Trust Wallet is investigating a significant security breach impacting its Google Chrome extension, in which a sophisticated supply chain attack resulted in the theft of approximately $8.5 million in cryptocurrency assets. The hack, linked to the second iteration of the Shai-Hulud malware campaign in November 2025, compromised the company’s developer GitHub secrets, granting attackers unauthorized access to critical source code and the Chrome Web Store API key.
This breach allowed threat actors to bypass Trust Wallet’s standard release protocols, enabling them to upload a malicious version of the extension directly to the Chrome Web Store. The compromised extension, version 2.68, was pushed on December 24, 2025, prompting Trust Wallet to urge nearly one million users to update to version 2.69. The attack ultimately led to the draining of funds from 2,520 wallet addresses, with assets transferred to at least 17 attacker-controlled wallets.
Trust Wallet Investigates Shai-Hulud Supply Chain Attack
In a post-mortem analysis released on Tuesday, Trust Wallet detailed how the compromise of its developer GitHub secrets was central to the attack. This exposure provided the attackers with the necessary credentials to access the company’s browser extension source code and, crucially, the Chrome Web Store (CWS) API key. With full CWS API access, the threat actors could circumvent Trust Wallet’s internal approval and manual review processes for new releases, uploading their trojanized version undetected.
Following the unauthorized access, the attackers reportedly registered a domain, “metrics-trustwallet[.]com,” and sub-domain “api.metrics-trustwallet[.]com.” It was through this compromised infrastructure that they distributed a trojanized version of the Trust Wallet Chrome extension. This malicious iteration contained a backdoor designed to harvest users’ wallet mnemonic phrases, the sensitive recovery keys that grant full control over cryptocurrency holdings.
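The domain and subdomain named above can be searched for in proxy or DNS logs. The following is an added example, not part of the original article or Trust Wallet's post-mortem; the log layout, sample lines and function names are constructed for illustration.

```python
import re

# Indicator from the article, kept defanged in source and refanged at runtime.
IOC_DOMAIN = "metrics-trustwallet[.]com".replace("[.]", ".")

def refang(host: str) -> str:
    """Normalise a hostname: undo [.] defanging, lowercase, drop port and trailing dot."""
    host = host.strip().lower().replace("[.]", ".")
    host = host.split(":", 1)[0]
    return host.rstrip(".")

def matches_ioc(host: str, ioc: str = IOC_DOMAIN) -> bool:
    """True for the domain itself or any subdomain, compared label by label.

    Label comparison avoids false hits on look-alikes such as
    'notmetrics-trustwallet.com' or 'metrics-trustwallet.com.cdn.example'.
    """
    labels = refang(host).split(".")
    ioc_labels = ioc.split(".")
    return len(labels) >= len(ioc_labels) and labels[-len(ioc_labels):] == ioc_labels

def hosts_in_line(line: str):
    """Pull hostname-like tokens (optionally defanged, with port) out of a log line."""
    return re.findall(r"(?:[a-z0-9-]+(?:\[\.\]|\.))+[a-z]{2,}\.?(?::\d+)?", line, re.I)

def scan(lines):
    """Return (line_number, host) for every log line that references the indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in hosts_in_line(line):
            if matches_ioc(host):
                hits.append((n, refang(host)))
    return hits

# Constructed sample proxy/DNS log lines (not taken from the incident).
SAMPLE_LOG = [
    "2025-12-25T09:14:02Z 10.0.0.5 CONNECT api.metrics-trustwallet.com:443 200",
    "2025-12-25T09:14:07Z 10.0.0.5 GET https://trustwallet.com/ 200",
    "2025-12-25T09:15:11Z 10.0.0.9 query A METRICS-TrustWallet.com.",
    "2025-12-25T09:16:40Z 10.0.0.9 GET http://notmetrics-trustwallet.com/ 404",
    "2025-12-25T09:17:03Z 10.0.0.7 GET http://metrics-trustwallet.com.cdn.example/ 200",
]

if __name__ == "__main__":
    for n, host in scan(SAMPLE_LOG):
        print(f"line {n}: {host}")
```

Only lines 1 and 3 of the sample are flagged; the legitimate trustwallet.com request and the two look-alike hostnames are not.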
Impact and User Advisory
The security incident came to light days after Trust Wallet issued an urgent advisory, recommending that all users of its Chrome extension upgrade to version 2.69. The prior version, 2.68, known to be malicious, was distributed by unknown threat actors to the browser’s extension marketplace on December 24, 2025. The subsequent financial losses, totaling $8.5 million, were publicly reported the day after the malicious update’s activation.
Trust Wallet has since initiated a reimbursement process for affected users. The company stated that claims are being reviewed on a case-by-case basis, with processing times varying due to the need to differentiate between genuine victims and potential fraudulent actors. This meticulous approach aims to prevent further fraud while ensuring legitimate losses are addressed.
Preventative Measures and Industry Context
In response to the breach, Trust Wallet has implemented enhanced monitoring capabilities and strengthened controls within its software release procedures. The company emphasized that the Shai-Hulud campaign represents a broader, industry-wide threat, having impacted companies across various sectors, not exclusively the cryptocurrency space.
The Shai-Hulud attack is characterized by the introduction of malicious code into commonly used developer tools. This strategy allows attackers to leverage trusted software dependencies as an entry point, bypassing direct organizational defenses. Researchers have noted the emergence of Shai-Hulud 3.0, boasting improved obfuscation and reliability, while maintaining its focus on exfiltrating secrets from developer environments.
The continued evolution of sophisticated malware like Shai-Hulud highlights the persistent challenges in software supply chain security. As threat actors refine their techniques, organizations must remain vigilant in reinforcing their development pipelines and security protocols to safeguard against advanced cyber threats.

