How Trust Wallet Chrome Extension Backdoor Exfiltrated Seed Phrases

12-Feb-2026 Crypto Adventure

A new BlockSec case study published Feb 12, 2026 says the Trust Wallet Browser Extension v2.68 incident was enabled by a supply-chain compromise that turned the official Chrome distribution path into an attacker-controlled update channel. The case study’s core claim is simple: a malicious build of the extension was uploaded through the same channel users normally trust, and the injected logic quietly exfiltrated seed phrases, enabling multi-chain wallet drains.

Trust Wallet’s own investigation update states an unauthorized and malicious version of the browser extension (v2.68) was published to the Chrome Web Store outside the standard release process during Dec 24 to Dec 26, 2025, and it notes the impact was about $8.5M across 2,520 affected wallet addresses. That official timeline and scope are laid out in its community update and the related Trust Wallet support security notice.

New Mechanism Details in the BlockSec Writeup

The most actionable technical detail in the new BlockSec case study is how the backdoor hides in a “normal” workflow. BlockSec says the malicious behavior triggers during wallet unlock operations, where it observed a suspicious request that sends GZIP-compressed data to an attacker-controlled endpoint, which can then be decompressed to reveal seed phrases in plaintext.

BlockSec also says the attacker registered a lookalike analytics domain, metrics-trustwallet.com, and routed traffic to api.metrics-trustwallet.com. It describes a modified PostHog analytics configuration and points to a JavaScript file (4482.js) that allegedly redirects analytics payloads to the attacker infrastructure, making the exfiltration blend in with telemetry-style traffic.
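The detection angle for defenders is that the exfiltration was dressed up as analytics traffic to a lookalike domain. The following is an added example (not BlockSec's or Trust Wallet's code) that runs two checks over constructed proxy log lines: a brand-lookalike test (a host that reuses the vendor name but is not under the official apex, which catches metrics-trustwallet.com and api.metrics-trustwallet.com from the writeup) and a test for compressed POST bodies going anywhere other than an allow-listed telemetry host. The log format and the allow-listed PostHog host are assumptions for the demo, not Trust Wallet's real configuration; the gzip helpers are for confirming, during incident review, that a captured body is a compressed stream.

```python
"""Flag telemetry-lookalike exfiltration in proxy logs (added example)."""
import gzip
import re
from dataclasses import dataclass

OFFICIAL_APEX = "trustwallet.com"   # the vendor's real apex domain
BRAND_LABEL = "trustwallet"         # string a lookalike domain will reuse
# Where the product's own analytics are expected to go. This PostHog host is
# an assumption for the demo, not Trust Wallet's actual configuration.
ALLOWED_TELEMETRY_HOSTS = {"us.i.posthog.com"}

# Constructed proxy log lines (format invented for this demo):
# <timestamp> <method> <host> <path> <status> enc=<content-encoding> bytes=<n>
SAMPLE_LOG = """\
2025-12-25T10:02:11Z POST us.i.posthog.com /e/ 200 enc=gzip bytes=318
2025-12-25T10:02:13Z GET api.trustwallet.com /v1/prices 200 enc=- bytes=2210
2025-12-25T10:02:15Z POST api.metrics-trustwallet.com /e/ 200 enc=gzip bytes=412
2025-12-25T10:03:40Z GET cdn.trustwallet.com /assets/logo.png 200 enc=- bytes=9001
2025-12-25T10:05:02Z POST telemetry.example.net /collect 200 enc=gzip bytes=300
2025-12-25T10:05:30Z POST example-cdn.net /ping 204 enc=- bytes=20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) "
    r"(?P<status>\d{3}) enc=(?P<enc>\S+) bytes=(?P<bytes>\d+)$"
)


@dataclass
class Finding:
    ts: str
    host: str
    reasons: list


def apex_of(host: str) -> str:
    """Last two labels of a hostname (sufficient for .com-style apexes)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_brand_lookalike(host: str) -> bool:
    """True when the host reuses the brand name outside the official apex."""
    h = host.lower()
    return BRAND_LABEL in h and apex_of(h) != OFFICIAL_APEX


def analyze(log_text: str) -> list:
    """Return one Finding per suspicious request, with the reasons it tripped."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not silently trusted
        host = m["host"]
        reasons = []
        if is_brand_lookalike(host):
            reasons.append("brand lookalike domain")
        if (m["method"] == "POST" and m["enc"] == "gzip"
                and host not in ALLOWED_TELEMETRY_HOSTS
                and apex_of(host) != OFFICIAL_APEX):
            reasons.append("compressed POST to non-allowlisted host")
        if reasons:
            findings.append(Finding(m["ts"], host, reasons))
    return findings


def is_gzip_body(body: bytes) -> bool:
    """Gzip streams begin with the magic bytes 0x1f 0x8b."""
    return body[:2] == b"\x1f\x8b"


def inflate_if_gzip(body: bytes) -> bytes:
    """Decompress a captured request body if it is a gzip stream."""
    return gzip.decompress(body) if is_gzip_body(body) else body


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts} {f.host}: {', '.join(f.reasons)}")
    # Constructed captured body, to show the inflate step on a gzip POST.
    captured = gzip.compress(b'{"event":"wallet_unlock","payload":"<constructed>"}')
    print("gzip body:", is_gzip_body(captured), "->", inflate_if_gzip(captured))
```

The lookalike rule is deliberately broad: any host carrying the brand string outside the official apex is worth a look, and the compressed-POST rule catches the same traffic even when the attacker picks a domain that does not reuse the brand name.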

That mechanism matters because it reframes the risk. This is not “user clicked a phishing link.” It is “wallet distribution and update integrity failed,” which is harder for end users to defend against in real time.

How the Official Update Channel Could Be Abused

Both the Trust Wallet incident update and the BlockSec case study converge on the same enabling condition: an attacker gained access that allowed builds to be uploaded directly to the Chrome Web Store.

Trust Wallet says its investigation suggests the attacker used a leaked Chrome Web Store API key to publish the malicious build, bypassing its internal manual review controls. The post also links that exposure to an industry-wide supply-chain incident it calls “Sha1-Hulud,” describing compromised developer secrets and key access as the likely bridge from developer environment compromise to a trusted release channel.

BlockSec describes a similar chain, saying the attacker obtained the Chrome Web Store API key via a broader developer tooling compromise it refers to as “Shai-Hulud 2.0,” then uploaded the tampered extension through the official developer account path, allowing the malicious version to appear as a legitimate update.

Who Was Exposed and What to Check

Trust Wallet says the incident scope is limited to users who opened the browser extension v2.68 and logged in during the affected period (Dec 24 to Dec 26, 2025), and it states it does not affect mobile app users or other extension versions, nor v2.68 users who opened and logged in after Dec 26, 2025 at 11:00 UTC. Those scope boundaries, plus the count of 2,520 affected wallet addresses and 17 attacker-controlled addresses, are in the official community update.

For build identification, Trust Wallet’s support guidance names the Chrome extension ID as egjidjbpglichdcondbcbdnbeeppgdph in its security notice. The current Chrome Web Store listing shows the extension is now on a later version and was updated again on Feb 11, 2026, which gives users a concrete “installed version” check against the known-bad v2.68.
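The "installed version" check can be automated across a fleet by reading the manifest of each installed copy of the extension on disk. The following is an added example, not Trust Wallet's tooling: it walks Chrome's standard per-profile Extensions directories (the Linux, macOS and Windows paths Chrome uses by default), reads each manifest.json under the extension ID from the security notice, and flags any build whose version equals the known-bad 2.68. The version-normalization rule (treating 2.68 and 2.68.0 as the same release) and the constructed demo tree with a made-up later version 2.71.3 are assumptions for the example.

```python
"""Find installed copies of a Chrome extension and flag the known-bad build."""
import json
import os
import sys
import tempfile
from pathlib import Path

EXT_ID = "egjidjbpglichdcondbcbdnbeeppgdph"  # from Trust Wallet's security notice
KNOWN_BAD = "2.68"                            # the malicious release


def default_extension_roots() -> list:
    """Chrome's per-profile Extensions directories for the current user."""
    home = Path.home()
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("LOCALAPPDATA", str(home))) / "Google/Chrome/User Data"
    elif sys.platform == "darwin":
        base = home / "Library/Application Support/Google/Chrome"
    else:
        base = home / ".config/google-chrome"
    if not base.is_dir():
        return []
    return [p / "Extensions" for p in base.iterdir() if (p / "Extensions").is_dir()]


def normalize(version: str) -> tuple:
    """Assumption: '2.68.0' and '2.68' are the same release (trailing zeros dropped)."""
    parts = [int(x) for x in version.split(".") if x.isdigit()]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def installed_versions(ext_root: Path, ext_id: str = EXT_ID) -> list:
    """Read manifest.json under <root>/<id>/<version>_<n>/ and return the versions."""
    found = []
    ext_dir = Path(ext_root) / ext_id
    if not ext_dir.is_dir():
        return found
    for vdir in sorted(ext_dir.iterdir()):
        manifest = vdir / "manifest.json"
        if manifest.is_file():
            with manifest.open(encoding="utf-8") as fh:
                found.append(json.load(fh).get("version", "unknown"))
    return found


def check_roots(roots, ext_id: str = EXT_ID, known_bad: str = KNOWN_BAD) -> dict:
    """Map each installed version to True if it matches the known-bad release."""
    report = {}
    for root in roots:
        for v in installed_versions(Path(root), ext_id):
            report[v] = normalize(v) == normalize(known_bad)
    return report


def build_demo_tree() -> Path:
    """Constructed profile layout with one bad and one made-up later build."""
    root = Path(tempfile.mkdtemp()) / "Default" / "Extensions"
    for dirname in ("2.68.0_0", "2.71.3_0"):
        d = root / EXT_ID / dirname
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"version": dirname.split("_")[0]}))
    return root


if __name__ == "__main__":
    # Real Chrome profiles if present, otherwise the constructed demo tree.
    roots = default_extension_roots() or [build_demo_tree()]
    for version, bad in check_roots(roots).items():
        print(f"{version}: {'KNOWN-BAD build, treat seed phrase as exposed' if bad else 'ok'}")
```

A hit from this check only says the bad build was installed; whether a user actually opened and logged in during the Dec 24 to Dec 26 window is what Trust Wallet's scope statement turns on, so the script is a triage filter, not a verdict.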

What Users Can Do Right Now

The immediate defensive posture is to treat seed phrases as compromised if they were ever entered into the affected build. Trust Wallet’s guidance is to stop using the vulnerable build and upgrade to a secure version, which is detailed step-by-step in the support notice.

For users who logged in during the exposure window, Trust Wallet’s update recommends moving funds from any at-risk wallets to a newly created wallet and following its official claim flow for reimbursement, as described in the community update. In practice, the safest operating assumption is that any wallet imported into the compromised extension should be rotated, and any downstream approvals and session keys tied to that wallet should be reviewed.

What to Verify Next

The new writeup is easy to convert into “user-action” news, but a few details remain worth pinning down before publishing a definitive explainer.

The first is the exact compromised build window and artifacts: whether Trust Wallet can map the malicious upload to a specific publish timestamp and reproducible artifacts from the Web Store side, beyond the version number and incident window in the official update.

The second is a full post-incident remediation record: what permanent controls now exist around release approvals, key storage, and publishing permissions, beyond the operational guidance in the security notice.

The third is on-chain clustering and laundering paths. The Trust Wallet investigation update references attacker-controlled addresses, and the BlockSec case study describes routing to non-KYC venues. A clean, publish-safe summary usually requires mapping those clusters with chain-by-chain context and clearly separating confirmed drains from inference.
