Close Menu

Trust Wallet Chrome Extension Hack: $8.5M Stolen in Supply Chain Breach

Staff WriterBy No Comments2 Mins Read0 Views

Top Highlights

  1. Incident Overview: Trust Wallet announced that a security breach tied to the Shai-Hulud supply chain attack led to the theft of $8.5 million in cryptocurrency assets via a compromised Google Chrome extension.

  2. Attack Methodology: The attacker exploited exposed GitHub secrets to gain full access to the Chrome Web Store API, allowing a malicious extension update that harvested users’ wallet information.

  3. User Impact: Approximately 2,520 wallet addresses were affected, prompting Trust Wallet to implement a reimbursement process for victims while enhancing monitoring controls to prevent future breaches.

  4. Industry Implications: The Shai-Hulud attack, affecting multiple sectors, highlights the danger of supply chain vulnerabilities, as attackers utilized trusted software dependencies to infiltrate systems.

Trust Wallet Explains the $8.5 Million Hack

Trust Wallet confirmed that a recent hack drained approximately $8.5 million from its Google Chrome extension. The company attributes this breach to the second series of a supply chain attack known as Shai-Hulud. In November 2025, attackers exposed developer secrets on GitHub, granting unauthorized access to the extension’s source code. They exploited this vulnerability to obtain the Chrome Web Store API key, bypassing Trust Wallet’s usual release procedures.

Subsequently, the attackers created a malicious domain, “metrics-trustwallet[.]com,” and pushed out a trojanized version of the extension. This fake update included a backdoor that harvested users’ wallet mnemonic phrases. Trust Wallet had urged around one million users to update to version 2.69 shortly after the malicious update appeared. Unfortunately, by then, over 2,520 wallets had already been compromised.

Response and Future Safeguards

In response to the attack, Trust Wallet has initiated a reimbursement claim process for those affected. The company emphasizes its commitment to reviewing claims on a case-by-case basis to distinguish between genuine victims and malicious actors. It acknowledges that reimbursement processing times may vary as the team conducts thorough reviews.

To bolster security, Trust Wallet has implemented enhanced monitoring and control measures for its release processes. The Shai-Hulud attack serves as a stark reminder of vulnerabilities that can exist in trusted software dependencies. As the technology landscape evolves, so do the methods employed by cybercriminals. Trust Wallet aims to stay ahead of these threats, focusing on robust security to protect user assets in the future.

Continue Your Tech Journey

Explore the future of technology with our detailed insights on Artificial Intelligence.

Discover archived knowledge and digital history on the Internet Archive.

DataProtection-V1

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Comments are closed.