
Malicious Code Discovered in Trust Wallet Extension
Akinator security analysts reported that the latest update of the Trust Wallet browser extension contains hidden malicious code that quietly exfiltrates sensitive wallet data. The stolen information was sent to a fake analytics domain, metrics-trustwallet.com, which was registered only a few days before the attack and has since gone offline.
The domain name was crafted to closely resemble legitimate Trust Wallet infrastructure, making the activity extremely difficult for users to detect in real time.
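One way to triage an unpacked extension bundle for the kind of lookalike endpoint described above, as an added example that is not from the original article or from Trust Wallet. The allowlist, the matching heuristic and the sample bundle text are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains the extension is expected to contact. Build the real
# list from the vendor's documentation and a known-good release.
ALLOWED_DOMAINS = ("trustwallet.com",)
BRAND = "trustwallet"

URL_RE = re.compile(r"""https?://[^\s"'`<>)\\]+""", re.IGNORECASE)

def classify(host):
    """Return 'allowed', 'lookalike' or 'unlisted' for one hostname."""
    host = host.lower().rstrip(".")
    for domain in ALLOWED_DOMAINS:
        # Exact match or a true subdomain; a bare substring test would
        # wrongly accept metrics-trustwallet.com.
        if host == domain or host.endswith("." + domain):
            return "allowed"
    # Brand name embedded in a host outside the allowlist, ignoring the
    # hyphens and dots that can be used to disguise it.
    if BRAND in host.replace("-", "").replace(".", ""):
        return "lookalike"
    return "unlisted"

def audit_bundle(source):
    """Map every non-allowlisted host referenced in the source to a verdict."""
    findings = {}
    for url in URL_RE.findall(source):
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed URL literal in the bundle
            continue
        if host and classify(host) != "allowed":
            findings[host] = classify(host)
    return findings

# Constructed sample, not code from the real extension.
SAMPLE_BUNDLE = """
fetch("https://api.trustwallet.com/");
const t = "https://metrics-trustwallet.com/";
s.src = 'https://cdn.example.net/lib.js';
"""

if __name__ == "__main__":
    for host, verdict in sorted(audit_bundle(SAMPLE_BUNDLE).items()):
        print(f"{verdict:10} {host}")
```

Running a check like this over each new release and comparing the findings with the previous version surfaces endpoints that an update introduced.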
How the Attack Works
According to the investigation, the malware actively monitors user interactions inside the extension. It is known to trigger specifically during the import of a seed phrase, a moment when users enter their most critical recovery credentials.
Given the scale of losses, estimated at over $6 million across hundreds of victims, researchers believe the exploit may also activate in additional scenarios beyond just seed phrase imports.
Scope of the Damage
Blockchain analysis linked multiple drained wallets to the malicious infrastructure. Funds were rapidly transferred after wallet compromise, suggesting that the attackers operated an automated theft system connected directly to the exfiltrated data stream.
The short lifespan of the phishing domain indicates that the attackers intended to minimize detection windows before rotating infrastructure.
What Users Should Do Immediately
Users who recently installed or updated the Trust Wallet browser extension are advised to take urgent action:
– Remove the extension immediately
– Transfer remaining funds to a new wallet created on a clean device
– Never reuse compromised seed phrases
– Monitor wallet activity for any unauthorized transactions
Trust Wallet has not yet released a detailed post-mortem at the time of publication.
Growing Risks in Browser Wallet Extensions
This incident highlights a broader systemic risk in browser-based wallet software. Supply-chain-style attacks, where malicious code is injected into legitimate updates, are becoming more frequent and increasingly difficult to detect without advanced monitoring.
Security experts now recommend minimizing exposure to browser extensions for long-term storage and using hardware wallets for any meaningful balances.
BTCUSA Insight
This attack is not about Trust Wallet alone. It reflects a structural weakness across the entire browser wallet ecosystem. As crypto adoption grows, attackers are no longer targeting users directly — they are targeting the software update pipeline itself. The next phase of wallet security will be defined by how well projects can protect their distribution channels, not just their smart contracts.