Trust Wallet Suffers Major Cyber Breach: $8.5 Million in Assets Stolen
On Tuesday, Trust Wallet disclosed a significant security compromise that it traces back to the November 2025 re-emergence of the Shai-Hulud supply chain attack. The incident involved a compromised build of Trust Wallet's Google Chrome extension and resulted in the theft of approximately $8.5 million across various cryptocurrency assets.
The company confirmed that the attackers obtained its developer GitHub secrets, which exposed both the source code of the browser extension and the Chrome Web Store API key. With that key, the attacker could publish a modified build of the extension directly to the Chrome Web Store, bypassing Trust Wallet's normal release path of internal approval and manual review.
Using this access, the attackers registered the domain "metrics-trustwallet.com" and published a trojanized version of the extension carrying a backdoor that captures users' wallet mnemonic phrases. Cybersecurity firm Koi reported that the payload fires every time a user unlocks the wallet, so the phrase is exfiltrated regardless of whether the wallet was opened recently or after a long period of inactivity.
The theft was not limited to the active wallet: every wallet configured in the extension was captured. Researchers found that the compromised code tucked the mnemonic phrases into a standard telemetry field, so the exfiltration blended in with ordinary unlock-event reporting. Hiding the secret inside traffic the extension is expected to send makes detection harder and allowed theft at scale.
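The technique described above, secrets riding inside ordinary-looking telemetry, suggests a concrete check an extension team or a network monitor can run. The following is an added example, not code from Trust Wallet, Koi or the compromised extension: it inspects an outbound telemetry request, flags any destination host outside an allow-list, and walks the JSON body for any field whose value has the shape of a BIP39 mnemonic (12, 15, 18, 21 or 24 lowercase words of 3 to 8 letters), including a phrase hidden as base64 or split into an array. The allowed host, the event schema and both sample events are constructed for illustration; the "abandon ... about" phrase is the standard BIP39 test vector, not a real wallet.

```javascript
// Added example (not Trust Wallet's, Koi's or the extension's code): heuristic
// inspection of outbound telemetry for mnemonic-shaped values. Host allow-list,
// event schema and sample events are constructed assumptions.

const MNEMONIC_LENGTHS = new Set([12, 15, 18, 21, 24]);
const WORD_RE = /^[a-z]{3,8}$/;
const B64_RE = /^[A-Za-z0-9+/]{16,}={0,2}$/;

// Candidate plaintexts for a value: the string itself and, if it parses as
// base64, its decoded form. An array of strings is joined into one phrase.
function candidates(value) {
  if (Array.isArray(value) && value.every((v) => typeof v === 'string')) {
    return [value.join(' ')];
  }
  if (typeof value !== 'string') return [];
  const out = [value];
  if (B64_RE.test(value)) {
    out.push(Buffer.from(value, 'base64').toString('utf8'));
  }
  return out;
}

// True if `text` has the word count and word shape of a BIP39 mnemonic.
// Shape check only: a production monitor would also verify each word against
// the 2048-word BIP39 list and validate the checksum bits.
function looksLikeMnemonic(text) {
  const words = text.trim().split(/\s+/);
  return MNEMONIC_LENGTHS.has(words.length) && words.every((w) => WORD_RE.test(w));
}

// Depth-first walk of a parsed JSON body; returns dotted paths of fields
// that carry a mnemonic-shaped value in any of their candidate forms.
function findMnemonicFields(node, path = '') {
  if (candidates(node).some(looksLikeMnemonic)) return [path || '$'];
  const hits = [];
  if (node && typeof node === 'object') {
    for (const [key, val] of Object.entries(node)) {
      hits.push(...findMnemonicFields(val, path ? `${path}.${key}` : key));
    }
  }
  return hits;
}

// Inspect one outbound request ({url, body}); returns a list of findings.
function inspectTelemetryRequest(req, allowedHosts) {
  const findings = [];
  const host = new URL(req.url).hostname;
  if (!allowedHosts.has(host)) findings.push(`unexpected telemetry host: ${host}`);
  let body;
  try {
    body = JSON.parse(req.body);
  } catch {
    return findings; // non-JSON body: nothing more to check here
  }
  for (const p of findMnemonicFields(body)) {
    findings.push(`mnemonic-shaped value in field ${p}`);
  }
  return findings;
}

// Constructed samples (assumptions, not real traffic).
const ALLOWED_HOSTS = new Set(['telemetry.wallet.example']);
const SAMPLE_MNEMONIC =
  'abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about';

const BENIGN_UNLOCK_EVENT = {
  url: 'https://telemetry.wallet.example/v1/events',
  body: JSON.stringify({ event: 'wallet_unlock', props: { source: 'popup', ok: true } }),
};

// Mirrors the pattern described above: the phrase rides inside an
// ordinary-looking unlock event, here base64-encoded in a "session" field,
// and goes to the attacker-registered domain named in the article.
const EXFIL_UNLOCK_EVENT = {
  url: 'https://metrics-trustwallet.com/v1/events',
  body: JSON.stringify({
    event: 'wallet_unlock',
    props: { source: 'popup', session: Buffer.from(SAMPLE_MNEMONIC).toString('base64') },
  }),
};

function demo() {
  return {
    benign: inspectTelemetryRequest(BENIGN_UNLOCK_EVENT, ALLOWED_HOSTS),
    exfil: inspectTelemetryRequest(EXFIL_UNLOCK_EVENT, ALLOWED_HOSTS),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The host allow-list is the stronger of the two checks: it does not depend on the attacker's encoding. The shape heuristic will miss a phrase that is encrypted or hex-encoded before it is placed in the field, and can false-positive on a twelve-word lowercase sentence, so in practice it is a triage signal to pair with a hard rule that the extension's code never reads the mnemonic outside the signing path.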
The domain used in the attack resolves to a hosting provider known for serving malicious infrastructure, which raises questions about the operational setup behind the breach. Notably, when researchers queried the server directly, it returned a message indicating a deliberate, planned operation rather than opportunistic exploitation of a vulnerability.
In response, Trust Wallet has opened a reimbursement process for affected users, with a methodical review of claims to separate genuine victims from fraudulent submissions. The company is also adding monitoring and tightening controls around its release process so that a stolen publishing credential alone cannot push a build to users.
The incident fits a broader pattern of supply chain attacks across many sectors, including cryptocurrency. Such attacks compromise trusted developer tooling and dependencies to plant malicious code, reaching victims through software they already trust rather than by attacking each organization directly.
With the emergence of Shai-Hulud 3.0, believed to feature refined detection-evasion techniques, Trust Wallet's experience serves as a cautionary tale for other organizations. Mapping an intrusion like this one onto the MITRE ATT&CK tactics (initial access, persistence, privilege escalation) is a practical way to identify where defenses against similar threats are missing.
Trust Wallet's experience underscores the need for vigilance and rigorous controls throughout the software stack and release pipeline, particularly in sectors that handle sensitive financial data.