BlockBeats News, December 26. This morning Trust Wallet, the largest non-custodial cryptocurrency wallet by user base, officially issued a security alert confirming a security vulnerability in version 2.68 of its browser extension. On-chain investigator ZachXBT disclosed that hundreds of Trust Wallet users have had their funds stolen, with losses totaling at least $6 million. Trust Wallet has been downloaded over 2 billion times, has approximately 17 million monthly active users, and holds about 35% of the market, so the impact of this incident is wide. A summary of security incidents encountered by several mainstream browser extension wallets follows:
Trust Wallet's browser extension was previously found to have a WebAssembly vulnerability in November 2022, affecting only new wallet addresses created between November 14 and 23, 2022. Approximately $170,000 was stolen. Trust Wallet identified the issue through its bug bounty program, fixed the vulnerability, and fully compensated the affected users.
MetaMask was affected by the "Demonic" vulnerability in 2022, which applied to versions older than 10.11.3 and allowed private keys to be exposed in the browser's memory. No large-scale fund losses are known to have resulted. From 2023 to 2025 the official MetaMask extension itself operated securely, but it was frequently targeted by malicious counterfeit extensions. A Chainalysis report showed a significant rise in abnormal theft incidents affecting MetaMask users in 2025, attributed mainly to counterfeit malware and phishing rather than to the security of the extension wallet itself. MetaMask now publishes monthly security reports on the matter. Because it is a popular Ethereum extension wallet, it remains a primary target for counterfeiting.
Phantom (Solana's main wallet extension) was also affected by the "Demonic" vulnerability in 2022, again with no known large-scale fund losses. In early 2025 a security controversy arose around the Phantom extension when a user lost $500,000. The loss was attributed to Phantom storing the private key unencrypted in memory, which allegedly enabled the attack, and a class-action lawsuit was filed in the U.S. District Court for the Southern District of New York. Phantom's official statement strongly denied all charges, calling the lawsuit "baseless" and emphasizing that Phantom is a non-custodial wallet in which the user bears responsibility for the security of their funds.
Rabby Wallet (a DeFi-oriented extension) was hacked in 2022 through a vulnerability in Rabby Swap, resulting in the theft of approximately $200,000 in crypto assets. The vulnerability did not originate in the extension itself but in its built-in Swap functionality.
The most common way for a browser extension wallet to be compromised is through fake downloads of the extension. In 2025 the Firefox add-on store saw multiple such incidents, affecting popular crypto extension wallets including MetaMask, Phantom, and Trust Wallet. Vulnerabilities in the official extensions themselves have been comparatively rare. Users are advised to download these extensions only from the official Chrome Web Store to protect their funds.
