Digital Heist Unveiled: Trust Wallet’s $8.5 Million Chrome Extension Breach
In a stark reminder of the persistent threats lurking within the digital landscape, Trust Wallet has disclosed a significant security breach impacting its Google Chrome extension. The incident, attributed to the second iteration of the sophisticated Shai-Hulud (also known as Sha1-Hulud) supply chain attack, resulted in the theft of approximately $8.5 million in cryptocurrency assets.
The Anatomy of a Sophisticated Supply Chain Attack
The attack, which unfolded in November 2025, hinged on a single point of failure: the exposure of Trust Wallet’s developer GitHub secrets. That exposure gave the attackers unauthorized access to the browser extension’s source code and, crucially, to the Chrome Web Store (CWS) API key. With full CWS API access, the threat actors bypassed Trust Wallet’s standard release process, which normally requires internal approval and manual review, and uploaded malicious builds directly.
The attackers then registered the domain “metrics-trustwallet[.]com” and deployed a trojanized version of the extension (version 2.68) containing a backdoor. The malware was designed to harvest users’ wallet mnemonic phrases and transmit them to the subdomain “api.metrics-trustwallet[.]com.”
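As an added example (not Trust Wallet’s code and not part of the original disclosure), the Python script below shows how a defender could hunt an unpacked copy of a Chrome extension for the two indicators the disclosure names: the trojanized version string 2.68 and the metrics-trustwallet domain. The directory layout and the sample files the demo writes are constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

# Indicators taken from the disclosure described above.
KNOWN_BAD_VERSIONS = {"2.68"}
DOMAIN_RE = re.compile(r"metrics-trustwallet\.com", re.IGNORECASE)


def scan_extension(ext_dir):
    """Return (indicator, detail) findings for one unpacked extension directory."""
    ext_dir = Path(ext_dir)
    findings = []
    manifest_path = ext_dir / "manifest.json"
    if manifest_path.is_file():
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        version = str(manifest.get("version", ""))
        if version in KNOWN_BAD_VERSIONS:
            findings.append(("bad_version", version))
        # A wallet extension has no legitimate reason to request this host.
        perms = manifest.get("host_permissions", []) + manifest.get("permissions", [])
        for perm in perms:
            if DOMAIN_RE.search(str(perm)):
                findings.append(("manifest_permission", perm))
    # Grep every script, page and bundle for the exfiltration domain, with line numbers.
    for path in sorted(ext_dir.rglob("*")):
        if path.suffix.lower() not in {".js", ".html", ".json"} or path.name == "manifest.json":
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        for match in DOMAIN_RE.finditer(text):
            line_no = text.count("\n", 0, match.start()) + 1
            findings.append(("exfil_domain", f"{path.relative_to(ext_dir)}:{line_no}"))
    return findings


def demo():
    """Build a constructed sample directory (not the real malicious build) and scan it."""
    root = Path(tempfile.mkdtemp()) / "sample_ext"
    root.mkdir()
    (root / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "Sample Wallet", "version": "2.68",
        "host_permissions": ["https://api.metrics-trustwallet.com/*"]}), encoding="utf-8")
    (root / "background.js").write_text(
        "// constructed sample file for the scanner demo\n"
        "const ENDPOINT = 'https://api.metrics-trustwallet.com/collect';\n", encoding="utf-8")
    return scan_extension(root)


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"{kind}: {detail}")
```

Point `scan_extension` at a real unpacked extension directory (for Chrome on Linux, under the profile’s `Extensions/<id>/<version>/` folder) to check installed copies; any `bad_version` or `exfil_domain` finding warrants treating the wallet’s seed phrase as compromised.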
The Timeline of Compromise and Financial Fallout
The malicious update was pushed to the Chrome Web Store on December 24, 2025, and the first wallet-draining activity was publicly reported within days. Approximately $8.5 million in cryptocurrency was siphoned from 2,520 distinct wallet addresses and ultimately consolidated into no fewer than 17 wallet addresses under the attackers’ control. Trust Wallet promptly urged its approximately one million Chrome extension users to update to a secure version (2.69) to mitigate further risk.
Trust Wallet’s Response and Future Safeguards
In the wake of the breach, Trust Wallet has initiated a comprehensive reimbursement claim process for all affected victims. The company emphasizes that reviews are ongoing and handled meticulously on a case-by-case basis. This careful approach is necessary to accurately distinguish legitimate victims from potential bad actors and to safeguard against fraudulent claims, which may lead to varying processing times for each case.
To bolster its defenses and prevent future occurrences, Trust Wallet has implemented enhanced monitoring capabilities and stringent controls within its release processes. These measures aim to fortify the integrity of their software delivery pipeline.
Shai-Hulud: A Broader Threat to Digital Ecosystems
This incident underscores the pervasive danger of supply chain attacks like Shai-Hulud. Trust Wallet confirmed that “Sha1-Hulud was an industry-wide software supply chain attack that affected companies across multiple sectors, including but not limited to crypto.” These attacks introduce malicious code through commonly used developer tooling, enabling attackers to gain access via trusted software dependencies rather than by directly targeting individual organizations.
The disclosure also coincides with the emergence of Shai-Hulud 3.0, a more refined iteration featuring increased obfuscation and reliability improvements. Upwind researchers Guy Gilad and Moshe Hassan note that while it doesn’t introduce novel exploitation techniques, its focus on string obfuscation, error handling, and Windows compatibility is designed to enhance campaign longevity and continue its mission of stealing secrets from developer machines. This evolving threat highlights the critical need for robust cybersecurity practices across all industries.