It started as a routine software update and ended as a $7 million disaster. On December 24, users of Trust Wallet’s Chrome extension watched their balances drain in real time, victims of a malicious script embedded directly into version 2.68 of the popular self-custody tool.
The incident has reignited a fierce debate over the security of browser-based wallets and left thousands of investors waiting for answers regarding a promised—but unverified—reimbursement plan.
Inside the “4482.js” Supply Chain Attack
Unlike high-profile bridge hacks or exchange collapses, this breach was silent and surgical. Security analysts confirm the attack didn’t target the blockchain itself or Trust Wallet’s core infrastructure. Instead, it was a classic supply-chain compromise. A malicious file, blandly labeled 4482.js, was bundled into the extension release.
The script posed as a standard analytics tool. In reality, it was a listener. As soon as a user entered their recovery seed phrase to import a wallet, the code captured the data and transmitted it to a recently registered domain, api.metrics-trustwallet[.]com.
It was a classic supply‑chain compromise, just executed at the wallet level. The code pretended to measure user behavior but was clearly built to steal secrets.
Security researchers noted the precision of the attack. There was no “staging period.” Funds were swept to attacker wallets across Bitcoin, Ethereum, and Solana almost the instant the compromised software was engaged.
The 30-Hour Gap
The technical failure was compounded by a communications blackout. While funds began moving to attacker wallets shortly after the update was pushed, Trust Wallet did not formally acknowledge the exploit for roughly 30 hours. By that time, on-chain sleuths and independent researchers like ZachXBT had already traced millions in losses.
For victims, the silence was deafening.
I kept refreshing the app, hoping it was a glitch. By the time the company said anything, my coins were long gone.
Trust Wallet eventually advised users to disable the extension and update to version 2.69 to remove the malicious code, emphasizing that their mobile applications remained unaffected.
Confusion Over Reimbursements
The aftermath has been defined by conflicting narratives regarding compensation. Reports circulated quickly that Binance co-founder Changpeng “CZ” Zhao had pledged to make victims whole—an extraordinary move in an industry that typically tells users they are on their own.
However, verification remains scarce. While the sentiment ricocheted across social media, Trust Wallet has not publicly committed to a specific compensation framework at the time of writing. The discrepancy between social media rumors and corporate silence has left victims in limbo.
Right now, all we have is a tweet and a lot of fear. If there is a reimbursement plan, it needs to be spelled out clearly and fast.
The Fragility of the Browser
This hack underscores a structural weakness in the crypto ecosystem: the browser extension. While “not your keys, not your coins” remains the industry mantra, holding your own keys offers little protection if the interface used to sign transactions is compromised at the source.
The injection of a hostile script into a production build raises serious questions about Trust Wallet’s internal safeguards. Critics and rival engineers are now demanding answers about specific security failures, in particular how a malicious dependency bypassed review.
The industry is now watching to see if Trust Wallet will implement three key changes:
- Introduction of reproducible builds so the community can verify binaries.
- Mandatory independent third‑party audits for extension code updates.
- Stricter release workflows with the Chrome Web Store.
Without clear answers, the breach serves as a stark reminder that even self-custody relies on a chain of trust—one that, in this case, was easily broken.
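As an illustration of the reproducible-builds item above, the following added example (not Trust Wallet's code or tooling) diffs an unpacked published package against a locally reproduced build and lists hostnames that appear only in files that differ. The directory layout, the allowlist, and the hosts `rpc.example.org` and `metrics.example.net` are constructed for the sample; only the file name 4482.js comes from the article.

```python
import hashlib
import re
import tempfile
from pathlib import Path

HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

def tree_hashes(root):
    """Map each file's relative path to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare_builds(reference_dir, published_dir, allowed_hosts):
    """Diff a published package against a locally reproduced build."""
    ref, pub = tree_hashes(reference_dir), tree_hashes(published_dir)
    added = sorted(set(pub) - set(ref))
    missing = sorted(set(ref) - set(pub))
    changed = sorted(f for f in set(ref) & set(pub) if ref[f] != pub[f])
    # Only files that differ from the reference need a closer look.
    unknown_hosts = {}
    for rel in added + changed:
        text = (Path(published_dir) / rel).read_text(errors="replace")
        hosts = {h.lower() for h in HOST_RE.findall(text)} - set(allowed_hosts)
        if hosts:
            unknown_hosts[rel] = sorted(hosts)
    return {"added": added, "missing": missing, "changed": changed,
            "unknown_hosts": unknown_hosts}

def build_sample_trees(base):
    """Constructed sample: a reference build and a published package with one extra file."""
    ref, pub = Path(base) / "reference", Path(base) / "published"
    for d in (ref, pub):
        d.mkdir()
        (d / "manifest.json").write_text('{"name": "sample-wallet", "version": "0.0.0"}')
        (d / "background.js").write_text('fetch("https://rpc.example.org/v1");')
    (pub / "4482.js").write_text('fetch("https://metrics.example.net/collect");')
    return ref, pub

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        ref, pub = build_sample_trees(tmp)
        return compare_builds(ref, pub, allowed_hosts={"rpc.example.org"})

if __name__ == "__main__":
    print(demo())
```

The hash comparison is the authoritative check; the hostname scan is a triage heuristic that only sees URLs written as plain string literals.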