
TRUST WALLET ANNOUNCED THAT UNKNOWN HACKERS BREACHED ITS CHROME EXTENSION, DECRYPTING PASSWORDS, AND CYBERTHREAT ACTORS EXPLOITED A MONGODB VULNERABILITY TO EXTRACT SENSITIVE DATA

December 25-31, 2025 | Issue 50 - CICYBER Team

Nimaya Premachandra, Matan Lieberman, Victoria Kotey, Lucy Gibson, Agathe Labadi, CICYBER

Elena Alice Rossetti, Senior Editor

Personally Identifiable Information Breach[1]


Date: December 26, 2025

Location: San Francisco, California, US

Parties involved: Cryptocurrency platform Trust Wallet; cryptocurrency exchange platform Binance; human resources (HR); employees; employees working on the Chrome extension; developers; centralized cryptocurrency exchanges (CEXs); cryptocurrency wallet companies; unknown hackers; cyberthreat actors; insider attacker; sophisticated cybersecurity platforms; cybersecurity platform TRM Labs; cybersecurity platform Elliptic; states mandating the attack; Russia; China

The event: Trust Wallet announced that unknown hackers breached its version 2.68 Chrome Extension, decrypting wallet passwords and stealing seven million dollars.[2]

Analysis & Implications:

  • Trust Wallet will almost certainly investigate the possibility of an insider attacker contributing to the hack by providing technical support. Trust Wallet and Binance will very likely launch an internal investigation into employees who traveled to suspicious locations, such as Russia and China, in early December or who lost company devices in recent months, to uncover if employees provided technical information to cyberthreat actors. HR will very likely conduct more extensive background checks of employees working on the Chrome extension who are capable of injecting malicious code, very likely to discover if these employees might have affiliations with cyberthreat actors or states mandating the attack. For employees working on the Chrome extension, Trust Wallet will very likely implement further compartmentalized security barriers and pursue the principle of least privilege, very likely restricting which developers have access to proprietary source code.

  • The theft will very likely motivate cryptocurrency wallet companies to strengthen cross-platform collaboration to improve compromise detection. These companies will very likely improve automated, quick-reaction on-chain security mechanisms to respond to thefts, very likely increasing investment in machine learning (ML) tools to detect wallet-draining commands. To transmit information on potentially suspicious transactions, these companies will very likely enhance communication infrastructure with CEXs, such as developing a standardized alert system, likely improving asset tracing in the early stages of an attack. CEXs will likely implement strict personal identification mechanisms for crypto asset swaps, in coordination with sophisticated cybersecurity platforms, such as TRM Labs and Elliptic, to identify known malicious addresses and cyberthreat actors’ tags.


Date: December 28, 2025

Location: New York City, New York, US

Parties involved: cross-platform database software MongoDB; MongoDB users; occasional users; users and employees with access to vulnerable servers; organizations with extensive and heavily regulated software; finance and healthcare companies using MongoDB; small companies; companies not using IP scanning and Indicators of Compromise (IoC) tools; offshore tech companies catering to Google, Amazon Web Services (AWS), and Cisco; industry-standard data compression tools Zstandard and Snappy; cyberthreat actors; threat actors; attackers

The event: Cyberthreat actors are exploiting a MongoDB vulnerability on servers exposed to the public web to extract sensitive data.[3]

Analysis & Implications:

  • Threat actors will very likely continue to exploit the vulnerability in unpatched devices, as thousands of MongoDB users will very likely not install the recommended patch. Occasional users and small companies will almost certainly fall behind on cybersecurity best practices and likely remain unaware of the compromise. Threat actors will very likely maintain a presence in these MongoDB users’ networks, especially in companies not using IP scanning and IoC tools, very likely continuing to read plaintext passwords and perform privilege escalation. As public awareness of the patch increases, threat actors will very likely shift their focus to small companies that have access to high-value information, such as offshore tech companies catering to Google, AWS, and Cisco.

  • Organizations with extensive and heavily regulated software will very likely prefer sweeping, network-wide security measures to patching vulnerabilities to counter attackers. Finance and healthcare companies using MongoDB will likely adopt open-source scanning tools, such as the MongoBleed Detector, to identify vulnerable servers, likely updating and reinforcing firewall protection of vulnerable servers storing sensitive information or personal credentials. To protect personally identifiable information (PII) and network logs, such companies will very likely expand credential-rotating protocols, very likely requiring users and employees with access to vulnerable servers to continuously update their information. In the short term, such companies will likely experience difficulties updating servers and implementing patches, very likely opting to disable MongoDB’s zlib compression tool and pivot to industry-standard ones, such as Zstandard or Snappy.
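The stopgap described above, disabling zlib on the wire and keeping vulnerable servers off the public web, is a configuration change rather than a patch. The fragment below is an added illustration written for this brief; it is not taken from the cited reporting or from MongoDB’s own documentation. The keys `net.bindIp`, `net.port`, `net.compression.compressors` and `security.authorization` are standard `mongod.conf` settings; the internal address `10.0.0.5` is a placeholder, and the “weak” block shows a posture that matches the exposed servers described in the article.

```yaml
# mongod.conf (added illustration; not from the brief or from MongoDB)

# --- Weak posture: reachable from any interface, zlib negotiable ---
# net:
#   bindIp: 0.0.0.0
#   port: 27017
#   compression:
#     compressors: snappy,zstd,zlib

# --- Hardened stopgap until the vendor patch is applied ---
net:
  # Listen only on loopback and one internal application address
  # (10.0.0.5 is a placeholder); a host or network firewall should
  # still restrict TCP 27017 to known application hosts.
  bindIp: 127.0.0.1,10.0.0.5
  port: 27017
  compression:
    # Remove zlib from the list the server will negotiate. A client
    # that only offers zlib is not rejected; the session simply runs
    # uncompressed, so application traffic keeps working.
    compressors: snappy,zstd
    # To refuse wire compression altogether, use: compressors: disabled

security:
  # Require authentication so an exposed listener is not an open database.
  authorization: enabled
```

After restarting `mongod`, the negotiated compressors can be confirmed from `mongosh` with `db.serverStatus().network.compression`, which reports per-compressor byte counters; a zlib entry that stays at zero after the change confirms no client is still negotiating it. The page frames this as a short-term measure: it removes the component named in the reporting from the network path, but the patch remains the fix, and credential rotation still has to follow for any server that was reachable while vulnerable.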

[1] Internet Security, generated by a third-party image database (created by AI)

[2] Trust Wallet Chrome Extension Breach Caused $7 Million Crypto Loss via Malicious Code, The Hacker News, December 2025, https://thehackernews.com/2025/12/trust-wallet-chrome-extension-bug.html 

[3] Exploited MongoBleed flaw leaks MongoDB secrets, 87K servers exposed, Bleeping Computer, December 2025, https://www.bleepingcomputer.com/news/security/exploited-mongobleed-flaw-leaks-mongodb-secrets-87k-servers-exposed/
