Trust Wallet founder, CZ vows to refund $7 million lost in Christmas Day hack

Trust Wallet has pledged to cover roughly $7 million in customer funds lost in a Christmas Day exploit, its founder, Changpeng Zhao, confirmed on the social platform X. The sudden breach has rattled part of the crypto community. Still, Zhao’s swift assurance aims to steady nerves and restore confidence in the popular self-custodial wallet.

The incident unfolded on December 25, when a compromised version of the Trust Wallet browser extension was used to drain assets from users’ wallets. 

Early investigations suggest the malicious code was active in version 2.68 of the extension, prompting unauthorised transfers across multiple blockchains, including Ethereum, Bitcoin and Solana. Within hours, on-chain data showed funds being siphoned away to unknown addresses, with losses quickly approaching $7 million.

In a post on X on Friday, Zhao emphasised that “user funds are SAFU,” using the popular crypto industry acronym for Secure Asset Fund for Users. He said Trust Wallet will reimburse affected users for their losses. The team is continuing to investigate exactly how the attackers were able to upload and distribute the compromised extension.

The wallet provider also described the breach as limited to the browser extension. Trust Wallet urged users to disable the compromised version immediately and update to the fixed release, version 2.69, available via the official Chrome Web Store.

Mobile app users and those using other extension versions were reportedly not affected.

How the Trust Wallet exploit played out

Security researchers and on-chain analysts have begun piecing together a timeline of the attack. Initial signs of preparation by the threat actors date back to early December, according to cybersecurity firm SlowMist. Their reporting indicates that malicious code was embedded into the extension build before going live, suggesting a carefully planned exploit rather than a simple automated attack.

Once live on Christmas Day, the compromised extension collected sensitive user data, including seed phrases, and transmitted it to a remote server controlled by the attackers. Victims who imported a seed phrase into the extension saw their wallets drained in a matter of minutes, even if they had followed common security practices.

Across the crypto community, on-chain sleuths flagged hundreds of wallets affected by the breach. The rapid movement of assets through mixing services complicated efforts to trace stolen funds, making recovery efforts challenging.

The broader market felt the shock of the news, coming at a time when crypto prices were already under pressure. Despite the relatively modest size of the loss compared with massive exchange hacks this year, the incident has drawn fresh scrutiny to browser-based wallet infrastructure and supply chain security.

Meanwhile, Zhao’s public promise to cover the losses was intended to reassure users that the incident would not result in personal financial loss. His message emphasised that affected funds will be reimbursed from Trust Wallet’s reserves, and that the issue appears to be confined to the compromised extension.

Some industry observers have raised questions about how the malicious version passed through review and was distributed via official channels.

There are early suggestions that the breach may involve a supply chain compromise or even insider knowledge, given how the altered code was able to slip into the official release. These suggestions have sparked debate across forums and social platforms, with some users voicing concerns about internal controls and review processes.

Trust Wallet has responded by prioritising the release of the patched extension and asking users to update immediately. It has also been recommended that those affected generate new seed phrases and migrate assets to secure environments.

The post Trust Wallet founder, CZ vows to refund $7 million lost in Christmas Day hack first appeared on Technext.