Trust Wallet Chrome Extension Compromised in Supply Chain Hack
Trust Wallet has confirmed that its Chrome browser extension was compromised after attackers injected malicious code through a third-party dependency, exposing users to potential cryptocurrency theft and prompting the company to remove the extension from the Chrome Web Store.
The incident came to light after cybersecurity researchers identified suspicious behavior linked to the Trust Wallet Chrome extension, which is used to manage digital assets directly through the browser.
Trust Wallet announced on Tuesday that the Shai-Hulud (also known as Sha1-Hulud) supply chain outbreak of November 2025 likely led to the compromise of its Google Chrome extension, which ultimately resulted in the loss of around $8.5 million in assets. According to Trust Wallet, the “malicious update” had been distributed through a compromised library, allowing attackers to interfere with wallet operations without directly breaching Trust Wallet’s core infrastructure.
According to the company, the attack did not originate from its internal systems but instead exploited the software supply chain by targeting a dependency relied upon by the extension. Once the malicious code was introduced, it enabled unauthorized transaction manipulation and potential wallet draining for affected users. Trust Wallet said it immediately disabled the extension and advised users to uninstall it as a precaution.
“Our Developer GitHub secrets were exposed in the attack, which gave the attacker access to our browser extension source code and the Chrome Web Store (CWS) API key,” the company said in a post-mortem published Tuesday. “The attacker obtained full CWS API access via the leaked key, allowing builds to be uploaded directly without Trust Wallet’s standard release process, which requires internal approval/manual review.”
Trust Wallet has disclosed new details about a major security breach affecting its Chrome browser extension, revealing how attackers deployed a trojanized update that ultimately led to millions of dollars in cryptocurrency losses.
According to the company and cybersecurity researchers, the attackers registered a malicious domain, “metrics-trustwallet[.]com,” and used it to distribute a compromised version of the Trust Wallet Chrome extension. The trojanized extension communicated with a backdoor hosted on a subdomain, “api.metrics-trustwallet[.]com,” which was designed to harvest users’ wallet mnemonic phrases, effectively giving attackers full control over affected wallets.
The disclosure follows Trust Wallet’s warning to nearly one million Chrome extension users earlier this month, urging them to immediately update to version 2.69 after a malicious update, version 2.68, was pushed to the Chrome Web Store on December 24, 2025. That update was published by unknown threat actors and remained available long enough to infect thousands of users before it was detected and removed.
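A defender's check built from the indicators reported above, as an added example that is not code from Trust Wallet or the researchers cited: it searches DNS log lines for the reported domain and its subdomains, and flags an extension manifest at version 2.68. The log format, sample lines and function names are constructed for illustration, and treating 2.68.x builds as affected is an assumption.

```python
import json

# Indicators taken from the article (defanged there, refanged here for matching).
IOC_DOMAIN = "metrics-trustwallet.com"
MALICIOUS_VERSION = "2.68"

def refang(host: str) -> str:
    """Normalise a hostname: undo [.] defanging, drop the trailing root dot, lowercase."""
    return host.replace("[.]", ".").strip().rstrip(".").lower()

def is_ioc_host(host: str) -> bool:
    """True for the reported domain or any subdomain, but not for lookalike suffixes."""
    h = refang(host)
    return h == IOC_DOMAIN or h.endswith("." + IOC_DOMAIN)

def hits_in_dns_log(lines):
    """Return (client_ip, queried_name) for each query that matches the indicator."""
    hits = []
    for line in lines:
        # Assumed (constructed) format: "<timestamp> <client_ip> <query_name> <qtype>"
        parts = line.split()
        if len(parts) >= 3 and is_ioc_host(parts[2]):
            hits.append((parts[1], refang(parts[2])))
    return hits

def manifest_is_malicious(manifest_text: str) -> bool:
    """Flag a manifest.json whose version is 2.68 (assumption: 2.68.x is also flagged)."""
    try:
        manifest = json.loads(manifest_text)
    except json.JSONDecodeError:
        return False  # unreadable manifest: nothing to match, triage it separately
    if not isinstance(manifest, dict):
        return False
    version = str(manifest.get("version", ""))
    return version == MALICIOUS_VERSION or version.startswith(MALICIOUS_VERSION + ".")

# Constructed sample data, not real telemetry.
SAMPLE_DNS_LOG = [
    "2025-12-25T09:14:02Z 10.0.4.17 api.metrics-trustwallet.com. A",
    "2025-12-25T09:14:05Z 10.0.4.22 metrics-trustwallet.com.example.org A",
    "2025-12-25T09:15:40Z 10.0.4.31 METRICS-TRUSTWALLET.COM AAAA",
    "2025-12-25T09:16:11Z 10.0.4.17 trustwallet.com A",
]

if __name__ == "__main__":
    for client, name in hits_in_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} queried {name}")
    print(manifest_is_malicious('{"name": "sample", "version": "2.68"}'))
```

Because the trojanized build was designed to harvest mnemonic phrases, a host that matches either check is a reason to treat the wallets used on it as exposed, not only to update the extension.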
Blockchain analysis shows that the breach resulted in approximately $8.5 million worth of cryptocurrency being drained from 2,520 wallet addresses. The stolen funds were consolidated into at least 17 wallet addresses controlled by the attackers. Public reports of wallet-draining activity began emerging just one day after the malicious update went live, signaling how quickly the exploit was weaponized.
Trust Wallet has since launched a reimbursement claim process for affected users. The company said reviews are being conducted on a case-by-case basis and cautioned that processing timelines may vary. Trust Wallet emphasized that additional verification steps are required to distinguish legitimate victims from potential bad actors and to prevent fraudulent claims.
In response to the incident, Trust Wallet said it has strengthened its internal release and monitoring processes to reduce the risk of similar attacks in the future. The company acknowledged that the breach was part of a broader software supply chain compromise rather than a direct intrusion into its core systems.
“This was an industry-wide software supply chain attack that affected companies across multiple sectors, including but not limited to crypto,” Trust Wallet said in a statement. “It involved malicious code being introduced and distributed through commonly used developer tooling, allowing attackers to gain access through trusted dependencies.”
The incident coincides with the emergence of a new iteration of the Shai-Hulud malware family, known as Shai-Hulud 3.0, which researchers say features improved obfuscation, error handling, and Windows compatibility. While the underlying attack techniques remain largely unchanged, analysts note that these refinements are intended to extend the malware’s lifespan and effectiveness.
Researchers from cybersecurity firm Upwind said the latest version remains “laser-focused on stealing secrets from developer machines,” highlighting the growing threat posed by supply chain attacks that exploit trusted software components rather than targeting end users directly.
The Trust Wallet breach adds to mounting concerns over the security of browser-based cryptocurrency wallets, which continue to be a prime target for attackers due to their reliance on third-party dependencies and frequent update cycles.

Abdul Wasay explores emerging trends across AI, cybersecurity, startups and social media platforms in a way anyone can easily follow.