Trust Wallet has linked a second Shai-Hulud supply-chain attack to a hack on its Chrome extension, resulting in the theft of about $8.5 million in cryptocurrency. The incident involved a malicious version of the extension that exfiltrated users' sensitive wallet data. The company rolled back the compromised software and committed to reimbursing affected users.
Trust Wallet, a popular cryptocurrency wallet, disclosed details of a second supply-chain attack tied to the Shai-Hulud incident, confirming that hackers stole approximately $8.5 million in crypto assets through a compromised Chrome extension.
The breach traces back to a November 2025 supply-chain attack, where the company's developer GitHub secrets were exposed. This leak provided attackers with access to the browser extension's source code and a Chrome Web Store API key. Using these, the hackers bypassed internal release controls and published a tampered version, 2.68, on December 24, 2025. The malicious extension included code hosted on the domain metrics-trustwallet.com, designed to collect users' sensitive wallet data without traditional code injection.
As detailed in Trust Wallet's report, “The attacker registered domain metrics-trustwallet.com (and sub-domain api.metrics-trustwallet.com) with the intention of hosting malicious code and embedding a reference to that code in their malicious deployment of the Trust Wallet Browser Extension.” The code activated on every wallet unlock, iterating through all configured wallets and embedding seed phrases in disguised telemetry data sent to the attacker's server.
Cybersecurity firm Koi analyzed the malware, noting that it exfiltrated data regardless of authentication method. The domain resolved to IP address 138.124.70.40, hosted by Stark Industries Solutions, a bulletproof provider linked to Russian cyber operations. Queries to the server returned a Dune quote, referencing the original Shai-Hulud npm incident.
Wallet-draining activity surfaced on December 25, 2025, prompting swift response. Researchers 0xAkinator and ZachXBT tracked attacker wallets, while Trust Wallet issued alerts, rolled back to a clean version 2.67 (released as 2.69), and mitigated DDoS attempts. “On December 25th, the first wallet-draining activity was publicly reported,” the report states. The company prioritized a silent update for safety, then guided users to upgrade and warned those on version 2.68 (December 24–26) to move funds.
Trust Wallet disabled unauthorized publishing access, coordinated with blockchain analytics firms to trace stolen funds, and pledged reimbursements. A verification tool is planned for version 2.70, with ongoing investigations to strengthen security.
