Trust Wallet suffered a major security vulnerability! Do not import mnemonic phrases and upgrade to 2.69 as soon as possible, at least $6 million has been stolen

👤 energys@Penny 📅 2026-02-09 04:20:17

Trust Wallet confirmed this morning that browser extension version 2.68 has a fatal vulnerability, which will cause on-chain losses and users must immediately upgrade to 2.69.
(Preliminary summary: CZ retweet detonated the Trust Wallet token TWT soaring by 40%; pointing to the era of 1 billion Web3 users)
(Background supplement: What is the "Wallet as a Service" WaaS launched by Trust Wallet, analysis of advantages and disadvantages, can it become mainstream in the future? )

Cryptocurrency wallet Trust Wallet A major security alert was issued at around 6 a.m. today (26th), confirming that version 2.68 of its browser extension has a serious vulnerability, leading to the outflow of user assets. On-chain detective ZachXBT tracking shows that the number of victims has reached hundreds, and the loss was first estimated at about $6 million.

For users who haven't already updated to Extension version 2.69, please do not open the Browser Extension until you have updated. This may help to ensure the security of your wallet and prevent further issues.
— Trust Wallet (@TrustWallet) December 26, 2025

Vulnerability details and loss scale

The official notice pointed out that the affected objects are users who have installed version 2.68 extensions on the mobile version. Trust Wallet emphasized in the announcement:

"We have released a patch for version 2.69, please all browser extension users to upgrade immediately."

If you are also a Trust Wallet user and have installed version 2.68, "Please do not import the mnemonic phrase" and it is best to upgrade through the official link of the Chrome Online App Store. Mnemonic phrases imported in a contaminated environment are best treated as leaks, and it is best to create a new wallet and migrate the balance (it is recommended that assets be transferred to other brand wallets before the official problem is completely solved).

The malicious script 4482.js sneaked in through official updates

It is understood that the attacker inserted a file named 4482.js during the packaging process and claimed to be used for "Analytics". When it detects that the user enters the mnemonic phrase, it sends the data to the registered domain metrics-trustwallet.com, and then uses automated scripts to quickly withdraw assets from the EVM compatible chain, Bitcoin and Solana.

At present, individual victims have reported losses ranging from tens of thousands to hundreds of thousands of dollars. We will continue to track the official next step for potential compensation.

Label：

policy

FB X YT IG

energys@Penny

Blockchain and cryptoassets editor, focusing onpolicyDomain content analysis and insights

Comment (10)

Vicky 28days ago

At present, the industry still needs technology to promote.

Orion 28days ago

The vision of "Internet of Value" is currently unaffordable.

Stanley 28days ago

How is the double-spend problem solved in Bitcoin?

Edmund 29days ago

Looking forward to more industry trend analysis.

Paul 29days ago

The views are rational and the analysis is good.

John 29days ago

Developer ecological construction is the cornerstone, it is well said.

Gianna 40days ago

What is the "Lightning Network"?

Austin 46days ago

In the future, blockchain will be more popular but more invisible.

Michael 47days ago

Layer2 solutions are indeed increasingly important.

Yasmine 55days ago

At present, blockchain still needs to solve experience problems.

Trust Wallet suffered a major security vulnerability! Do not import mnemonic phrases and upgrade to 2.69 as soon as possible, at least $6 million has been stolen

Vulnerability details and loss scale

The malicious script 4482.js sneaked in through official updates

energys@Penny

Comment (10)

Add comment

Related content

Chinese police: The virtual currency involved in the case is now sold through the Hong Kong Exchange and turned over to the state treasury

Hollywood director Carl Rinsch misappropriated Netflix investments to speculate in stocks and currencies. He once made $27 million in Dogecoin and now faces a 90-year sentence.

Polymarket admits that user funds have been stolen, and "one-click login" third-party services have become a vulnerability

The Bank of England's plan to "limit stablecoin holdings" has caused public outrage: It will not work at all and will only fall behind the global encryption competition.

Chainalysis report: North Korean hackers stole US$2 billion in crypto assets in 2025, with Bybit becoming the biggest victim

An American man concealed "$345 million in Bitcoin" hidden in the evidence hard drive! FBI directly formatted it. The private key was broken.

Popular content

Pump.fun accused of gambling organization crime! Solana Labs and foundation executives were named as defendants, and Jito, who engaged in MEV, was not spared either.

South Korea’s health insurance executive embezzled 4.6 billion won in public funds and lost all money by “playing with cryptocurrency contracts”! Sentenced to 15 years

Musk wants all U.S. civil servants to “explain what they did last week or else they’ll be fired”! All major government agencies ordered: Ignore him

Only sentenced to 3 years of probation! The 31-year-old lawyer's father is a judge, and he collaborated with the evil rich second generation to "defraud 400 million" and celebrated their success by taking drugs and having a sex party

The founder of Tornado Cash mixer is out of jail! Court suspends Alexey Pertsev’s pretrial detention, V God retweeted support

Retail investors cry! Brazil cancels cryptocurrency tax exemption and levies a unified income tax of 17.5%

Related sections

Popular content