Trust Wallet will fully reimburse approximately $7 million lost in a Christmas Day exploit, Binance co-founder Changpeng Zhao said Friday, as cybersecurity experts pointed to signs of potential insider involvement in the attack.
The pledge comes two days after Trust Wallet’s browser extension version 2.68 was compromised by malicious code that not only drained user funds but also exfiltrated personal information, according to blockchain security firm SlowMist.
Trust Wallet’s browser extension version 2.68 was compromised by a security incident impacting desktop users, the wallet said in a Thursday X post, advising users to upgrade to version 2.89.
Zhao, co-founder of Binance, which owns the cryptocurrency wallet that claims to serve 220 million users, said in a Friday X post that the lost funds will be covered.
Cryptocurrency wallet exploits have been an increasing threat to digital asset investors. Personal wallet compromises accounted for 37% of the value stolen in 2025, if the $1.4 billion Bybit hack in February is excluded, according to Chainalysis.
Still, the $7 million Trust Wallet exploit pales in comparison to some of the biggest wallet hacks. In February 2024, the co-founder of play-to-earn game Axie Infinity, Jeff Zirlin, lost $9.7 million worth of Ether to a suspected wallet exploit.
Security experts point to insider involvement
The orchestrators of the attack on Trust Wallet had been preparing the exploit as early as Dec. 8, wrote Yu Xian, co-founder of blockchain security firm SlowMist, in a Friday X post. A machine translation of his post read:
“The attacker started preparations at least on [Dec. 8], successfully implanted the backdoor on [Dec. 22], began transferring funds on [Christmas Day], and thus was discovered.”
The backdoor code was also collecting users’ personal information, which was sent to the attacker’s server.
According to onchain detective ZachXBT, hundreds of Trust Wallet users were affected.
Some industry watchers said the exploit showed signs of potential insider activity, as the attacker was able to submit a new version of the Trust Wallet extension on the website.
“This kind of ‘hack’ is not natural. The chances of insider is high,” intergovernmental blockchain adviser Anndy Lian wrote in a Friday X post.
Zhao agreed that the exploit was “most likely” the work of an insider.
SlowMist’s Xian also noted that the attacker was “very familiar with the Trust Wallet extension’s source code,” which enabled them to implement the backdoor code necessary to collect sensitive user information.
Ayuba Haruna is a crypto and finance writer, and also an editor with over 5 years of experience. He specializes in regulatory enforcement, DeFi protocols, and market analysis, delivering rigorous, well-sourced journalism.