Trust Wallet Breach Linked to Shai-Hulud Supply Chain Attack, $8.5M Lost
A devastating breach of the Trust Wallet Chrome extension, likely stemming from the Shai-Hulud supply chain attack, has resulted in the theft of approximately $8.5 million. Trust Wallet confirmed Tuesday that the November 2022 incident, traced back to the second iteration of the Shai-Hulud malware (also known as Sha1-Hulud), is the prime suspect in the attack.
In a post-mortem released this week, Trust Wallet revealed that a supply chain attack, traced back to the infamous Shai-Hulud outbreak, was the culprit behind the December 2025 hack of its Google Chrome extension. The breach resulted in a staggering $8.5 million loss for users.
So, what went wrong? According to Trust Wallet, the attacker managed to snag their Developer GitHub secrets. This essentially handed them the keys to the kingdom, granting access to the browser extension's source code and, crucially, the Chrome Web Store (CWS) API key.
"Our Developer GitHub secrets were exposed in the attack, which gave the attacker access to our browser extension source code and the Chrome Web Store (CWS) API key," Trust Wallet explained in their Tuesday statement. "The attacker obtained full CWS API access via the leaked key, allowing builds to be uploaded directly without Trust Wallet's standard release process, which requires internal approval/manual review."
Essentially, the attacker bypassed Trust Wallet's security protocols.
How the Attack Unfolded
Here's the breakdown: the attacker registered a domain, "metrics-trustwallet[.]com," and used it to host a malicious version of the extension. This trojanized version contained a backdoor designed to steal users' wallet mnemonic phrases – the keys to their crypto kingdom. This data was then funneled to the subdomain "api.metrics-trustwallet[.]com."
This disclosure follows Trust Wallet's earlier urgent call for its million-plus Chrome extension users to update to version 2.69. This was a direct response to the malicious update (version 2.68) that had been slipped into the Chrome Web Store on December 24, 2025.
The attack impacted 2,520 wallet addresses, resulting in the theft of $8.5 million in crypto assets. These funds were then moved to at least 17 wallets controlled by the perpetrator. The first reports of wallet draining surfaced just a day after the malicious update went live.
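A defender-side hunt for the exfiltration domain named above, as an added example that is not from Trust Wallet or the original article: it scans resolver logs for lookups of the domain or any of its subdomains and rejects lookalike names. The log format, client addresses and timestamps are constructed for illustration.

```python
import re

# Indicator as printed in the article (kept defanged, refanged at load time).
IOC_DOMAIN_DEFANGED = "metrics-trustwallet[.]com"

# Assumed (hypothetical) resolver log layout: "<ts> client=<ip> query=<name> ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<query>\S+)")

def normalize(host):
    """Lowercase, refang '[.]', and drop the trailing root dot."""
    return host.strip().lower().replace("[.]", ".").rstrip(".")

IOC_DOMAIN = normalize(IOC_DOMAIN_DEFANGED)

def is_ioc(host):
    """Match the IoC domain and its subdomains on a label boundary only."""
    h = normalize(host)
    return h == IOC_DOMAIN or h.endswith("." + IOC_DOMAIN)

def hunt(log_lines):
    """Return {client: [(timestamp, queried name), ...]} for IoC lookups."""
    hits = {}
    for line in log_lines:
        m = LINE_RE.match(line)
        if m and is_ioc(m["query"]):
            hits.setdefault(m["client"], []).append((m["ts"], normalize(m["query"])))
    return hits

# Constructed sample log: two real hits, one benign lookup, two lookalikes.
SAMPLE_LOG = [
    "2025-12-25T09:14:02Z client=10.0.4.17 query=api.metrics-trustwallet.com. type=A",
    "2025-12-25T09:14:05Z client=10.0.4.22 query=trustwallet.com type=A",
    "2025-12-25T09:15:40Z client=10.0.4.31 query=API.Metrics-TrustWallet.com type=AAAA",
    "2025-12-25T09:16:11Z client=10.0.4.40 query=metrics-trustwallet.com.example.net type=A",
    "2025-12-25T09:17:00Z client=10.0.4.41 query=notmetrics-trustwallet.com type=A",
]

if __name__ == "__main__":
    for client, events in hunt(SAMPLE_LOG).items():
        print(client, events)
```

Clients returned by `hunt` are candidates for checking whether the extension version the article names as malicious (2.68) was installed.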
Trust Wallet Responds: Reimbursements and New Security Measures
Trust Wallet has initiated a reimbursement process for affected users, reviewing claims on a case-by-case basis. They've cautioned that processing times may vary due to the need to distinguish genuine victims from potential fraudsters.
To prevent future incidents, Trust Wallet has implemented enhanced monitoring and controls around its release processes.
The Bigger Picture: Shai-Hulud and Supply Chain Risks
"Sha1-Hulud was an industry-wide software supply chain attack that affected companies across multiple sectors, including but not limited to crypto," Trust Wallet stated. "It involved malicious code being introduced and distributed through commonly-used developer tooling. This allowed attackers to gain access through trusted software dependencies rather than directly targeting individual organizations."
This incident highlights the growing threat of supply chain attacks, where vulnerabilities in commonly used tools and dependencies can be exploited to target numerous organizations simultaneously.
Adding to the concern, security researchers have recently identified a new iteration, Shai-Hulud 3.0, sporting increased obfuscation and improved reliability while maintaining its focus on stealing secrets from developer machines.
"The primary difference lies in string obfuscation, error handling, and Windows compatibility, all aimed at increasing campaign longevity rather than introducing novel exploitation techniques," Upwind researchers Guy Gilad and Moshe Hassan said.