Trust Wallet Chrome Extension Hack Drains $8.5M in Shai-Hulud Supply Chain Attack
- Dec 31, 2025
Key Findings
The second iteration of the Shai-Hulud (aka Sha1-Hulud) supply chain attack in November 2025 was likely responsible for the hack of Trust Wallet's Google Chrome extension.
The attack resulted in the theft of approximately $8.5 million in cryptocurrency assets from 2,520 wallet addresses.
The attacker obtained full access to the Chrome Web Store (CWS) API key, allowing them to upload a trojanized version of the extension with a backdoor capable of harvesting users' wallet mnemonic phrases.
The malicious update (version 2.68) was pushed to the browser's extension marketplace on December 24, 2025, and the first wallet-draining activity was publicly reported a day later.
Trust Wallet has initiated a reimbursement claim process for impacted victims and implemented additional monitoring and controls to prevent such breaches in the future.
Background
The Shai-Hulud supply chain attack was an industry-wide incident that affected companies across multiple sectors, including the cryptocurrency industry. It introduced malicious code through commonly used developer tooling, giving attackers access through trusted software dependencies rather than through direct attacks on individual organizations.
Attacker Tactics
The attackers leveraged the Shai-Hulud supply chain attack to gain access to Trust Wallet's GitHub secrets, including the Chrome Web Store API key.
Using the API key, the attackers were able to bypass Trust Wallet's standard release process and push a trojanized version of the extension (version 2.68) to the Chrome Web Store.
The backdoored extension was designed to harvest users' wallet mnemonic phrases, which were then used to drain the targeted wallets.
The attackers registered the domain "metrics-trustwallet[.]com" and hosted the malicious infrastructure on the subdomain "api.metrics-trustwallet[.]com".
Impact and Response
The attack resulted in the theft of approximately $8.5 million in cryptocurrency assets from 2,520 wallet addresses.
Trust Wallet has initiated a reimbursement claim process for impacted victims and is handling the claims on a case-by-case basis.
To prevent such breaches in the future, Trust Wallet has implemented additional monitoring and controls related to its release processes.
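One form that release monitoring can take, shown as an added example (not Trust Wallet's code and not from the cited reports): download the package the store is actually serving and compare it with a ledger written by the sanctioned release pipeline, then list every host the code references. Only version 2.68 comes from this page; the function names, the ledger format, version 2.67, and the `.example` hosts are constructed assumptions.

```python
import hashlib
import json
import re

HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

def bundle_digest(files):
    """SHA-256 over sorted (path, content) pairs, length-prefixed to avoid ambiguity."""
    h = hashlib.sha256()
    for path in sorted(files):
        name, data = path.encode(), files[path]
        h.update(len(name).to_bytes(4, "big") + name)
        h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()

def host_allowed(host, allowed):
    # Exact match or true subdomain only; a bare suffix test would accept
    # look-alikes such as "metrics-wallet.example" for "wallet.example".
    return any(host == a or host.endswith("." + a) for a in allowed)

def audit_published(files, ledger, allowed):
    """Audit the package fetched from the store against the release ledger."""
    findings = []
    version = json.loads(files["manifest.json"])["version"]
    expected = ledger.get(version)
    if expected is None:
        findings.append(("unapproved-version", version))
    elif expected != bundle_digest(files):
        findings.append(("content-mismatch", version))
    for path in sorted(files):
        text = files[path].decode("utf-8", "replace").lower()
        for host in HOST_RE.findall(text):
            if not host_allowed(host, allowed):
                findings.append(("unexpected-host", f"{path}: {host}"))
    return findings

# Constructed sample data (not real Trust Wallet code, hosts, or hashes).
APPROVED = {
    "manifest.json": b'{"name": "demo-wallet", "version": "2.67"}',
    "background.js": b'fetch("https://api.wallet.example/v1/rates");',
}
PUBLISHED = {
    "manifest.json": b'{"name": "demo-wallet", "version": "2.68"}',
    "background.js": b'fetch("https://api.metrics-wallet.example/collect");',
}
LEDGER = {"2.67": bundle_digest(APPROVED)}  # written by the release pipeline
ALLOWED_HOSTS = {"wallet.example"}

if __name__ == "__main__":
    print(audit_published(PUBLISHED, LEDGER, ALLOWED_HOSTS))
```

The ledger comparison is the primary control here; the host scan only sees URLs that appear as plain strings, so it will miss endpoints that are obfuscated or assembled at runtime.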
Ongoing Threat
The Shai-Hulud supply chain attack has evolved, with the emergence of Shai-Hulud 3.0, which features increased obfuscation and reliability improvements.
The primary focus of Shai-Hulud 3.0 remains on stealing secrets from developer machines, with a strong emphasis on string obfuscation, error handling, and Windows compatibility.
The industry-wide impact of the Shai-Hulud supply chain attack underscores the need for heightened security measures and vigilance in the software supply chain.
Sources
https://thehackernews.com/2025/12/trust-wallet-chrome-extension-hack.html
https://securityonline.info/the-christmas-heist-how-shai-hulud-hijacked-trust-wallet-for-an-8-5m-score/

