29.12.2025

When Trust Fails Through Compromised Code

Table of Contents:

Trust Wallet as a Leading Self-Custody Platform and the Scale of the Incident

Chrome Extension Vulnerability and Attack Execution

$7M in Stolen Assets: Impact on Users and Data Exfiltration

On-Chain Tracing: From Attacker Wallets to Centralized Exchanges

Asset Recovery, Reimbursement, and 2025 Security Lessons

Binance’s Trust Wallet has long been regarded as one of the most secure and widely used brands in crypto self-custody.

By late 2025, the wallet reportedly surpassed 200 million downloads worldwide, placing it among the largest self-custody crypto wallets globally.

However, a late-December incident, estimated at roughly $7 million in stolen funds, serves as another reminder that no technology is completely immune to exploitation. In today’s environment, maintaining strong personal and business cybersecurity awareness remains essential.

The incident

A code vulnerability

A security flaw was identified in the Trust Wallet Chrome browser extension (version 2.68). According to reports, the compromised version contained malicious code designed to scan wallets stored in the extension and trigger mnemonic phrase requests.

Impact on users

Users running version 2.68 were exposed to immediate risk. The incident is estimated to have resulted in approximately $7 million in stolen assets.

Official response

Trust Wallet issued a security alert advising users to disable the Chrome extension version 2.68 and upgrade to version 2.69.

Data exfiltration

The malicious code allegedly extracted sensitive wallet information from affected users and transmitted it to an attacker-controlled server, enabling unauthorized access and fund theft.

Where the funds went

An examination of the on-chain movement of cryptocurrency assets stolen from Trust Wallet users on Ethereum shows that the entirety of the stolen funds was funneled into the following wallet addresses:
After being credited to the attackers’ primary wallet addresses, the stolen assets were subsequently moved to intermediary wallets under the attackers’ control. From these transit addresses, the funds were then transferred to deposit addresses associated with the ChangeNOW, FixedFloat, HTX, and KuCoin cryptocurrency exchanges.

Fig. 1: Overall diagram showing how stolen assets were moved.


Fig. 2: The Graph diagram visually illustrates the flow of stolen assets as they were transferred to the ChangeNOW, FixedFloat, HTX, and KuCoin cryptocurrency exchanges.

Fig. 3: The Graph diagram visualizes all address relationships involved in the transfer of funds to the ChangeNOW exchange.
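The hop-by-hop tracing described above (primary wallets, then transit wallets, then exchange deposit addresses) can be sketched as a breadth-first walk over outgoing transfers. This is an added example, not BitOK's Graph implementation; the addresses, amounts and deposit labels below are constructed placeholders, and the attribution table is assumed to come from an analytics provider.

```python
from collections import defaultdict, deque

# Constructed sample transfers: (sender, receiver, amount in ETH). Placeholders only.
TRANSFERS = [
    ("victim_1", "theft_A", 5.0),
    ("victim_2", "theft_A", 3.0),
    ("victim_3", "theft_B", 4.0),
    ("theft_A", "transit_1", 8.0),
    ("theft_B", "transit_1", 1.5),
    ("theft_B", "transit_2", 2.5),
    ("transit_1", "transit_3", 6.0),
    ("transit_1", "dep_changenow", 3.5),
    ("transit_3", "dep_kucoin", 6.0),
    ("transit_2", "dep_htx", 2.5),
    ("unrelated", "dep_kucoin", 9.0),  # not connected to the theft; must not be counted
]
# Assumed attribution: deposit address -> exchange name.
EXCHANGE_DEPOSITS = {"dep_changenow": "ChangeNOW", "dep_kucoin": "KuCoin", "dep_htx": "HTX"}


def trace_to_exchanges(transfers, sources, deposits, max_hops=6):
    """Walk outgoing transfers from the theft addresses.

    Returns (hops, inflow): hop distance of every traced address, and the value
    that traced addresses sent into each exchange. The inflow is an upper bound
    on stolen value, because transit wallets may also hold unrelated funds.
    """
    out_edges = defaultdict(list)
    for sender, receiver, amount in transfers:
        out_edges[sender].append((receiver, amount))
    hops = {src: 0 for src in sources}
    inflow = defaultdict(float)
    queue = deque(sources)
    while queue:
        addr = queue.popleft()
        if addr in deposits or hops[addr] >= max_hops:
            continue  # stop at exchange custody or when the hop budget is spent
        for nxt, amount in out_edges[addr]:
            if nxt in deposits:
                inflow[deposits[nxt]] += amount
            if nxt not in hops:  # first visit fixes the shortest hop distance
                hops[nxt] = hops[addr] + 1
                queue.append(nxt)
    return hops, dict(inflow)


if __name__ == "__main__":
    print(trace_to_exchanges(TRANSFERS, ["theft_A", "theft_B"], EXCHANGE_DEPOSITS))
```

Stopping at a deposit address matters: once funds enter exchange custody they are pooled, so following outgoing transfers past that point would pull unrelated customers into the trace.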

Asset recovery

The positive development for affected Trust Wallet users is that the company has issued a public statement committing to fully reimburse all stolen assets. By assuming responsibility for the losses, Trust Wallet has taken an important step toward restoring user confidence that was undermined by the incident.

This case underscores a broader lesson of 2025: no system can be considered entirely secure. Cryptocurrency-related crime has evolved into highly organized and sophisticated operations capable of targeting platforms and apps that were widely regarded as secure. 2025 became a year in which attacks shifted from the classical pattern to a new destination: centralized exchanges and even cold wallets.

Earlier this year, the Financial Action Task Force (FATF) released updated guidance on asset recovery, emphasizing that the use of blockchain analytics has become essential for timely and effective recovery efforts. In this investigation, we employed BitOK’s Graph analytics platform to trace the flow of stolen funds and determine their current locations.
