Original Title: “Christmas Heist | Analysis of Trust Wallet Extension Wallet Hack”
Source: SlowMist Technology
Background
Early this morning Beijing time, @zachxbt posted a message in the channel stating, ‘Some Trust Wallet users have reported that funds in their wallet addresses were stolen in the past few hours.’ Subsequently, Trust Wallet’s official X account also released an official announcement confirming that version 2.68 of the Trust Wallet browser extension poses a security risk, urging all users of version 2.68 to immediately disable that version and upgrade to version 2.69.
Technical Tactics
Upon receiving the intelligence, the SlowMist security team promptly analyzed the relevant samples. Let’s first compare the core code of the previously released versions 2.67 and 2.68:
By diffing the code of the two versions, the malicious code added by the hacker was identified as follows:
The malicious code iterates through all wallets in the extension, sends a ‘retrieve seed phrase’ request for each user wallet to obtain the encrypted seed phrase, and finally decrypts it using the password or passkeyPassword entered by the user when unlocking the wallet. If decryption is successful, the user’s seed phrase is sent to the attacker’s domain `api.metrics-trustwallet[.]com`.
We also analyzed the attacker’s infrastructure; the domain used was metrics-trustwallet.com.
Upon querying, the malicious domain was registered on 2025-12-08 02:28:18, with the domain registrar: NICENIC INTERNATIONA.
On 2025-12-21, the first request records targeting api.metrics-trustwallet[.]com began to appear:
This timeline aligns closely with the backdoor implantation date of 12.22 in the code.
We continued to trace and analyze the code to reconstruct the entire attack process:
Dynamic analysis shows that after the wallet is unlocked, the seed phrase harvested by the attacker can be seen populated in the error object within R1.
The source of this Error data is obtained through a call to the GET_SEED_PHRASE function. Currently, Trust Wallet supports two unlocking methods: password and passkeyPassword. The attacker obtains the password or passkeyPassword during unlocking, then calls GET_SEED_PHRASE to retrieve the wallet’s seed phrase (private keys are handled similarly), and places the seed phrase into the ‘errorMessage’.
Below is the code that uses emit to call GetSeedPhrase, retrieves the seed phrase data, and populates it into the error.
Traffic analysis conducted with BurpSuite shows that after obtaining the seed phrase, it is encapsulated in the errorMessage field of the request body and sent to the malicious server (https[://]api[.]metrics-trustwallet[.]com), which is consistent with the earlier analysis.
Through the above process, the theft of seed phrases/private keys is completed. Additionally, the attacker is likely familiar with the extension’s source code, leveraging the open-source full-link product analytics platform PostHogJS to collect user wallet information.
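The exfiltration channel described above (a mnemonic smuggled into the `errorMessage` field of an analytics request to a non-official host) can be hunted for in captured extension traffic. The following is an added example, not code from SlowMist or Trust Wallet: it scans constructed request captures for mnemonic-shaped strings in JSON fields and for analytics hosts outside an allowlist. The allowlist, the `/e/` path and the sample bodies are assumptions chosen for illustration.

```javascript
// Added example (not from the SlowMist write-up or the Trust Wallet codebase):
// inspect captured outbound requests from a browser extension (e.g. exported
// from an intercepting proxy) for the two indicators described in the analysis.

// ASSUMPTION: allowlist of analytics hosts the extension is expected to talk to.
const OFFICIAL_ANALYTICS_HOSTS = new Set(['us.i.posthog.com', 'eu.i.posthog.com']);
const MNEMONIC_LENGTHS = new Set([12, 15, 18, 21, 24]);

// Heuristic: BIP39 mnemonics are N lowercase words of 3-8 letters separated by spaces.
// A production check would additionally validate each word against the 2048-word BIP39 list.
function looksLikeMnemonic(value) {
  if (typeof value !== 'string') return false;
  const words = value.trim().split(/\s+/);
  return MNEMONIC_LENGTHS.has(words.length) && words.every(w => /^[a-z]{3,8}$/.test(w));
}

// Recursively walk a parsed JSON body and return dotted paths of mnemonic-shaped string values.
function findMnemonicFields(obj, path = '') {
  const hits = [];
  if (obj && typeof obj === 'object') {
    for (const [k, v] of Object.entries(obj)) hits.push(...findMnemonicFields(v, path ? `${path}.${k}` : k));
  } else if (looksLikeMnemonic(obj)) {
    hits.push(path);
  }
  return hits;
}

// Inspect one captured request { url, body }; returns a list of human-readable findings.
function inspectRequest(req) {
  const findings = [];
  const host = new URL(req.url).hostname;
  if (!OFFICIAL_ANALYTICS_HOSTS.has(host)) findings.push(`analytics traffic to non-allowlisted host ${host}`);
  let parsed;
  try { parsed = JSON.parse(req.body); } catch { return findings; } // non-JSON bodies: host check only
  for (const p of findMnemonicFields(parsed)) findings.push(`mnemonic-shaped value in field "${p}"`);
  return findings;
}

// Constructed sample capture: the 12-word string is the first 12 BIP39 words, NOT a real wallet.
const SAMPLE_REQUESTS = [
  { url: 'https://us.i.posthog.com/e/', body: JSON.stringify({ event: 'wallet_unlocked', properties: { errorMessage: '' } }) },
  { url: 'https://api.metrics-trustwallet.com/e/', body: JSON.stringify({ event: '$exception',
      properties: { errorMessage: 'abandon ability able about above absent absorb abstract absurd abuse access accident' } }) },
];

// Return only the requests that produced findings.
function scanCapture(requests = SAMPLE_REQUESTS) {
  return requests.map(r => ({ url: r.url, findings: inspectRequest(r) })).filter(r => r.findings.length > 0);
}

console.log(JSON.stringify(scanCapture(), null, 2));
```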
Stolen Asset Analysis
(https://t.me/investigations/296)
Based on the hacker addresses disclosed by ZachXBT, our statistics show that, as of the time of writing, the total stolen assets on the Bitcoin chain amount to approximately 33 BTC (worth about 3 million USD), stolen assets on the Solana chain are valued at around 431 USD, and stolen assets on Ethereum mainnet and various Layer 2 chains are worth approximately 3 million USD. After stealing the assets, the hacker transferred and exchanged some of them using various centralized exchanges and cross-chain bridges.
Summary
This backdoor incident originated from malicious source code modifications to the Trust Wallet extension’s internal codebase (analytics service logic), rather than the introduction of tampered general third-party packages (such as malicious npm packages). The attacker directly tampered with the application’s own code, leveraging the legitimate PostHog library to redirect analytics data to a malicious server. Therefore, we have reason to believe this is a sophisticated APT attack, and the attacker may have gained control over Trust Wallet-related developer device permissions or release deployment permissions before December 8th.
Recommendations:
1. If you have installed the Trust Wallet extension wallet, you should immediately disconnect from the internet as a prerequisite for investigation and operations.
2. Immediately export your private keys/seed phrase and uninstall the Trust Wallet extension wallet.
3. After backing up your private keys/seed phrase, promptly transfer your funds to another wallet.
