Trust Wallet’s Emergency Chrome Alert: Hidden Scripts Are Stealing Private Keys Right Now

Trust Wallet just dropped an emergency warning for Chrome users—and it's not a drill. A hidden script is actively harvesting private keys, turning routine browser sessions into a crypto heist.
The Invisible Threat in Your Browser
Forget obvious malware. This attack leverages a stealth script embedded in seemingly normal web pages. It doesn't need you to download anything. Just visit the wrong site while your wallet extension is active, and it can silently siphon your private keys—the master keys to your entire crypto fortune. Trust Wallet's warning underscores a brutal truth: the browser, your gateway to DeFi and NFTs, is now a critical attack vector.
Why Chrome Users Are on the Front Line
Chrome's dominance and deep integration with wallet extensions make it a prime target. The script exploits this very connection. It's a chilling reminder that convenience and risk are two sides of the same coin. While the team scrambles with mitigations, the onus falls on users. The old rules—don't click shady links—aren't enough. Now, every new tab carries potential weight.
The New Security Playbook
This isn't about fear; it's about a fundamental shift. Hardware wallets are moving from "best practice" to non-negotiable for any serious holdings. Dedicated browsers or profiles for crypto activity are no longer just for power users. Blindly connecting your wallet to every dApp is an invitation to disaster. The ecosystem's growth has painted a giant target on its back, and the attacks are evolving faster than many users' habits.
It's a stark, cynical reminder: in crypto, you're not just your own bank—you're also the entire security detail, audit team, and fraud department. And sometimes, the walls have ears. Or in this case, scripts.
Researchers flag elevated risks tied to Trust Wallet browser extension update
BleepingComputer said researchers and incident trackers tied the highest risk to users who imported or entered a seed phrase after installing the affected version. A seed phrase can unlock current and future addresses derived from it.
The outlet also reported that researchers reviewing the 2.68 bundle flagged suspicious logic in a JavaScript file, including references to a file labeled “4482.js.”
They said the logic could transmit wallet secrets to an external host. Researchers also cautioned that technical indicators were still being assembled as investigators published their findings.
The same coverage warned of secondary scams, including copycat “fix” domains. Those lures attempt to trick users into handing over recovery phrases under the guise of remediation.
For users, the difference between upgrading and remediating matters.
Updating to 2.69 can remove suspected malicious or unsafe behavior from the extension going forward. It does not automatically protect assets if a seed phrase or private key was already exposed.
In that case, standard incident response steps include moving funds to new addresses created from a new seed phrase. Users should also check for and revoke token approvals where feasible.
Users should treat any system that handled the phrase as suspect until it is rebuilt or verified clean.
Those actions can be operationally costly for retail users. They require re-establishing positions across chains and applications.
In some cases, they also force a choice between speed and precision when gas costs and bridging risks are part of the recovery path.
The episode also puts focus on the browser extension trust model.
Extensions sit at a sensitive seam between web apps and signing flows.
Any compromise can target the same inputs users rely on to verify a transaction.
Academic research on Chrome Web Store extension detection has described how malicious or compromised extensions can evade automated review. It has also described how detection can degrade as attacker tactics change over time.
According to an arXiv paper on supervised machine-learning detection of malicious extensions, “concept drift” and evolving behaviors can erode the effectiveness of static approaches. That point becomes more concrete when a wallet extension update is suspected of harvesting secrets through obfuscated client-side logic.
Trust Wallet’s next disclosures will set the boundaries for how the story settles.
A vendor post-mortem that documents root cause, publishes verified indicators (domains, hashes, bundle identifiers), and clarifies scope would help wallet providers, exchanges, and security teams develop targeted checks and user instructions.
Absent that, incident totals tend to remain unstable. Victim reports can arrive late, on-chain clustering can be refined, and investigators can still be resolving whether separate drainers share infrastructure or are opportunistic copycats.
Token markets reflected the news with movement but not a single-direction repricing.
The latest quoted figures provided for Trust Wallet Token (TWT) showed a last price of $0.83487, up $0.01 (0.02%) from the prior close. The figures showed an intraday high of $0.8483 and an intraday dip to $0.767355.
| Metric | Value |
| --- | --- |
| Last price | $0.83487 |
| Change vs. prior close | +$0.01 (+0.02%) |
| Intraday high | $0.8483 |
| Intraday low | $0.767355 |
Loss accounting remains in flux. The current best-public anchor is the $6 million to $7 million-plus range reported in the first 48 to 72 hours after 2.68 circulated.
That range can still shift for routine reasons in theft investigations.
Those include delayed victim reporting, address reclassification, and improved visibility into cross-chain swaps and cash-out routes.
A practical forward range over the next two to eight weeks can be framed as scenarios tied to measurable swing variables. Those include whether the compromise path was confined to seed entry on 2.68, whether additional capture paths are confirmed, and how quickly copycat “fix” lures are removed.
| Scenario | Estimated loss range | Probability |
| --- | --- | --- |
| Contained | $6M–$12M | 40% |
| Moderate expansion | $15M–$25M | 35% |
| Severe revision | > $25M | 25% |
The incident lands amid broader scrutiny of how retail-facing crypto software handles secrets on general-purpose devices.
2025 theft reporting has been large enough to draw policy and platform attention.
Incidents tied to software distribution also reinforce calls for build integrity controls, including reproducible builds, split-key signing, and clearer rollback options when a hotfix is needed.
For wallet extensions, the near-term practical outcome is simpler. Users must decide whether they ever entered a seed phrase while 2.68 was installed, because that single action determines whether upgrading is enough or whether they need to rotate secrets and move funds.
Trust Wallet’s guidance remains to disable the 2.68 extension and upgrade to 2.69 from the Chrome Web Store.
Users who imported or entered a seed phrase while running 2.68 should treat that seed as compromised and migrate assets to a new wallet.
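The upgrade-versus-remediate decision described above can be turned into a local check. The following is an added example, not code from Trust Wallet or the researchers: it reads the extension manifests stored in a Chrome profile directory and applies the rule that seed exposure on 2.68, not the currently installed version, decides the action. The extension ID is a placeholder because the page does not give it, and the function names and the sample profile tree are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

AFFECTED = (2, 68)  # version the article identifies as affected
EXT_ID = "EXTENSION_ID_PLACEHOLDER"  # assumption: the page does not give the ID


def parse_version(text):
    """'2.68' or '2.68.0' -> (2, 68); only major.minor matter here."""
    parts = [int(p) for p in text.split(".")[:2]]
    return tuple(parts + [0] * (2 - len(parts)))


def installed_versions(profile_dir, ext_id=EXT_ID):
    """Versions of every on-disk copy of the extension in one Chrome profile."""
    base = Path(profile_dir, "Extensions", ext_id)
    if not base.is_dir():
        return []
    found = []
    for manifest in sorted(base.glob("*/manifest.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
            found.append(parse_version(data["version"]))
        except (OSError, ValueError, KeyError, TypeError, AttributeError):
            continue  # unreadable or malformed manifest: skip it
    return found


def triage(versions, seed_entered_on_affected):
    """Apply the article's rule: exposure, not the current version, decides."""
    if seed_entered_on_affected:
        return "rotate"   # new seed phrase, move funds, revoke approvals
    if AFFECTED in versions:
        return "upgrade"  # disable 2.68, install 2.69 from the Chrome Web Store
    return "none"


def build_sample_profile(root, version):
    """Constructed sample data: a minimal profile tree with one manifest."""
    ext_dir = Path(root, "Extensions", EXT_ID, f"{version}_0")
    ext_dir.mkdir(parents=True)
    (ext_dir / "manifest.json").write_text(json.dumps({"version": version}))
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        versions = installed_versions(build_sample_profile(tmp, "2.68"))
        print(versions, triage(versions, seed_entered_on_affected=False))
```

A profile that already shows 2.69 still returns "rotate" when the seed was entered under 2.68, which is the distinction the article draws between upgrading and remediating.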
Trust Wallet has now confirmed that approximately $7 million was impacted in the v2.68 Chrome extension incident and that it will refund all affected users.
In a statement posted on X, the company said it is finalizing the refund process and will share instructions on next steps “soon.” Trust Wallet also urged users not to interact with messages that do not come from its official channels, warning that scammers may attempt to impersonate the team during the remediation effort.