The Trust Wallet browser extension suffered a supply chain attack in version v2.68. Attackers embedded malicious code disguised as the PostHog analytics tool, and that code intercepted the seed phrases users imported. Within a few hours, hundreds of wallets were emptied, with confirmed losses exceeding $7 million.


What makes this incident serious is its stealth: the malicious code was made to look like a common analytics library, so it was hard to spot in review. Affected users had no indication that their seed phrases were being captured at the moment they imported them.
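The failure mode the article describes, in a constructed illustration added here (this is not Trust Wallet's code and not the malicious module from the incident; the import routine, the analytics sink, the wordlist subset and the sample mnemonic are all made up for the example): a wallet import path that hands the whole import event, seed phrase included, to an analytics `capture` call, beside a hardened version in which the mnemonic never reaches telemetry and a guard at the sink refuses anything that looks like secret material.

```javascript
// Added illustration of the failure mode described above. This is not Trust
// Wallet's code and not the malicious module from the incident; the wallet
// import routine, the analytics sink and the sample data are all constructed.

// Constructed sample: the well-known BIP39 test mnemonic (11 x "abandon" + "about").
const TEST_MNEMONIC =
  "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about";

// Constructed subset of the BIP39 English wordlist, enough to run the heuristic.
const BIP39_SAMPLE = new Set([
  "abandon", "ability", "able", "about", "above", "absent",
  "absorb", "abstract", "absurd", "abuse", "access", "accident",
]);

// An in-memory sink stands in for the analytics library's network endpoint.
function makeSink() {
  const sent = [];
  return { sent, capture: (event, props) => sent.push({ event, props }) };
}

// Leaky pattern: the whole import event, seed phrase included, is handed to the
// analytics call. Whether that data leaves the machine is then decided by the
// analytics code, which is exactly the component a supply chain attacker swaps.
function importWalletLeaky(sink, mnemonic) {
  const words = mnemonic.trim().split(/\s+/);
  sink.capture("wallet_imported", { mnemonic, wordCount: words.length });
  return words.length;
}

// Heuristic used by the guard: a 12/15/18/21/24-word string made mostly of
// wordlist words is treated as a mnemonic.
function looksLikeMnemonic(value) {
  if (typeof value !== "string") return false;
  const words = value.trim().toLowerCase().split(/\s+/);
  if (![12, 15, 18, 21, 24].includes(words.length)) return false;
  const hits = words.filter((w) => BIP39_SAMPLE.has(w)).length;
  return hits / words.length >= 0.5;
}

// Walk a telemetry payload and refuse it if any key name or value looks like
// secret material. Throwing (rather than silently dropping) turns a leak into
// a test failure during development instead of an exfiltration in production.
function scrubTelemetry(props, path = "") {
  for (const [key, value] of Object.entries(props)) {
    if (/mnemonic|seed|phrase|private|secret|password/i.test(key)) {
      throw new Error(`telemetry blocked: sensitive key ${path}${key}`);
    }
    if (looksLikeMnemonic(value)) {
      throw new Error(`telemetry blocked: mnemonic-like value at ${path}${key}`);
    }
    if (value && typeof value === "object") scrubTelemetry(value, `${path}${key}.`);
  }
  return props;
}

// Wrap any analytics sink so every payload passes through the guard first.
function guardedSink(sink) {
  return {
    sent: sink.sent,
    capture: (event, props) => sink.capture(event, scrubTelemetry(props || {})),
  };
}

// Hardened pattern: the mnemonic never enters the telemetry call, and the sink
// is guarded anyway, so a swapped analytics library only ever sees metadata.
function importWalletHardened(sink, mnemonic) {
  const words = mnemonic.trim().split(/\s+/);
  guardedSink(sink).capture("wallet_imported", { wordCount: words.length });
  return words.length;
}
```

The guard is a backstop, not the fix: the fix is that secret material is never an argument to a third-party call in the first place. The heuristic is deliberately loose (half the words matching the wordlist is enough) because a false positive here costs one analytics event, while a false negative costs a wallet.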

A major exchange followed with an official statement that affected users would be fully compensated and that their funds are safe, a timely reassurance.

However, the incident also exposed a long-standing issue: although non-custodial wallets claim to give users full control, the browser extension itself is a high-risk component. Broad extension permissions, code that is hard to audit, and a long supply chain of third-party dependencies: any one weak link can become the attacker's entry point.

The most direct lesson is: **browser hot wallets are not suitable for storing large amounts of funds, and seed phrases should never be imported casually**. Cold wallets and hardware wallets are the right long-term storage solution. If a hot wallet must be used, enforce strict limits and transfer only what is needed. Beyond that, keep track of which extension version is installed, so that you can act immediately when an advisory names an affected version, and watch official security notices.

This incident reminds the whole community once again: self-custody matters, but the responsibility for self-protection has to keep pace with it.
RektRecorder (vip) · 4h ago
$7,000,000 instantly gone, this is the cost of not using a hardware wallet --- Once again, browser plugins causing trouble, PostHog is disguising itself quite cunningly --- Compensation? Sounds good, but I still think it's not that simple --- Honestly, hot wallets should be used for small amounts; who would dare store large sums there? --- I've said it before, self-custody wallets are your own responsibility; hackers can still wipe you out --- Hundreds of wallets emptied in just a few hours, how efficient is that? --- Cold wallets are really reliable, I'm starting to understand this phrase more and more --- Are supply chain vulnerabilities easy to patch? Feels like this lesson is quite profound this time
IfIWereOnChain (vip) · 4h ago
$7 million just gone, truly incredible --- It's the browser wallet's fault again. I’ve been saying not to put large amounts in hot wallets --- PostHog clone? Hackers are really ruthless --- Exchange compensation is acceptable, otherwise this would be a complete dead end --- Still using seed phrases to import into browsers? That’s just asking for trouble --- Hardware wallets are never outdated. Repeatedly getting hammered teaches you to be smart --- Now it’s all good, but I have to worry about my Trust Wallet version again --- Supply chain attacks are the most terrifying, the kind that are hard to defend against --- Why must you use browser extensions? I really can't understand --- Clearing hundreds of wallets in a few hours—such efficiency is unbelievable
YieldFarmRefugee (vip) · 5h ago
$7,000,000 gone, oh my, is this still Web3? --- It's a browser wallet again. Bro, don't tell me you're still using this to store your money. --- PostHog is pretty good at disguising itself. Who can tell? So exhausting. --- Full compensation? The exchange's move this time is pretty good. At least it didn't end in a disaster. --- Self-protection, self-protection. Sounds good, but you still have to be careful yourself. --- Isn't cold storage better? Why risk putting large amounts of money into hot wallets? --- I just want to ask those brothers whose funds were emptied, didn't they check their version numbers regularly? --- Supply chain attacks are hard to defend against. It seems anyone could have a mishap. --- If the exchange doesn't compensate, the community will probably blow up. --- Browser extension permissions are so broad, they really need to be regulated.
RetiredMiner (vip) · 5h ago
700 million dollars gone, Trust Wallet really went all out this time --- Here we go again with the supply chain tricks, really insidious --- No wonder I’ve always said hot wallets shouldn’t store your money, now it’s clear --- Full compensation? Just hear it out, it’ll be another round of excuses and disputes --- PostHog is so convincingly fake, is the audit team just a decoration? --- That’s why all my large positions are stored in hardware wallets --- Clearing hundreds of wallets in a few hours, hackers’ efficiency is truly impressive --- Browser plugins are inherently a ticking time bomb --- Here we go again, can’t learn in this circle, everyone --- Importing seed words into a soft wallet is like giving the house key to hackers --- Cold wallets are the way to go, hot wallets are always a gamble --- So self-custody isn’t that great after all, you still have to protect yourself --- Trust Wallet’s reputation took a hit this time --- The principle of “use only what you need” should have been ingrained in everyone’s mind long ago --- Another bloody lesson, I don’t know when this circle will finally settle down