Browser Extension Flaw Drains $713M From Crypto Wallets in 2025

Browser extensions now sit at the center of at least $713 million in personal wallet thefts in 2025. That dollar figure comes from new Chainalysis crime data, which tallies more than $3.4 billion in total stolen crypto this year; the link to browser wallets comes from a fresh CryptoSlate analysis that pins much of the personal-wallet damage on a long-ignored design flaw in extension-based wallets.

Chainalysis estimates that personal wallet compromises now account for 20% of all value stolen in 2025, or $713 million, after peaking at 44% in 2024. Without February’s $1.5 billion Bybit hack skewing the totals, that share would sit closer to 37%, according to its latest theft breakdown preview for the 2026 crime report published this month. The trend is clear. Attackers follow the keys into the browser.

The flaw: hot wallets inside a hostile app

The core problem is not one bug in one wallet. An extension wallet is an always-on hot wallet living in the same browser as adware, random plugins, and whatever JavaScript the current page runs. Auto-updates ship silently, so the code holding the keys can change without the user doing anything. Extensions cannot read each other’s storage, but any extension with broad host permissions can rewrite the content of the pages the user signs on, inject scripts into dApp front ends, or intercept the requests those pages make, and the password-encrypted vault each wallet keeps in the browser profile sits on disk where OS-level malware can read and copy it.
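The permission surface that paragraph describes can be checked from the outside. The following is an added example, not code from the article or from any wallet vendor: a small Node.js script that audits an extension’s manifest.json for the permission combinations that let it rewrite or script the pages a user signs on. The sample manifests, the extension names and the notes.example domain are constructed for the demo; nothing here describes Trust Wallet’s actual manifest.

```javascript
// Added example (not code from the article or from any wallet vendor): audit a
// Chrome/Edge extension manifest for the permission combinations that let an
// extension rewrite or script the pages a user signs transactions on.
// Handles Manifest V2 (host patterns under "permissions") and V3 ("host_permissions").

// Match patterns that cover every origin the browser visits.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const isBroad = (p) => BROAD_HOSTS.has(p);
const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

// Returns a list of {id, severity, detail}; an empty list means nothing was flagged.
function auditManifest(manifest) {
  const findings = [];
  const allPerms = manifest.permissions || [];
  const perms = allPerms.filter((p) => !isHostPattern(p));
  const hosts = [...(manifest.host_permissions || []), ...allPerms.filter(isHostPattern)];
  const broadHost = hosts.some(isBroad);

  if (broadHost) {
    findings.push({ id: "broad-host", severity: "high",
      detail: "host access to every site: can read and modify any page, dApp front ends included" });
  }
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some(isBroad)) {
      findings.push({ id: "content-script-all-pages", severity: "high",
        detail: `${JSON.stringify(cs.js || [])} runs in every page (run_at=${cs.run_at || "document_idle"})` });
    }
  }
  if (perms.includes("scripting") && broadHost) {
    findings.push({ id: "scripting-broad", severity: "high",
      detail: "'scripting' plus broad host access: can inject arbitrary code into any tab at runtime" });
  }
  const netPerms = ["webRequest", "webRequestBlocking", "declarativeNetRequest",
                    "declarativeNetRequestWithHostAccess"];
  const net = perms.filter((p) => netPerms.includes(p));
  if (net.length) {
    findings.push({ id: "network-interception", severity: "medium",
      detail: `${net.join(", ")}: can observe, block or redirect requests such as RPC calls` });
  }
  if (perms.includes("cookies") && broadHost) {
    findings.push({ id: "cookie-access", severity: "medium",
      detail: "can read session cookies for every site" });
  }
  if (perms.includes("nativeMessaging")) {
    findings.push({ id: "native-messaging", severity: "medium",
      detail: "can talk to a native host binary outside the browser sandbox" });
  }
  return findings;
}

// Constructed sample manifests (not real extensions) so the block runs stand-alone.
// To audit a real install, parse <profile>/Extensions/<id>/<version>/manifest.json,
// e.g. auditManifest(JSON.parse(require("fs").readFileSync(file, "utf8"))).
const WALLET_LIKE = {
  manifest_version: 3, name: "Sample Wallet",
  permissions: ["storage", "alarms", "scripting"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inpage.js"], run_at: "document_start" }],
};
const MINIMAL = {
  manifest_version: 3, name: "Sample Notes",
  permissions: ["storage"],
  host_permissions: ["https://notes.example/*"],
};

for (const m of [WALLET_LIKE, MINIMAL]) {
  console.log(m.name, auditManifest(m));
}
```

A legitimate extension wallet will trip the first three checks, because injecting a provider into every page is how it works. That is the point: the audit does not prove an extension is malicious, it tells you which installed extensions already hold the permissions a hostile update would inherit, and therefore which ones deserve a dedicated browser profile and a pinned, verified version.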

The December Trust Wallet incident shows how punishing that setup can be even when users follow every standard rule. Attackers slipped malicious code into version 2.68 of the Trust Wallet Chrome extension, which then exfiltrated mnemonics to a fake analytics endpoint, according to a SlowMist forensic report on the breach and a detailed write-up from The Hacker News. Blockchain security firms SlowMist and PeckShield tracked roughly $7 million drained across Bitcoin, Ethereum, Solana and EVM tokens. In their incident reporting, the backdoored build iterated through stored wallets, decrypted the seeds with the user’s passphrase, and pushed them to api.metrics-trustwallet[.]com.

“The attacker directly tampered with the application’s own code, then leveraged the legitimate PostHog analytics library as the data‑exfiltration channel, redirecting analytic traffic to an attacker‑controlled server,” SlowMist wrote.

Trust Wallet acknowledged “a security incident affecting Trust Wallet Browser Extension version 2.68 only” on X and urged users to disable it and upgrade to 2.69 via the official Chrome Web Store listing. Binance founder Changpeng Zhao later confirmed that the impact stood at around $7 million and pledged that Trust Wallet would cover user losses, as reported by Forbes. Trust Wallet Token (TWT) briefly slid from roughly $0.82 to $0.76 in the hours after the hack but recovered around the $0.82 area, according to market coverage from Coinspeaker and Bitget, while live data shows TWT trading near $0.85, up about 2% on the day.

This incident did not involve a flaw in Chrome itself. The malicious code arrived through the wallet’s own release and auto-update path, as a version the browser installed automatically. That nuance matters: users who never typed a seed phrase into a phishing site, never clicked a fake link, and kept their software current still watched their wallets empty, because the trusted extension itself turned hostile.

Malicious add-ons are no longer an edge case

The Trust Wallet backdoor landed on top of an already toxic extension market. In an official advisory as early as 2023, Kaspersky warned that it had seen a two-fold rise in malicious browser extensions designed to perform web-inject attacks and steal cryptocurrency, describing how such add-ons alter form fields and trick users into entering seeds or card data that legitimate sites never requested.

In July, Koi Security researchers uncovered more than 40 malicious Firefox extensions impersonating Coinbase, MetaMask, Trust Wallet, Phantom, Exodus and other wallets in Mozilla’s official store. The campaign cloned open-source wallet code, injected key-stealing logic, inflated review counts, and exfiltrated seeds and wallet keys to attacker servers, according to Koi’s findings reported by The Hacker News. These add-ons lived inside users’ browsers and bypassed traditional phishing filters entirely.

Chrome and Edge users faced similar abuse. Koi Security also documented a long-running “ShadyPanda” operation in which attackers let more than 140 browser extensions behave normally for years before an update flipped them into infostealers. A December TechRadar investigation put the combined install base at around 4.3 million devices and detailed how later updates added cookie theft, search hijacking and remote code execution to previously benign extensions.

Info-stealer malware now targets the same browser layer from the OS side. MetaMask’s March security bulletin flagged StilachiRAT, a remote access trojan that hunts for as many as 20 different Chrome wallet extensions, including MetaMask and Coinbase Wallet, and scrapes stored credentials and private keys from their extension data directories. New malware-as-a-service families like SantaStealer, covered by TechRadar, pull browser histories, cookies, wallet data and desktop screenshots, then exfiltrate everything in compressed chunks.

Why “best practices” did not save $713M

The industry has spent years telling users to guard seed phrases, verify URLs, and move savings to hardware. CryptoSlate’s piece argues that this guidance now misses where many attacks actually fire. The attack chain increasingly sits above the key: in the browser, in the extension, or in the dApp code that renders the signing prompt.

On EVM chains, drainer kits lean on blind signing. Users see an opaque hex blob in their wallet UI, tap “Confirm,” and unknowingly grant unlimited token approvals to attacker contracts; under the hex, the call is an ordinary ERC-20 approve with the spender set to the attacker and the amount set to the largest value the field can hold. CryptoSlate notes that browser wallets optimize for speed here, not readability, and that “the user technically approves every step, yet has no idea what is being signed.” Once a malicious extension or poisoned dApp injects a draining transaction, the blockchain executes exactly as designed.
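What a readable prompt would have to show is the decoded calldata. The block below is an added example, not code from CryptoSlate or from any wallet: it decodes the four static-typed calls drainer kits rely on, with no ABI library, and turns them into plain-language warnings. The spender address, the amounts and the allowlist are constructed for the demo.

```javascript
// Added example (not code from the article, CryptoSlate, or any wallet): decode the
// calldata behind an EVM "Confirm" prompt and say in words what it grants.
// Pure JavaScript, no ABI library; handles the static-typed calls drainers lean on.
// Dynamic types (bytes, arrays, Permit2 structs) need a full ABI decoder.
const MAX_UINT256 = (1n << 256n) - 1n;

// First four bytes of keccak256 of each signature (standard ERC-20 / ERC-721 selectors).
const SELECTORS = {
  "0x095ea7b3": { name: "approve", args: ["address", "uint256"] },
  "0x39509351": { name: "increaseAllowance", args: ["address", "uint256"] },
  "0xa22cb465": { name: "setApprovalForAll", args: ["address", "bool"] },
  "0xa9059cbb": { name: "transfer", args: ["address", "uint256"] },
};

// Decode one 32-byte ABI word (64 hex chars) as the given static type.
function decodeWord(word, type) {
  switch (type) {
    case "address": return "0x" + word.slice(24);  // address is right-aligned in the word
    case "uint256": return BigInt("0x" + word);
    case "bool": return BigInt("0x" + word) !== 0n;
    default: throw new Error(`unsupported type ${type}`);
  }
}

function decodeCalldata(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  if (hex.length < 8 || hex.length % 2) throw new Error("malformed calldata");
  const selector = "0x" + hex.slice(0, 8);
  const sig = SELECTORS[selector];
  if (!sig) return { name: null, selector, args: [] };
  const body = hex.slice(8);
  if (body.length !== sig.args.length * 64) throw new Error(`${sig.name}: bad argument length`);
  const args = sig.args.map((t, i) => decodeWord(body.slice(i * 64, (i + 1) * 64), t));
  return { name: sig.name, selector, args };
}

// Turn the decoded call into the warnings a readable signing prompt would show.
function assess(data, trustedSpenders = []) {
  const call = decodeCalldata(data);
  const trusted = new Set(trustedSpenders.map((a) => a.toLowerCase()));
  const warnings = [];
  if (call.name === "approve" || call.name === "increaseAllowance") {
    const [spender, amount] = call.args;
    if (amount === MAX_UINT256) warnings.push("unlimited allowance");  // the drainer-kit default
    if (!trusted.has(spender)) warnings.push(`spender ${spender} not in allowlist`);
  } else if (call.name === "setApprovalForAll") {
    const [operator, approved] = call.args;
    if (approved) warnings.push("operator gains control of every token in the collection");
    if (!trusted.has(operator)) warnings.push(`operator ${operator} not in allowlist`);
  } else if (call.name === null) {
    warnings.push(`unknown selector ${call.selector}: do not blind-sign`);
  }
  return { call, warnings };
}

// Constructed sample calldata (the address and amounts are made up for the demo).
const word = (hexNoPrefix) => hexNoPrefix.padStart(64, "0");
const SPENDER = "0x1111111111111111111111111111111111111111";
const UNLIMITED_APPROVE = "0x095ea7b3" + word(SPENDER.slice(2)) + word(MAX_UINT256.toString(16));
const SMALL_APPROVE = "0x095ea7b3" + word(SPENDER.slice(2)) + word((10n ** 18n).toString(16));

for (const data of [UNLIMITED_APPROVE, SMALL_APPROVE]) {
  const { call, warnings } = assess(data, [SPENDER]);
  console.log(call.name, warnings.length ? warnings : "bounded approval to a vetted spender");
}
```

The decoder makes the blind-signing point concrete: a bounded approve of one token to a spender you have vetted produces no warning, while the drainer default, approve(attacker, 2^256-1), produces two. Calls with dynamic arguments (Permit2 batches, multicalls) need a full ABI decoder, and an unknown selector should be treated as a reason to stop, not to guess.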

Even hardware users do not fully escape when the browser layer breaks. Ledger’s own postmortem on the December 2023 Ledger Connect Kit exploit confirms that a phished NPM account let an attacker push a malicious version of the JavaScript library that many dApps used to talk to Ledger wallets. According to Ledger’s incident report, that code then tricked users into signing draining transactions through legitimate dApp front ends; the private keys never left the devices, but the devices signed what the poisoned page asked for.

The institutional read: browser risk is now a core variable

Chainalysis tracks at least 158,000 personal wallet compromise incidents affecting about 80,000 unique victims in 2025, nearly triple the 2022 case count, even as total value stolen from individuals fell from $1.5 billion in 2024 to $713 million this year. In the same report, its researchers attribute the shift partly to better defenses at centralized services and partly to easier mass exploitation of individuals through tools like drainer kits, malicious extensions, and info-stealers.

CryptoSlate’s synthesis layers onto that on-chain picture. It estimates that more than 20% of this year’s major exploits touched the browser, extension, or dApp integration layer rather than the base chain. The article also cites empirical comparisons showing incident rates below 5% for setups that combine hardware, air-gapped signing and transaction alerts, compared with more than 15% for pure software wallets.

For traders and builders, the message is blunt. Self-custody risk now hinges as much on Chrome and Firefox extension pipelines, JavaScript supply chains, and endpoint hygiene as it does on seed storage. The $713 million in personal wallet losses that Chainalysis attributes to 2025 thefts is not an education gap. It is the cost of running hot wallets inside a browser that treats a DeFi front end, a meme coin drainer kit, and a compromised “analytics” script as peers.

About the author

Amir Rocha

Crypto News Reporter

I’m Amir Rocha, a reporter who believes you shouldn't need a computer science degree to understand the future of money. I spend my days translating technical developments from Zero-Knowledge rollups into clear, actionable insights for SEC filings. After 8 years in the blockchain space, I’ve learned that the most important story isn't the price, but the technology underneath. I write to help you spot the difference between genuine innovation and a marketing gimmick.
