the funds. The breach likely resulted from compromised developer devices or insider access, as indicated by the direct tampering of the extension's codebase and deployment permissions. Trust Wallet has urged users to update to version 2.69 immediately and avoid interacting with unofficial communications. The company is prioritizing refunds for affected users. This incident highlights a sophisticated supply chain attack vector, combining insider threat elements with abuse of legitimate analytics tools to evade detection.
Potential Impact
European organizations and individual users relying on the Trust Wallet Chrome extension face significant financial risks due to potential theft of cryptocurrency holdings. The breach compromises the confidentiality and integrity of wallet mnemonic phrases, effectively granting attackers full control over affected wallets. This can lead to irreversible financial losses, undermining trust in cryptocurrency management tools. Given the extension's user base of approximately one million, including European users, the scale of impact could be substantial. Organizations involved in cryptocurrency trading, asset management, or blockchain development may experience operational disruptions and reputational damage if their employees or systems are compromised. The laundering of stolen funds through centralized exchanges complicates tracking and recovery efforts, increasing the challenge for European law enforcement and regulatory bodies. Furthermore, the incident underscores vulnerabilities in software supply chains and insider threats, which could have broader implications for European cybersecurity posture, especially in fintech sectors. The attack also raises concerns about the security of browser extensions as vectors for large-scale data exfiltration and financial theft.
Mitigation Recommendations
1. Immediate update of the Trust Wallet Chrome extension to version 2.69 for all users to eliminate the malicious code.
2. Organizations should audit and restrict access to developer environments and deployment pipelines to prevent insider threats and unauthorized code modifications.
3. Implement strict code review and integrity verification processes for all software releases, especially for browser extensions handling sensitive data.
4. Monitor network traffic for unusual connections to suspicious domains, particularly those mimicking legitimate analytics services.
5. Educate users to avoid interacting with unofficial messages or phishing attempts related to Trust Wallet or cryptocurrency transactions.
6. Employ endpoint detection and response (EDR) solutions to identify anomalous behaviors indicative of credential or mnemonic phrase theft.
7. Collaborate with centralized exchanges to flag and freeze suspicious transactions linked to the breach.
8. Enhance supply chain security by integrating multi-factor authentication and hardware security modules (HSMs) for developer and deployment access.
9. Conduct regular threat hunting exercises focusing on insider threat indicators and anomalous codebase changes.
10. Encourage users to migrate funds to new wallets with fresh mnemonic phrases post-incident to prevent further compromise.
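Recommendation 4 (monitor for connections to domains that mimic legitimate analytics services) is the one piece of this advisory a SOC can turn into a concrete hunt. The script below is an added example written for this page; it is not code from Trust Wallet, PostHog or the original article. The only real indicator it uses is the exfiltration domain named in the write-up, api.metrics-trustwallet[.]com. Everything else is an assumption: the proxy log format (`timestamp src_ip method host path status`) and the sample lines are constructed, and the ALLOWED_ANALYTICS_HOSTS allowlist holds placeholder values that an operator would replace with the analytics endpoints their own environment legitimately talks to. The look-alike rule is deliberately narrow: a host is flagged only when one of its labels carries the wallet brand token and some label also carries an analytics-style word, so the vendor's own brand domain is not reported.

```python
"""Hunt proxy logs for the Trust Wallet incident IoC and for look-alike
"analytics" domains that carry a wallet brand token. Added example; the
log format, sample lines and allowlist are constructed assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Indicator taken from the incident write-up (defanged there as
# api.metrics-trustwallet[.]com; re-fanged here so it matches raw log data).
KNOWN_BAD_DOMAINS = {"api.metrics-trustwallet.com"}

# ASSUMPTION: placeholder allowlist of analytics hosts your environment expects.
# Replace with the real endpoints you have verified; these are not vendor hosts.
ALLOWED_ANALYTICS_HOSTS = {"analytics.example.com", "telemetry.example.net"}

# Brand token an attacker may embed to make a rogue domain look official, and
# the "analytics-flavoured" words that make it read like a legitimate service.
BRAND_TOKENS = ("trustwallet",)
ANALYTICS_LABELS = ("metrics", "analytics", "telemetry", "stats", "events")

# ASSUMPTION: constructed proxy log format "<ts> <src_ip> <method> <host> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample log: one known-IoC hit, one allowlisted analytics host, the
# brand's own domain (must NOT fire), a look-alike, a trailing-dot FQDN variant,
# and a malformed line that must be skipped rather than treated as evidence.
SAMPLE_LOG = """\
2025-12-25T10:01:02Z 10.0.0.12 POST api.metrics-trustwallet.com /batch 200
2025-12-25T10:01:05Z 10.0.0.12 POST analytics.example.com /e 200
2025-12-25T10:02:11Z 10.0.0.33 GET trustwallet.com /assets/app.js 200
2025-12-25T10:03:40Z 10.0.0.45 POST telemetry-trustwallet.net /collect 200
2025-12-25T10:04:01Z 10.0.0.45 POST api.metrics-trustwallet.com. /batch 200
this line is malformed and should be ignored
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src_ip: str
    host: str
    reason: str


def normalize_host(host: str) -> str:
    """Lower-case, re-fang '[.]', drop a :port suffix and a trailing root dot."""
    host = host.strip().lower().replace("[.]", ".")
    host = host.split(":", 1)[0]
    return host.rstrip(".")


def classify_host(host: str) -> Optional[str]:
    """Return a reason string if the host warrants review, else None."""
    h = normalize_host(host)
    if h in KNOWN_BAD_DOMAINS:
        return "known exfiltration domain from the incident"
    if h in ALLOWED_ANALYTICS_HOSTS:
        return None
    labels = h.split(".")
    has_brand = any(tok in label for label in labels for tok in BRAND_TOKENS)
    has_analytics = any(word in label for label in labels for word in ANALYTICS_LABELS)
    if has_brand and has_analytics:
        return "look-alike analytics domain carrying a wallet brand token"
    return None


def scan_log(text: str) -> list[Finding]:
    """Parse proxy log lines and collect hosts that match the hunt rules."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip, never infer anything from it
        reason = classify_host(m["host"])
        if reason:
            findings.append(Finding(m["ts"], m["src"], normalize_host(m["host"]), reason))
    return findings


def sources_to_review(findings: list[Finding]) -> dict[str, set[str]]:
    """Group flagged hosts by source IP: these endpoints need the extension checked and keys rotated."""
    out: dict[str, set[str]] = {}
    for f in findings:
        out.setdefault(f.src_ip, set()).add(f.host)
    return out


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.src_ip} -> {f.host}: {f.reason}")
    print("endpoints to review:", sources_to_review(scan_log(SAMPLE_LOG)))
```

Run against the embedded sample it reports three hits (the known domain twice, once via the trailing-dot variant, and one look-alike) from two source addresses, while the allowlisted host and the brand's own domain stay quiet. Any source IP in the review set is a candidate for the response the advisory describes: confirm the extension version, and treat every wallet unlocked on that machine as exposed until funds have moved to a fresh mnemonic.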
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland, Belgium, Switzerland
Technical Details
- Article Source: https://thehackernews.com/2025/12/trust-wallet-chrome-extension-bug.html (fetched 2025-12-26T16:41:09.375Z, word count 1085)
Threat ID: 694ebaa733784cecd47d1e9f
Added to database: 12/26/2025, 4:41:11 PM
Last enriched: 12/26/2025, 4:41:30 PM
Last updated: 2/6/2026, 8:57:40 AM