ZachXBT Warning: Trust Wallet has a major vulnerability, official statement confirms and update completed

Trust Wallet Extension 2.68 Update Causes Systematic Theft, Hundreds of Users’ Assets Cleared Instantly, Official Confirmation and Emergency Patch

Abnormal on-chain transfers emerge; ZachXBT points out that funds were emptied immediately after the update

Renowned on-chain investigator ZachXBT recently issued warnings on social platforms and Telegram channels, reporting that multiple Trust Wallet users experienced unauthorized withdrawals within a short period. Most cases occurred shortly after the Chrome browser extension was updated. According to reports, users who imported their seed phrases into the new version of the extension found their assets almost immediately cleared from their wallets, with no signs of staged or delayed transfers.

[Image: ZachXBT warns on Telegram channels that multiple Trust Wallet users reported unauthorized fund transfers within a short time. Source: ZachXBT]

ZachXBT pointed out that, based on on-chain data, the affected wallets show highly consistent transfer behavior patterns, indicating that this is not due to individual user errors but rather the exploitation of a systemic vulnerability. The abnormal activity was concentrated within hours after extension version 2.68.0 was launched, with highly overlapping timing.

Multi-chain assets flowing out simultaneously, estimated losses reach millions of dollars

According to on-chain records, affected assets span multiple blockchains, including Bitcoin, Ethereum, BNB Chain, and Solana. ZachXBT revealed several addresses suspected of receiving stolen funds, showing that the assets were transferred in a very short time to multiple relay wallets and further split, with transfer structures highly similar across different cases.

Based on currently available public on-chain data, the confirmed outflow amounts to at least approximately $4.3 million. Some Japanese media and community researchers believe that, if cases not yet fully disclosed are included, the total loss could reach up to $6 million, with hundreds of victims. Notably, all transfers were completed instantly, with no small test transactions, indicating that the attackers have a high level of control over the process and the vulnerabilities.

Trust Wallet Confirms Security Incident, Limits Impact to Specific Version

Following the incident, Trust Wallet issued an official statement confirming that this security event only affected Chrome browser extension version 2.68 and is not a widespread issue with the overall wallet system or mobile app. The company announced the urgent release of version 2.69 and urged users still using version 2.68 to disable the extension immediately and update.

[Image: Trust Wallet releases official statement confirming that this security incident only affects Chrome extension version 2.68. Source: X/@TrustWallet]

Trust Wallet emphasized that users on mobile apps and other browser versions are unaffected. The team is currently conducting internal investigations and vulnerability analyses and promises to update the public as more information becomes available. However, so far, the company has not announced any specific compensation plans or fund recovery mechanisms.

Non-custodial wallet risks re-emerge, extension security becomes industry blind spot

Trust Wallet, a non-custodial wallet product under Binance’s ecosystem, promotes a security model where “users control their private keys.” However, this incident highlights that even if private keys do not leave the user’s device, the browser extension itself can still become an attack vector.

Several security researchers pointed out that the browser environment involves third-party components, update mechanisms, and permission management. Once vulnerabilities appear in extension code, they could bypass users’ defenses regarding private key security. ZachXBT also called on platforms to take responsibility and provide compensation if the source of the vulnerability is confirmed to be official code; otherwise, it could cause long-term damage to trust in non-custodial wallets.
