Plugin Wallet Security Incident Overview: Plagued by Counterfeit Software and Phishing Attacks, Direct Official Vulnerabilities Are Few

December 26th — Trust Wallet issued a security alert this morning confirming a vulnerability in its browser extension (version 2.68). On-chain detective ZachXBT reports hundreds of users have already had funds stolen, with total losses hitting at least $6 million. Below are key security incidents involving major browser extension wallets: ### Trust Wallet (2022) Back in November 2022, Trust Wallet’s extension had a WebAssembly vulnerability affecting only new addresses created between Nov 14–23, 2022. The flaw led to ~$170k in stolen funds. Trust Wallet found the issue via its bug bounty program, patched it, and fully compensated affected users. ### MetaMask - **2022**: Faced a “Demonic” vulnerability (versions before 10.11.3) that exposed private keys in browser memory — no large-scale losses reported. - **2023–2025**: Official extension operated securely, but it’s often targeted by fake versions. A 2025 Chainalysis report noted a spike in abnormal thefts, driven mostly by counterfeit malware and phishing (not the wallet itself). - **Current**: MetaMask publishes monthly security reports on this, but as a top Ethereum plugin wallet, it remains a key counterfeit target. ### Phantom (Solana’s main wallet) - **2022**: Also had the “Demonic” vulnerability — no major losses reported. - **Early 2025**: A controversy arose after a user lost $500k when private keys were stored unencrypted in memory (leading to a hack). A class-action lawsuit was filed in the Southern District of New York. Phantom’s team denied all claims, calling the lawsuit “baseless” and noting Phantom is non-custodial (users bear fund security responsibility). ### Rabby Wallet (DeFi-focused) - **2022**: Hacked via a flaw in its Rabby Swap feature, leading to ~$200k in stolen crypto. The issue wasn’t with the extension itself, but the built-in swap tool. ### Key Takeaway The most common way extension wallets get compromised is via fake downloads. In 2025, multiple such incidents hit the Firefox store, targeting major wallets like MetaMask, Phantom, and Trust Wallet. Direct official vulnerabilities are far rarer. **Advice**: Only download extension wallets from the official Chrome Web Store to protect your funds.