Trust Wallet links $8.5M Chrome extension hack to Shai-Hulud supply chain attack

Trust Wallet has disclosed that a major security breach affecting its Google Chrome browser extension was the result of a broader software supply chain attack linked to the second wave of the Shai-Hulud (also known as Sha1-Hulud) campaign observed in November 2025. The incident ultimately led to the theft of approximately $8.5 million in cryptocurrency assets.

In a post-mortem released on Tuesday, the company confirmed that developer secrets stored in its GitHub environment were exposed during the attack. According to Trust Wallet, the leaked credentials gave the attacker access to the browser extension’s source code as well as the Chrome Web Store API key. With full API access, the attacker was able to upload malicious builds directly to the Chrome Web Store, bypassing Trust Wallet’s internal release process, which normally requires manual approval and review.

Using this access, the attacker registered the domain metrics-trustwallet[.]com and distributed a trojanized version of the extension that included a hidden backdoor. The malicious code exfiltrated users’ wallet recovery phrases by sending them to the subdomain api.metrics-trustwallet[.]com, effectively compromising affected wallets at the point of unlock.

Security firm Koi, which analyzed the malicious extension, reported that the backdoor activated every time the wallet was unlocked, not only during seed phrase imports. This meant sensitive data could be stolen regardless of whether users authenticated with a password or biometrics, and even if the wallet had only been opened once after the update to version 2.68. The researchers added that the malware iterated through all wallets configured in the extension, not just the active one, resulting in total compromise for users with multiple wallets.

To evade detection, the stolen seed phrases were embedded in what appeared to be routine telemetry data. The data was placed in a field named errorMessage, making the traffic resemble standard analytics events tracking unlock success. According to Koi researchers Oren Yomtov and Yuval Ronen, a casual code review would likely miss the malicious behavior.
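The disguise Koi describes, a recovery phrase carried in an errorMessage field of an otherwise ordinary unlock event, is exactly the kind of thing a network-side or extension-review check can catch. The following is an added example, not code from Trust Wallet, Koi or the article, that runs two defender checks over captured extension telemetry: whether the destination host is one the vendor actually owns, and whether any string field has the shape of a mnemonic. The allowlist host is a constructed placeholder, the sample captures are constructed, and the mnemonic test is a structural heuristic (word count and word shape) rather than a full BIP-39 wordlist and checksum validation.

```python
"""
Detect wallet-recovery-phrase exfiltration disguised as analytics telemetry.

Added example, not code from Trust Wallet, Koi, or the original article.
It applies two checks a defender would run over captured extension traffic:
  (1) does the telemetry go to an endpoint the vendor actually owns, and
  (2) does any string field carry a mnemonic-shaped value?

Assumptions: KNOWN_TELEMETRY_HOSTS is a constructed placeholder, and
looks_like_mnemonic() is a structural heuristic (word count and word shape),
not a full BIP-39 wordlist/checksum validation.
"""
from __future__ import annotations

import json
import re

# Constructed allowlist of telemetry hosts the vendor is assumed to own.
KNOWN_TELEMETRY_HOSTS = {"telemetry.example-wallet.invalid"}

# Valid BIP-39 mnemonic lengths (12..24 words in steps of three).
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}

# BIP-39 English words are 3-8 lowercase letters; a mnemonic is single-spaced.
_WORD_RE = re.compile(r"^[a-z]{3,8}$")


def looks_like_mnemonic(value: str) -> bool:
    """Heuristic: N single-spaced lowercase 3-8 letter words, N in MNEMONIC_LENGTHS."""
    words = value.strip().split(" ")
    return len(words) in MNEMONIC_LENGTHS and all(_WORD_RE.match(w) for w in words)


def _string_fields(obj, path=""):
    """Yield (json_path, string_value) for every string nested anywhere in obj."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _string_fields(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _string_fields(v, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj


def analyze_event(host: str, body: str) -> list[str]:
    """Return the findings for one captured telemetry POST (empty list if clean)."""
    findings = []
    if host not in KNOWN_TELEMETRY_HOSTS:
        findings.append(f"unknown telemetry host: {host}")
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return findings + ["body is not JSON"]
    for path, value in _string_fields(payload):
        if looks_like_mnemonic(value):
            findings.append(f"mnemonic-shaped value in field '{path}'")
    return findings


# Constructed sample captures: (destination host, JSON body). The third one
# mimics the pattern described in the article: a normal-looking unlock event
# whose errorMessage field carries a (constructed, not real) 12-word phrase,
# sent to the de-fanged host named in the article.
SAMPLE_CAPTURES = [
    ("telemetry.example-wallet.invalid",
     '{"event":"unlock","success":true,"errorMessage":""}'),
    ("telemetry.example-wallet.invalid",
     '{"event":"unlock","success":false,"errorMessage":"Invalid password: attempt 2"}'),
    ("api.metrics-trustwallet[.]com",
     '{"event":"unlock","success":true,"errorMessage":'
     '"apple river stone cloud tiger maple ocean candle silver forest bridge lantern"}'),
]


def scan(captures=SAMPLE_CAPTURES) -> dict[int, list[str]]:
    """Map capture index -> findings, omitting captures with no findings."""
    return {i: f for i, (h, b) in enumerate(captures) if (f := analyze_event(h, b))}


if __name__ == "__main__":
    for idx, findings in scan().items():
        print(f"capture {idx}:")
        for finding in findings:
            print(f"  - {finding}")
```

Only the third capture is flagged, on both counts: the host is not on the allowlist, and the errorMessage value has the shape of a recovery phrase even though the event otherwise looks like a routine success report. A real deployment would swap the shape heuristic for a wordlist check and run this over the extension's outbound requests during review, not only in production.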

Infrastructure analysis showed that metrics-trustwallet[.]com resolved to the IP address 138.124.70.40, hosted by Stark Industries Solutions, a hosting provider with a history of being associated with cybercriminal and state-aligned activity. Investigators also noted that directly querying the server returned the message “He who controls the spice controls the universe,” a reference to Dune that mirrors motifs seen in earlier Shai-Hulud-related incidents.

Further evidence suggested the attack was carefully planned. HTTP headers indicated the malicious infrastructure was staged by December 8, more than two weeks before the poisoned extension update was pushed on December 24, 2025. The first public reports of wallet-draining activity surfaced the following day.

In total, funds were siphoned from 2,520 wallet addresses into at least 17 attacker-controlled wallets. Trust Wallet has since urged users to update to version 2.69 of the Chrome extension and has begun a reimbursement process for affected customers. The company stated that claims are being reviewed individually to prevent fraud and distinguish legitimate victims from malicious actors.

Trust Wallet said it has introduced additional monitoring and tighter controls around its release pipeline to prevent similar incidents. The company emphasized that Shai-Hulud was not a targeted attack against a single organization but an industry-wide supply chain compromise that leveraged trusted developer tools and dependencies to gain access.

The disclosure comes as researchers warn of the emergence of Shai-Hulud 3.0, a newer iteration of the campaign that focuses on improved obfuscation, more robust error handling, and better Windows compatibility. According to Upwind researchers Guy Gilad and Moshe Hassan, the latest version does not introduce new exploitation techniques but is designed to increase stealth and longevity while continuing to target secrets on developer machines.
