Trust Wallet confirms second Shai-Hulud supply-chain attack, $8.5M in crypto stolen
Summary: Trust Wallet suffered a second Shai-Hulud supply-chain attack, with about $8.5 million in cryptocurrency stolen. The attacker used a leaked Chrome Web Store API key to publish a malicious browser extension that harvested users' sensitive wallet data. The company has rolled back to a safe version and pledged to reimburse affected users.

2026-1-1 16:16:23 Author: securityaffairs.com (view original)


Trust Wallet says a second Shai-Hulud supply-chain attack likely compromised its Chrome extension, leading to the theft of about $8.5M in crypto.

Trust Wallet linked a second Shai-Hulud supply-chain attack to its Chrome extension hack, which resulted in the theft of about $8.5 million in crypto assets.

The investigation reveals that the attacker independently built and published a malicious Trust Wallet extension (v2.68) using a leaked Chrome Web Store API key, likely obtained in the November Sha1-Hulud supply-chain incident, which enabled the theft of sensitive wallet data.

Following the November 2025 Sha1-Hulud supply-chain attack, Trust Wallet’s developer GitHub secrets were exposed, granting attackers access to the browser extension source code and the Chrome Web Store (CWS) API key. This allowed them to bypass internal release controls and upload builds directly. In December, the attacker registered a malicious domain, prepared a tampered extension using the stolen source code, and published version 2.68 via the leaked CWS key, which was auto-released after store review.

“The attacker registered domain metrics-trustwallet.com (and sub-domain api.metrics-trustwallet.com) with the intention of hosting malicious code and embedding a reference to that code in their malicious deployment of the Trust Wallet Browser Extension,” reads the report published by Trust Wallet.

“The attacker externally prepared and uploaded a tampered version of the browser extension, using the codebase of an earlier version that they had accessed through exposed developer GitHub secrets. This included the reference to the malicious code hosted on the attacker’s web domain, designed to collect users’ sensitive wallet data. This was achieved without a traditional code injection, as the attacker had direct access to the extension’s source code.”

On December 25, wallet-draining activity was reported, prompting alerts, tracking of attacker wallets, DDoS mitigation by white hats, rollback to a clean version, user warnings, and a reimbursement process.

“On December 25th, the first wallet-draining activity was publicly reported. 0xAkinator and ZachXBT flagged the issues and actively identified and tracked the attacker’s wallet addresses, while partner Hashdit and internal systems notified us with multiple suspicious alerts,” continues the report. “We rolled back to verified clean version 2.67, released as 2.69, and published urgent instructions to upgrade to the latest version to mitigate further losses. Trust Wallet has since strengthened security controls while investigations continue.”

Cybersecurity firm Koi revealed that malicious code embedded in Trust Wallet extension v2.68 activates on every unlock, not only during seed phrase import. This allowed attackers to exfiltrate sensitive data regardless of whether users authenticated via password or biometrics, and even if the wallet was opened only once after the update.

The code iterated through all wallets in an account, compromising every configured wallet. Seed phrases were covertly embedded in an “errorMessage” field disguised as routine unlock telemetry, making the activity hard to spot in casual reviews. Data was sent to metrics-trustwallet[.]com, resolving to an IP hosted by Stark Industries Solutions, a bulletproof hosting provider with links to Russian cyber operations.
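The detection pattern Koi describes (a seed phrase hidden in an "errorMessage" field of otherwise routine unlock telemetry, posted to a lookalike domain) lends itself to a simple egress check. The following script is an added example, not code from Trust Wallet, Koi or Security Affairs; it scans captured outbound requests for two signals: a destination host outside an allowlist, and any string anywhere in the JSON body shaped like a BIP39 mnemonic (12, 15, 18, 21 or 24 lowercase words of 3 to 8 letters). The allowlist and the sample requests are constructed, and the 12-word phrase in the sample is a placeholder, not a real seed.

```python
"""Scan captured extension telemetry for seed-phrase exfiltration.

Added example, not Trust Wallet's or Koi's code. It models the pattern
described in the incident reports: a mnemonic smuggled inside an
"errorMessage" field of routine-looking unlock telemetry, sent to a
lookalike domain. The allowlist and sample requests are constructed.
"""
import json
import re
from urllib.parse import urlparse

# Hosts the wallet is legitimately allowed to talk to (constructed allowlist).
ALLOWED_HOSTS = {"trustwallet.com"}

# BIP39 mnemonics have 12, 15, 18, 21 or 24 words, each 3-8 lowercase letters.
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}
WORD_RE = re.compile(r"^[a-z]{3,8}$")


def host_allowed(url: str, allowed=ALLOWED_HOSTS) -> bool:
    """True only if the host is an allowed domain or a real subdomain of one.

    A substring test ('trustwallet.com' in host) would accept
    metrics-trustwallet.com; matching on label boundaries rejects it.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def looks_like_mnemonic(text: str) -> bool:
    """Heuristic: right word count and every token is a plausible BIP39 word."""
    words = text.strip().split()
    return len(words) in MNEMONIC_LENGTHS and all(WORD_RE.match(w) for w in words)


def walk_strings(obj, path="$"):
    """Yield (json_path, string) for every string nested anywhere in a JSON value."""
    if isinstance(obj, str):
        yield path, obj
    elif isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk_strings(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from walk_strings(value, f"{path}[{index}]")


def scan_request(url: str, body: str) -> list[str]:
    """Return the findings for one captured outbound request (empty means clean)."""
    findings = []
    if not host_allowed(url):
        findings.append(f"destination not allowlisted: {urlparse(url).hostname}")
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return findings + ["body is not JSON; inspect manually"]
    for path, text in walk_strings(payload):
        if looks_like_mnemonic(text):
            findings.append(f"mnemonic-shaped string at {path}")
    return findings


# Constructed sample traffic. The second request mimics the reported pattern:
# a 12-word phrase hidden in "errorMessage" beside benign unlock fields.
# The phrase is a placeholder, not any wallet's real seed.
SAMPLE_REQUESTS = [
    ("https://api.trustwallet.com/v1/telemetry",
     json.dumps({"event": "unlock", "method": "biometric", "errorMessage": ""})),
    ("https://api.metrics-trustwallet.com/collect",
     json.dumps({"event": "unlock", "method": "password",
                 "errorMessage": "apple banana cherry delta eagle falcon "
                                 "grape hotel igloo jungle kiwi lemon"})),
]


def scan_all(requests=SAMPLE_REQUESTS) -> dict[str, list[str]]:
    """Scan every captured request and map its URL to the findings."""
    return {url: scan_request(url, body) for url, body in requests}


if __name__ == "__main__":
    for url, findings in scan_all().items():
        print(url, "->", findings or ["clean"])
```

The two checks are independent on purpose: the hidden mnemonic would still be flagged if the attacker had used a legitimate-looking path on an allowed host, and the lookalike host would still be flagged if the payload were encoded rather than sent as plain words.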

“The exfiltration domain metrics-trustwallet.com resolved to IP address 138.124.70.40, running nginx/1.24.0 on Ubuntu. The IP is hosted on Stark Industries Solutions (AS44477), a bulletproof hosting provider based in Ukraine that has previously been associated with cybercriminal infrastructure,” reads the report published by cybersecurity firm Koi. “Port 5000 on the same server exposes a Synology DiskStation (DSM 6.2) login page – suggesting the attacker is using a NAS device, either their own or compromised, as exfiltration infrastructure.”

Direct server queries returned a Dune quote, echoing references seen in the Shai-Hulud npm incident.

After confirming the incident, the Trust Wallet team rolled back the compromised TW Browser Extension and released a clean version 2.69, disabled publishing access and the exposed API credentials, and restricted deployments. They coordinated with blockchain analytics partners to track stolen funds, prioritized a silent secure update before public disclosure, issued guidance, and committed to reimbursing affected users. Users who ran v2.68 (Dec 24–26, 2025) were warned to move their funds. A verification tool will ship in v2.70. Trust Wallet acknowledged the likely supply-chain nature of the attack and pledged ongoing updates.

“To protect users from confusion or unsafe behaviors, we prioritized replacing the vulnerable browser extension with a safe version before making a public announcement, so affected users could update securely while minimizing their potential exposure to the hack and lost funds. Once the secure version v2.69 was available, we promptly issued guidance and warnings around the incident,” concludes the report. “And soon after, we decided to reimburse the affected users and began planning the reimbursement process for affected users.”


Pierluigi Paganini

(SecurityAffairs – hacking, malware)
Source: https://securityaffairs.com/186398/hacking/trust-wallet-confirms-second-shai-hulud-supply-chain-attack-8-5m-in-crypto-stolen.html