ZachXBT flags suspected Trust Wallet extension issue as users report drained funds

ambcrypto | Published on 2025-12-25 | Last updated on 2025-12-25

Abstract

Security concerns emerged around the Trust Wallet browser extension on December 25, after blockchain investigator ZachXBT flagged suspicious activity potentially linked to a recent update. Reports suggest a supply-chain compromise may have been introduced in a December 24 update, where newly added code could silently exfiltrate sensitive wallet data—particularly during seed phrase imports—leading to immediate fund draining. Multiple users reported losses, with unverified estimates exceeding $2 million. The malicious code allegedly sent data to a recently registered external domain mimicking Trust Wallet infrastructure. The issue appears limited to the browser extension, with no evidence of mobile app compromise. Trust Wallet has not yet issued an official response or advisory. Researchers emphasize the situation remains under investigation, warning users to avoid importing seed phrases into the extension until clarified. If confirmed, this would represent a significant supply-chain attack.

Security concerns have emerged around the Trust Wallet browser extension on 25 December, after blockchain investigator ZachXBT flagged suspicious activity potentially linked to a recent update, prompting warnings from developers and security-focused accounts.

According to posts circulating on X, the issue may stem from a suspected supply-chain compromise introduced in a 24 December browser extension update.

Newly added code within the extension could silently exfiltrate sensitive wallet data when users import a seed phrase. The claims suggest that this has led to immediate wallet draining.

Alleged Trust Wallet malicious code and data exfiltration claims

Developers examining the extension allege that a JavaScript file added in the update contains logic disguised as analytics.

The code is said to activate specifically when a seed phrase is imported. It then silently transmits wallet-related data to an external domain designed to resemble official Trust Wallet infrastructure.

The domain referenced in the reports was reportedly registered only days ago and has since gone offline.

Researchers argue that its recent creation and the timing of the extension update raise concerns about a coordinated supply-chain attack rather than user-side phishing.
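A reviewer's check for the pattern described above, as an added example that is not code from the article or from Trust Wallet: it compares the URL hosts in two builds of an extension and reports hosts the update introduces outside an allowlist, marking those that embed the brand name. All file names, hosts and the `brand` parameter are constructed placeholders.

```javascript
// Added example: flag hosts that an extension update newly introduces.
// All file names, hosts and snippets below are constructed placeholders.
const URL_RE = /\b(?:https?|wss?):\/\/([a-z0-9.-]+)/gi;

// Collect every host referenced in URL literals, mapped to the files that use it.
function hostsIn(files) {
  const hosts = new Map();
  for (const [name, src] of Object.entries(files)) {
    for (const m of src.matchAll(URL_RE)) {
      const host = m[1].toLowerCase().replace(/\.$/, "");
      if (!hosts.has(host)) hosts.set(host, new Set());
      hosts.get(host).add(name);
    }
  }
  return hosts;
}

// A host is trusted only if it equals an allowlisted domain or is a subdomain of it.
function isAllowed(host, allowlist) {
  return allowlist.some((d) => host === d || host.endsWith("." + d));
}

// Report hosts present in the new build but absent from the old one.
function auditUpdate(oldFiles, newFiles, allowlist, brand) {
  const before = hostsIn(oldFiles);
  const findings = [];
  for (const [host, files] of hostsIn(newFiles)) {
    if (before.has(host) || isAllowed(host, allowlist)) continue;
    findings.push({
      host,
      files: [...files].sort(),
      // Brand string inside a non-allowlisted host suggests a lookalike domain.
      lookalike: host.replace(/[^a-z0-9]/g, "").includes(brand),
    });
  }
  return findings;
}

// Constructed sample: previous and updated builds of a hypothetical extension.
const oldBuild = { "background.js": 'fetch("https://api.wallet.example/v1/prices");' };
const newBuild = {
  "background.js": 'fetch("https://api.wallet.example/v1/prices");',
  "analytics.js": 'fetch("https://metrics-walletexample.test/collect", {method:"POST"});',
};
const report = auditUpdate(oldBuild, newBuild, ["wallet.example"], "walletexample");
console.log(JSON.stringify(report, null, 2));
```

Scanning string literals misses hosts that are assembled at run time, so a clean result here is a first filter and should be paired with monitoring of the extension's actual network traffic.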

Users report wallet drains following seed imports

Multiple users have reported wallets being drained shortly after importing seed phrases into the Trust Wallet browser extension.

Publicly shared estimates suggest that more than $2 million may have been lost, although these figures have not been independently verified.

Analysts indicate that funds were routed through multiple addresses, a pattern more commonly associated with automated exploitation than isolated user error.

Scope appears limited to browser extension

At this stage, there is no indication that Trust Wallet’s mobile applications are affected.

The warnings circulating online are focused specifically on the browser extension, where update mechanisms and third-party dependencies present higher supply-chain risk.

Users are advised not to import seed phrases into the Trust Wallet browser extension until further clarification is provided.

No official response from Trust Wallet yet

As of the time of writing, Trust Wallet has not issued any public response, clarification, or security advisory addressing the allegations.

There has been no confirmation or denial of the claims, nor any announcement of an extension rollback or emergency patch.

Investigation ongoing

Researchers have emphasized that the situation remains under active investigation. Conclusions should not be drawn until the extension code and related on-chain activity have been fully reviewed.

If confirmed, the incident would represent a serious supply-chain compromise.

This class of attack differs significantly from phishing or user-side mistakes, and it has historically resulted in rapid, large-scale losses across the crypto ecosystem.


Final Thoughts

  • The allegations point to a potentially serious supply-chain risk affecting wallet extensions, underscoring how code updates can become a critical attack vector if compromised.
  • With no response yet from Trust Wallet, users and researchers are left relying on independent investigation as scrutiny around the incident continues.

Related Questions

Q: What security concern was flagged by ZachXBT regarding the Trust Wallet browser extension?

A: ZachXBT flagged suspicious activity potentially linked to a recent update of the Trust Wallet browser extension, suggesting it could be a supply-chain compromise that leads to the silent exfiltration of sensitive wallet data and immediate draining of funds.

Q: How does the suspected malicious code in the Trust Wallet extension allegedly operate?

A: The malicious JavaScript code, added in an update and disguised as analytics, is said to activate when a user imports a seed phrase. It then silently transmits wallet-related data to an external domain designed to look like official Trust Wallet infrastructure.

Q: What is the estimated financial impact based on user reports, and how were the funds moved?

A: Publicly shared estimates suggest that more than $2 million may have been lost, though this is unverified. Analysts indicate the funds were routed through multiple addresses, a pattern associated with automated exploitation rather than isolated user error.

Q: Are Trust Wallet's mobile applications also affected by this suspected compromise?

A: No, there is no indication that Trust Wallet’s mobile applications are affected. The warnings are specifically focused on the browser extension, which has higher supply-chain risk due to its update mechanisms and third-party dependencies.

Q: What is the current status of Trust Wallet's official response to these allegations?

A: As of the time the article was written, Trust Wallet had not issued any public response, clarification, or security advisory addressing the allegations. There has been no confirmation, denial, or announcement of an emergency patch.
