Trust Wallet suffered a major security vulnerability! Do not import mnemonic phrases and upgrade to 2.69 as soon as possible, at least $6 million has been stolen

👤 transfer009@Penny 📅 2026-04-03 08:54:14

Trust Wallet confirmed this morning that browser extension version 2.68 has a fatal vulnerability, which will cause on-chain losses and users must immediately upgrade to 2.69.
(Preliminary summary: CZ retweet detonated the Trust Wallet token TWT soaring by 40%; pointing to the era of 1 billion Web3 users)
(Background supplement: What is the "Wallet as a Service" WaaS launched by Trust Wallet, analysis of advantages and disadvantages, can it become mainstream in the future? )

Cryptocurrency wallet Trust Wallet A major security alert was issued at around 6 a.m. today (26th), confirming that version 2.68 of its browser extension has a serious vulnerability, leading to the outflow of user assets. On-chain detective ZachXBT tracking shows that the number of victims has reached hundreds, and the loss was first estimated at about $6 million.

For users who haven't already updated to Extension version 2.69, please do not open the Browser Extension until you have updated. This may help to ensure the security of your wallet and prevent further issues.
— Trust Wallet (@TrustWallet) December 26, 2025

Vulnerability details and loss scale

The official notice pointed out that the affected objects are users who have installed version 2.68 extensions on the mobile version. Trust Wallet emphasized in the announcement:

"We have released a patch for version 2.69, please all browser extension users to upgrade immediately."

If you are also a Trust Wallet user and have installed version 2.68, "Please do not import the mnemonic phrase" and it is best to upgrade through the official link of the Chrome Online App Store. Mnemonic phrases imported in a contaminated environment are best treated as leaks, and it is best to create a new wallet and migrate the balance (it is recommended that assets be transferred to other brand wallets before the official problem is completely solved).

The malicious script 4482.js sneaked in through official updates

It is understood that the attacker inserted a file named 4482.js during the packaging process and claimed to be used for "Analytics". When it detects that the user enters the mnemonic phrase, it sends the data to the registered domain metrics-trustwallet.com, and then uses automated scripts to quickly withdraw assets from the EVM compatible chain, Bitcoin and Solana.

At present, individual victims have reported losses ranging from tens of thousands to hundreds of thousands of dollars. We will continue to track the official next step for potential compensation.

Label：

policy

FB X YT IG

transfer009@Penny

Blockchain and cryptoassets editor, focusing onpolicyDomain content analysis and insights

Comment (10)

Reese 86days ago

Putting assets on the chain is just the beginning, and ecology is the future.

Imani 86days ago

Are the rise and fall of currency prices related to the performance of the blockchain network itself?

Callus 86days ago

Agreed, privacy protection is becoming more and more important.

Irene 86days ago

It gives ideas on how traditional enterprises can embrace blockchain.

Connor 86days ago

The article's attitude towards supervision is somewhat naive.

Jacob 87days ago

Agreed, the developer ecosystem determines the future of the public chain.

Bess 87days ago

What does TPS of blockchain mean?

Clifford 87days ago

If the private key is lost, will the assets never be recovered?

Justin 107days ago

Developer ecological construction is the cornerstone, it is well said.

Tristan 114days ago

You’re right, user experience determines ultimate adoption.

Trust Wallet suffered a major security vulnerability! Do not import mnemonic phrases and upgrade to 2.69 as soon as possible, at least $6 million has been stolen

Vulnerability details and loss scale

The malicious script 4482.js sneaked in through official updates

transfer009@Penny

Comment (10)

Add comment

Related content

Hong Kong Cryptocurrency OTC Robbery "1 Billion Yen Moved in 30 Seconds", the police arrested 15 people including the mastermind, and the stolen money has not yet been found

Is Ethereum MEV robot money laundering? U.S. court hears case of MIT brothers for first time, 25 million mg of sandwich arbitrage involves fraud

finally? Montenegro’s Ministry of Justice orders Do Kwon to be extradited to the United States, Terra founder’s dream of returning to South Korea is shattered

About 60 BTC stolen from Odin.fun! The founder admits that he “doesn’t have enough funds to compensate” for pointing out Chinese hackers

SEC Commissioner Hester Peirce: NFT royalties do not constitute securities

The U.S. SEC indicted Don Vo, the founder of Bitcoin mining company VBit: he fraudulently raised US$95.6 million and misappropriated US$48.5 million to give gambling gifts.

Popular content

Bybit's 500,000 ETH stolen were all washed away and turned into hidden selling pressure? CEO issued an announcement clarifying: 77% of cash flow can be traced

The first case in Taiwan! Commonwealth Bank cooperates with MaiCoin to officially launch "Virtual Asset Custody Pilot Business"

Only sentenced to 3 years of probation! The 31-year-old lawyer's father is a judge, and he collaborated with the evil rich second generation to "defraud 400 million" and celebrated their success by taking drugs and having a sex party

The Dawn of DeFi Regulation》U.S. Department of Justice: Will no longer prosecute decentralized software developers for “unlicensed fund transfers”

Software company CFO misappropriated $35 million of customer funds to gamble on DeFi and lost it all

U.S. SEC Chairman: We are planning an "innovation exemption" for DeFi protocols and should not be punished for malicious use by others

Related sections

Popular content