Chrome extension compromise resulted in millions of theft
Trust Wallet recently disclosed that the Sha1-Hulur supply chain attack last year in November might be responsible for the compromise of its Google Chrome extension, causing $8.5 million assets theft.
About the incident
According to the company, its "developer GitHub secrets were exposed in the attack, which gave the attacker access to our browser extension source code and the Chrome Web Store (CWS) API key." The attacker obtained full CWS API access via the leaked key, allowing builds to be uploaded directly without Trust Wallet's standard release process, which requires internal approval/manual review."
Later, the threat actor registered the domain "metrics-trustwallet[.]com" and deployed a malware variant of the extension with a backdoor that could harvest users' wallet mnemonic phrases to the sub-domain "api.metrics-trustwallet[.]com."
Attack tactic
According to Koi, a cybersecurity company, the infected code activates with each unlock causing sensitive data to be harvested. It doesn't matter if the victims used biometrics or password, and if the wallet extension was opened once after the 2.68 version update or in use for months.
The researchers Yuval Ronen and Oren Yomtov reported that, "the code loops through every wallet in the user's account, not just the active one. If you had multiple wallets configured, all of them were compromised. Seed phrases are stuffed into a field called errorMessage inside what looks like standard unlock telemetry. A casual code review sees an analytics event tracking unlock success with some error metadata."
Movie “Dune” reference? Yes.
Besides this, the analysis also revealed that querying the server directly gave the reply "He who controls the spice controls the universe." It's a Dune reference that is found in similar incidents like the Shai-Hulud npm. "The Last-Modified header reveals the infrastructure was staged by December 8 – over two weeks before the malicious update was pushed on December 24," it added. "This wasn't opportunistic. It was planned."
The findings came after Trust Wallet requested its one million users of Chrome extension to update to variant 2.69 after a malicious update (variant 2.68) was triggered by unknown hackers on December 24, 2025, in the browser's extension marketplace.
The breach caused $8.5 million loss in cryptocurrency assets being stolen from 2,520 wallet addresses. The wallet theft was first reported after the malicious update.
Control measures
Post-incident, Trust Wallet has started a reimbursement claim process for affected victims. The company has implemented additional monitoring measures related to its release processes.
