Verify a decision

{"actor":"system:backfill","investigation_id":"40f85575-158e-4c12-a6af-109fdecce653","kind":"publish","page_slug":"trust-wallet-chrome-extension-hack-december-2025","published_at":"2026-06-02T20:12:12.539Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Trust Wallet Chrome Extension Hack (December 2025)","sections":[{"content":"The December 2025 Trust Wallet incident is classified by security researchers as a software supply chain attack, specifically a credential-theft-to-publisher-abuse chain. Trust Wallet itself is the primary victim organization — the attack did not exploit a flaw in Trust Wallet's own cryptography or wallet architecture but rather compromised the organization's software distribution credentials. The fault vector is two-layered: (1) Trust Wallet's developer secrets were inadequately protected against the industry-wide Shai-Hulud 2.0 supply chain worm, and (2) Google's Chrome Web Store automated review process failed to detect obfuscated credential-harvesting code submitted via a legitimate but stolen publisher API key. Mobile application users and users of other browser extension versions were explicitly unaffected; only users who ran Chrome extension v2.68 and unlocked their wallet between December 24 and December 26, 2025 at 11:00 UTC had their seed phrases exposed.","heading":"Incident Overview and Classification","severity":"critical","sources":[{"credibility":1,"name":"Trust Wallet Browser Extension v2.68 Incident: An Update to Our Community","type":"official","url":"https://trustwallet.com/blog/announcements/trust-wallet-browser-extension-v268-incident-community-update"},{"credibility":2,"name":"Trust Wallet Chrome Extension Hack Drains $8.5M via Shai-Hulud Supply Chain Attack — The Hacker News","type":"news_article","url":"https://thehackernews.com/2025/12/trust-wallet-chrome-extension-hack.html"},{"credibility":2,"name":"Explained: The Trust Wallet Hack (December 2025) — Halborn Security","type":"research","url":"https://www.halborn.com/blog/post/explained-the-trust-wallet-hack-december-2025"}]},{"content":"The proximate root cause traces to the Shai-Hulud 2.0 campaign, a self-replicating npm worm first observed in late November 2025. The worm infected over 640 npm packages within days and created more than 25,000 attacker-controlled GitHub repositories at its peak on November 24, 2025. It executed during the npm pre-install phase via a script (setup_bun.js) that installed the Bun JavaScript runtime, then ran a heavily obfuscated credential-harvesting payload. The payload scanned developer environments for secrets including GitHub personal access tokens, cloud API keys, SSH keys, npm publish tokens, and other credentials, exfiltrating them to auto-generated public GitHub repositories with descriptions referencing 'Sha1-Hulud: The Second Coming.' Trust Wallet's developer GitHub secrets — including the Chrome Web Store publisher API key for the Trust Wallet extension — were exposed in this campaign. Microsoft's Security Blog published detailed Shai-Hulud 2.0 detection guidance on December 9, 2025, indicating awareness of the campaign was widespread in the security community before the Trust Wallet extension was published. A separate Shai-Hulud 3.0 variant was discovered on December 28, 2025, incorporating TruffleHog for credential scanning and removing the earlier 'dead man switch' wiper function.","heading":"Supply Chain Root Cause: Shai-Hulud 2.0","severity":"critical","sources":[{"credibility":1,"name":"Shai-Hulud Supply Chain Attack Led to $8.5 Million Trust Wallet Heist — SecurityWeek","type":"news_article","url":"https://www.securityweek.com/shai-hulud-supply-chain-attack-led-to-8-5-million-trust-wallet-heist/"},{"credibility":1,"name":"Shai-Hulud 2.0: Guidance for detecting, investigating, and defending against the supply chain attack — Microsoft Security Blog","type":"research","url":"https://www.microsoft.com/en-us/security/blog/2025/12/09/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack/"},{"credibility":2,"name":"Trust Wallet confirms second Shai-Hulud supply-chain attack, $8.5M in crypto stolen — Security Affairs","type":"news_article","url":"https://securityaffairs.com/186398/hacking/trust-wallet-confirms-second-shai-hulud-supply-chain-attack-8-5m-in-crypto-stolen.html"},{"credibility":1,"name":"640 NPM Packages Infected in New 'Shai-Hulud' Supply Chain Attack — SecurityWeek","type":"news_article","url":"https://www.securityweek.com/640-npm-packages-infected-in-new-shai-hulud-supply-chain-attack/"},{"credibility":1,"name":"Shai-Hulud Worm Compromises npm Ecosystem in Supply Chain Attack — Palo Alto Unit 42","type":"research","url":"https://unit42.paloaltonetworks.com/npm-supply-chain-attack/"}]},{"content":"With the stolen Chrome Web Store API key in hand, the attacker prepared a trojanized version of the Trust Wallet extension. The attacker registered the domain metrics-trustwallet.com on December 8, 2025 at 02:28:18 UTC — over two weeks before the malicious extension was pushed — indicating deliberate pre-staging. The first observed outbound request to api.metrics-trustwallet.com occurred on December 21, 2025. On December 24, 2025 at 12:32 UTC, the attacker uploaded v2.68 to the Chrome Web Store using the stolen API key. The submission bypassed Trust Wallet's internal manual release approval process, and Google's Chrome Web Store automated review passed the build. Two JavaScript files were modified in the malicious build. File 4482.js redirected PostHog analytics initialization from Trust Wallet's legitimate telemetry endpoint to api.metrics-trustwallet.com, using the open-source posthog-js library as a covert data channel. File 8423.js, injected into both password and biometric authentication paths, iterated through every wallet stored in the extension upon unlock, issued a GET_SEED_PHRASE request for each, decrypted the mnemonic using the user's just-entered password or passkey, and embedded the plaintext seed phrase in a field labeled errorMessage inside what appeared to be a standard analytics unlock event. Data was GZIP-compressed and transmitted via HTTPS POST to api.metrics-trustwallet.com, a domain specifically designed to appear as a legitimate Trust Wallet telemetry endpoint. The attacker's exfiltration server (IP 138.124.70.40) was hosted on Stark Industries Solutions (AS44477), a bulletproof hosting provider with documented associations to Russian cybercriminal infrastructure. Port 5000 on the same server exposed a Synology DiskStation (DSM 6.2) login page, suggesting the attacker used a NAS device as part of the exfiltration infrastructure. When queried directly, the server returned 'He who controls the spice controls the universe,' a Dune reference consistent with naming conventions used in the Shai-Hulud npm campaign. Security firm BlockSec characterized the operation as a 'professional APT-level attack.'","heading":"Attack Execution and Malicious Code Analysis","severity":"critical","sources":[{"credibility":2,"name":"Trust Wallet Incident: A Stolen API Key Turns the Official Update Channel into a Backdoor — BlockSec Blog","type":"research","url":"https://blocksec.com/blog/trust-wallet-incident-a-stolen-api-key-turns-the-official-update-channel-into-a-backdoor"},{"credibility":2,"name":"Trust Wallet Hack: Inside the Code That Stole $7M on Christmas Eve — Koi.ai","type":"research","url":"https://www.koi.ai/blog/trust-wallet-binance-compromised-inside-the-code-that-stole-7m-on-christmas-eve"},{"credibility":2,"name":"Christmas Heist: Analysis of Trust Wallet Browser Extension Hack — SlowMist via Medium","type":"research","url":"https://slowmist.medium.com/christmas-heist-analysis-of-trust-wallet-browser-extension-hack-bdb35c3cc6dd"},{"credibility":2,"name":"Trust Wallet Browser Extension Breach — Verichains Blog","type":"research","url":"https://blog.verichains.io/p/trust-wallet-browser-extension-breach"},{"credibility":2,"name":"Trust Wallet Chrome Extension Supply Chain Attack — Rescana","type":"research","url":"https://www.rescana.com/post/trust-wallet-chrome-extension-supply-chain-attack-7-million-cryptocurrency-theft-via-compromised-v"}]},{"content":"Trust Wallet's official post-mortem identified approximately $7 million in confirmed losses across 2,596 affected wallet addresses (Trust Wallet's own figure per CEO Eowyn Chen, as reported by BleepingComputer). Security researchers citing broader on-chain analysis reported up to $8.5 million associated with 17 attacker-controlled addresses and 2,520 affected victim wallets; the discrepancy reflects different attribution cutoffs and whether wallets outside Trust Wallet's own verification are included. Stolen assets comprised approximately $3 million in Bitcoin (approximately 33 BTC), over $3 million in Ethereum and EVM-compatible tokens, and approximately $431 in Solana. Fund flows tracked by on-chain researchers showed approximately $2.8 million remaining in the attacker's self-custody wallets across Bitcoin, EVM chains, and Solana; approximately $3.3 million routed to ChangeNOW; approximately $340,000 to FixedFloat; and approximately $447,000 to KuCoin. The use of non-KYC or lightly-regulated exchange infrastructure to launder the majority of funds is consistent with patterns observed in prior browser-extension crypto thefts. A follow-up phishing campaign exploiting the incident was also identified: attackers registered fix-trustwallet.com to impersonate Trust Wallet's official remediation guidance and solicit seed phrases from victims, per BleepingComputer.","heading":"Financial Impact and Fund Flows","severity":"critical","sources":[{"credibility":1,"name":"Trust Wallet says 2,596 wallets drained in $7 million crypto theft attack — BleepingComputer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/trust-wallet-says-7-million-crypto-theft-attack-drained-2-596-wallets/"},{"credibility":2,"name":"Trust Wallet Chrome Extension Hack Drains $8.5M via Shai-Hulud Supply Chain Attack — The Hacker News","type":"news_article","url":"https://thehackernews.com/2025/12/trust-wallet-chrome-extension-hack.html"},{"credibility":2,"name":"Trust Wallet users lose at least $6 million in security breach, ZachXBT finds — The Block","type":"news_article","url":"https://www.theblock.co/post/383735/trust-wallet-extension-incident"},{"credibility":1,"name":"Users of Binance-owned Trust Wallet lose $7 million to hacked Chrome extension — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2025/12/26/trust-wallet-users-lose-more-than-usd7-million-to-hacked-chrome-extension"}]},{"content":"Trust Wallet CEO Eowyn Chen stated publicly: 'The malicious extension v2.68 was NOT released through our internal manual process' and confirmed that the attacker submitted it via the stolen Chrome Web Store API key. Trust Wallet took the following immediate actions: (1) took down the malicious extension and reported the exfiltration domain api.metrics-trustwallet.com to registrar NiceNIC, which promptly suspended the domain; (2) expired all Chrome Web Store publisher API keys and paused new extension releases; (3) released a clean emergency patch, v2.69 (functionally a rollback of v2.67 code), on December 26, 2025; (4) notified approximately 1 million Chrome extension users to update immediately and migrate assets to new wallet addresses; and (5) committed to voluntary reimbursement of all verified affected users. Binance co-founder Changpeng Zhao publicly confirmed user funds 'are SAFU' and would be reimbursed. Trust Wallet received over 5,000 reimbursement claims despite identifying approximately 2,520–2,596 verifiably affected wallet addresses, indicating a substantial volume of duplicate and fraudulent submissions attempting to exploit the compensation program. Trust Wallet set a claims deadline of February 14, 2026. As of the initial compensation cycle completion (reported by Phemex News in early 2026), approximately 95% of claims for affected funds had been submitted, with remaining claims under review. Trust Wallet also introduced a Customer Support Verification Code (CSVC) in v2.71.0 to authenticate claimants, and published updated guidance for migrating assets from any wallet address associated with v2.68. Post-incident remediation commitments included: tighter access controls and credential rotation across all publishing pipelines; enhanced supply chain and dependency scanning; improved anomaly detection across release and publishing workflows; and strengthened incident detection, response, and communications processes.","heading":"Trust Wallet's Response and Remediation","severity":"high","sources":[{"credibility":1,"name":"Trust Wallet Browser Extension v2.68 Incident: An Update to Our Community — Trust Wallet Official","type":"official","url":"https://trustwallet.com/blog/announcements/trust-wallet-browser-extension-v268-incident-community-update"},{"credibility":1,"name":"Trust Wallet confirms extension hack led to $7 million crypto theft — BleepingComputer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/trust-wallet-says-7-million-crypto-theft-attack-drained-2-596-wallets/"},{"credibility":2,"name":"Trust Wallet Completes Initial Compensation for Security Incident — Phemex News","type":"news_article","url":"https://phemex.com/news/article/trust-wallet-completes-initial-compensation-for-v268-security-incident-53715"},{"credibility":2,"name":"Trust Wallet on X: confirmed $7M impacted, reimbursement commitment","type":"official","url":"https://x.com/TrustWallet/status/2004475085168795941"},{"credibility":2,"name":"Trust Wallet CSVC verification code for reimbursement — Trust Wallet on X","type":"official","url":"https://x.com/TrustWallet/status/2007510820213633228"},{"credibility":1,"name":"Security Notice: Trust Wallet Browser Extension Version 2.68 Vulnerability — Trust Wallet Support","type":"official","url":"https://support.trustwallet.com/support/solutions/articles/67000750069-security-notice-trust-wallet-browser-extension-version-2-68-vulnerability"}]},{"content":"On-chain investigator ZachXBT first flagged the wallet-draining activity on December 25, 2025 via Telegram and social media, identifying multiple attacker-controlled addresses receiving funds from hundreds of affected wallets. This public alert was one of the first indicators that spurred Trust Wallet to confirm the incident. On-chain researcher 0xAkinator also independently tracked attacker wallet activity. ZachXBT's initial on-chain analysis suggested losses of at least $6 million; subsequent consolidated figures from Trust Wallet and third-party analytics converged at approximately $7–8.5 million depending on attribution scope. CoinDesk and The Block both cited ZachXBT's findings as the initial public reporting basis. Trust Wallet's official timeline credits 'security researchers and analytics partners' for flagging the draining activity on December 25.","heading":"Third-Party Detection: ZachXBT and 0xAkinator","severity":"medium","sources":[{"credibility":2,"name":"Trust Wallet users lose at least $6 million in security breach, ZachXBT finds — The Block","type":"news_article","url":"https://www.theblock.co/post/383735/trust-wallet-extension-incident"},{"credibility":2,"name":"Trust Wallet Chrome Extension Hack Drains Over $6M from Users: ZachXBT — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2025/12/26/trust-wallet-chrome-extension-hack-drains-over-6m-from-users-zachxbt/"},{"credibility":2,"name":"Trust Wallet Users at Risk? ZachXBT Flags Security Warning — BeInCrypto","type":"news_article","url":"https://beincrypto.com/zachxbt-trust-wallet-security-warning-user-funds-drained/"}]},{"content":"The malicious v2.68 extension passed Google's Chrome Web Store automated review and was distributed to the extension's roughly 1 million users as a legitimate update. This represents a material security gap: obfuscated credential-harvesting code disguised as analytics telemetry was not flagged by Google's review pipeline. Trust Wallet CEO Eowyn Chen explicitly confirmed: 'This successfully passed Chrome Web Store's review and was released on December 24, 2025, at 12:32 p.m. UTC.' The incident renewed industry discussion about the adequacy of Chrome Web Store automated review for high-risk extension categories such as crypto wallets and password managers, particularly when the malicious actor controls a legitimate publisher API key and the code is designed to mimic standard analytics traffic. No public statement from Google regarding review process failures was identified at the time of this writing.","heading":"Google Chrome Web Store Review Failure","severity":"high","sources":[{"credibility":1,"name":"Trust Wallet confirms extension hack led to $7 million crypto theft — BleepingComputer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/trust-wallet-says-7-million-crypto-theft-attack-drained-2-596-wallets/"},{"credibility":3,"name":"Trust Wallet Chrome Extension Hack: $8.5 Million Stolen via v2.68 — H2S Media","type":"news_article","url":"https://www.how2shout.com/news/trust-wallet-chrome-extension-hack-8-5-million-stolen-v2-68-2025.html"}]},{"content":"The Trust Wallet v2.68 incident occurred against a backdrop of record-high crypto theft in 2025. CoinDesk reported that total crypto theft in 2025 reached $6.75 billion, with personal wallet compromises surging to 158,000 cases (up from approximately 64,000 the prior year). The incident is frequently cited in security research as among the largest single browser extension-based crypto thefts on record, though the intake materials' description of it as definitively 'the largest' is not independently corroborated by a verifiable ranking source and should be treated as an approximation. The attack illustrates a class of risk specific to browser-extension wallets: the software distribution channel itself becomes an attack surface when developer credentials are compromised. Security researchers mapped the attack to multiple MITRE ATT&CK techniques: supply chain compromise (T1195.002), use of valid credentials (T1078), input capture (T1056), credential store access (T1555), data collection (T1213), exfiltration over web service (T1567.002), and application layer C2 (T1071.001). The Shai-Hulud 2.0 campaign also compromised developer environments at Zapier, PostHog, Postman, and AsyncAPI, though no comparable distribution-channel exploit was reported for those organizations.","heading":"Broader Industry Context","severity":"medium","sources":[{"credibility":1,"name":"Users of Binance-owned Trust Wallet lose $7 million to hacked Chrome extension — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2025/12/26/trust-wallet-users-lose-more-than-usd7-million-to-hacked-chrome-extension"},{"credibility":2,"name":"Trust Wallet Chrome Extension Supply Chain Attack — Rescana (MITRE ATT&CK mapping)","type":"research","url":"https://www.rescana.com/post/trust-wallet-chrome-extension-supply-chain-attack-7-million-cryptocurrency-theft-via-compromised-v"},{"credibility":3,"name":"Supply Chain Risks in Web3 Infrastructure: A Post-Mortem on the Trust Wallet Chrome Extension Hack — AInvest","type":"news_article","url":"https://www.ainvest.com/news/supply-chain-risks-web3-infrastructure-post-mortem-trust-wallet-chrome-extension-hack-2601/"},{"credibility":1,"name":"Shai-Hulud 2.0: Guidance for detecting, investigating, and defending against the supply chain attack — Microsoft Security Blog","type":"research","url":"https://www.microsoft.com/en-us/security/blog/2025/12/09/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack/"}]},{"content":"Trust Wallet's official guidance stated that any user who ran Chrome extension v2.68 and unlocked their wallet between December 24 and December 26, 2025 at 11:00 UTC should consider their seed phrase permanently compromised, regardless of whether theft has been observed. Trust Wallet advised such users to: (1) update immediately to v2.69 or later; (2) create a new wallet with a fresh seed phrase; (3) transfer all assets to the new wallet using the 'Migrate assets' feature; and (4) submit a reimbursement claim via the official form at be-support.trustwallet.com before the February 14, 2026 deadline (now expired). Users are warned that impersonator support accounts and fake compensation forms (e.g., fix-trustwallet.com) emerged following the incident and should not be trusted. The Customer Support Verification Code (CSVC) introduced in v2.71.0 is Trust Wallet's mechanism to authenticate legitimate claimants.","heading":"User Risk Guidance","severity":"high","sources":[{"credibility":1,"name":"Trust Wallet Browser Extension v2.68 Incident: An Update to Our Community — Trust Wallet Official","type":"official","url":"https://trustwallet.com/blog/announcements/trust-wallet-browser-extension-v268-incident-community-update"},{"credibility":2,"name":"Hidden script caught harvesting private keys as Trust Wallet issues emergency warning for Chrome users — CryptoSlate","type":"news_article","url":"https://cryptoslate.com/trust-wallet-just-issued-an-emergency-warning-for-chrome-users-after-a-hidden-script-was-caught-harvesting-private-keys/"},{"credibility":2,"name":"Trust Wallet Hack Victim? Here Is Your Compensation 101 — U.Today","type":"news_article","url":"https://u.today/trust-wallet-hack-victim-here-is-your-compensation-101"}]}],"sources_used":[{"credibility":1,"name":"Trust Wallet Browser Extension v2.68 Incident: An Update to Our Community","type":"official","url":"https://trustwallet.com/blog/announcements/trust-wallet-browser-extension-v268-incident-community-update"},{"credibility":2,"name":"Trust Wallet Chrome Extension Hack Drains $8.5M via Shai-Hulud Supply Chain Attack — The Hacker News","type":"news_article","url":"https://thehackernews.com/2025/12/trust-wallet-chrome-extension-hack.html"},{"credibility":1,"name":"Shai-Hulud Supply Chain Attack Led to $8.5 Million Trust Wallet Heist — SecurityWeek","type":"news_article","url":"https://www.securityweek.com/shai-hulud-supply-chain-attack-led-to-8-5-million-trust-wallet-heist/"},{"credibility":1,"name":"Users of Binance-owned Trust Wallet lose $7 million to hacked Chrome extension — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2025/12/26/trust-wallet-users-lose-more-than-usd7-million-to-hacked-chrome-extension"},{"credibility":2,"name":"Explained: The Trust Wallet Hack (December 2025) — Halborn Security","type":"research","url":"https://www.halborn.com/blog/post/explained-the-trust-wallet-hack-december-2025"},{"credibility":1,"name":"Trust Wallet says 2,596 wallets drained in $7 million crypto theft attack — BleepingComputer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/trust-wallet-says-7-million-crypto-theft-attack-drained-2-596-wallets/"},{"credibility":2,"name":"Trust Wallet confirms second Shai-Hulud supply-chain attack, $8.5M in crypto stolen — Security Affairs","type":"news_article","url":"https://securityaffairs.com/186398/hacking/trust-wallet-confirms-second-shai-hulud-supply-chain-attack-8-5m-in-crypto-stolen.html"},{"credibility":1,"name":"Shai-Hulud 2.0: Guidance for detecting, investigating, and defending against the supply chain attack — Microsoft Security Blog","type":"research","url":"https://www.microsoft.com/en-us/security/blog/2025/12/09/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack/"},{"credibility":2,"name":"Trust Wallet Incident: A Stolen API Key Turns the Official Update Channel into a Backdoor — BlockSec Blog","type":"research","url":"https://blocksec.com/blog/trust-wallet-incident-a-stolen-api-key-turns-the-official-update-channel-into-a-backdoor"},{"credibility":2,"name":"Christmas Heist: Analysis of Trust Wallet Browser Extension Hack — SlowMist via Medium","type":"research","url":"https://slowmist.medium.com/christmas-heist-analysis-of-trust-wallet-browser-extension-hack-bdb35c3cc6dd"},{"credibility":2,"name":"Trust Wallet users lose at least $6 million in security breach, ZachXBT finds — The Block","type":"news_article","url":"https://www.theblock.co/post/383735/trust-wallet-extension-incident"},{"credibility":1,"name":"640 NPM Packages Infected in New 'Shai-Hulud' Supply Chain Attack — SecurityWeek","type":"news_article","url":"https://www.securityweek.com/640-npm-packages-infected-in-new-shai-hulud-supply-chain-attack/"},{"credibility":1,"name":"Shai-Hulud Worm Compromises npm Ecosystem in Supply Chain Attack — Palo Alto Unit 42","type":"research","url":"https://unit42.paloaltonetworks.com/npm-supply-chain-attack/"},{"credibility":2,"name":"Trust Wallet Hack: Inside the Code That Stole $7M on Christmas Eve — Koi.ai","type":"research","url":"https://www.koi.ai/blog/trust-wallet-binance-compromised-inside-the-code-that-stole-7m-on-christmas-eve"},{"credibility":2,"name":"Trust Wallet Chrome Extension Supply Chain Attack — Rescana","type":"research","url":"https://www.rescana.com/post/trust-wallet-chrome-extension-supply-chain-attack-7-million-cryptocurrency-theft-via-compromised-v"},{"credibility":2,"name":"Trust Wallet Browser Extension Breach — Verichains Blog","type":"research","url":"https://blog.verichains.io/p/trust-wallet-browser-extension-breach"},{"credibility":2,"name":"Trust Wallet Completes Initial Compensation for Security Incident — Phemex News","type":"news_article","url":"https://phemex.com/news/article/trust-wallet-completes-initial-compensation-for-v268-security-incident-53715"},{"credibility":2,"name":"Hidden script caught harvesting private keys as Trust Wallet issues emergency warning for Chrome users — CryptoSlate","type":"news_article","url":"https://cryptoslate.com/trust-wallet-just-issued-an-emergency-warning-for-chrome-users-after-a-hidden-script-was-caught-harvesting-private-keys/"},{"credibility":1,"name":"Security Notice: Trust Wallet Browser Extension Version 2.68 Vulnerability — Trust Wallet Support","type":"official","url":"https://support.trustwallet.com/support/solutions/articles/67000750069-security-notice-trust-wallet-browser-extension-version-2-68-vulnerability"},{"credibility":2,"name":"Trust Wallet on X: confirmed $7M impacted, reimbursement commitment","type":"official","url":"https://x.com/TrustWallet/status/2004475085168795941"},{"credibility":2,"name":"Nearly $8.5M pilfered from Trust Wallet in Shai Hulud malware attack — SC Media","type":"news_article","url":"https://www.scworld.com/brief/nearly-8-5m-pilfered-from-trust-wallet-in-shai-hulud-malware-attack"}],"summary":"On December 24, 2025, a malicious version (v2.68) of the Trust Wallet Chrome extension was published to the Chrome Web Store using a stolen Chrome Web Store API key obtained via the Shai-Hulud 2.0 npm supply chain worm in November 2025. The backdoored extension silently exfiltrated decrypted seed phrases from 2,520 to 2,596 wallet addresses (figure varies by source and verification cutoff) to an attacker-controlled server, resulting in approximately $7–8.5 million in cryptocurrency losses over roughly 48 hours. Trust Wallet (a Binance subsidiary) voluntarily committed to reimbursing all verified victims and released an emergency clean patch (v2.69) on December 26, 2025.","timeline":[{"date":"2025-09-01","event":"Initial Shai-Hulud npm supply chain worm first observed targeting the npm ecosystem, harvesting developer credentials.","source":"Palo Alto Unit 42","source_url":"https://unit42.paloaltonetworks.com/npm-supply-chain-attack/"},{"date":"2025-11-24","event":"Shai-Hulud 2.0 campaign peaks: over 640 npm packages infected and more than 25,000 malicious data-leaking GitHub repositories created. Trust Wallet's developer GitHub secrets, including its Chrome Web Store API key, are exposed in the campaign.","source":"SecurityWeek / Security Affairs","source_url":"https://www.securityweek.com/640-npm-packages-infected-in-new-shai-hulud-supply-chain-attack/"},{"date":"2025-12-08","event":"Attacker registers domain metrics-trustwallet.com (and subdomain api.metrics-trustwallet.com) at 02:28:18 UTC via registrar NICENIC INTERNATIONAL, pre-staging exfiltration infrastructure more than two weeks before deployment.","source":"SlowMist / BlockSec analysis","source_url":"https://slowmist.medium.com/christmas-heist-analysis-of-trust-wallet-browser-extension-hack-bdb35c3cc6dd"},{"date":"2025-12-09","event":"Microsoft Security Blog publishes Shai-Hulud 2.0 detection and defense guidance, indicating broad industry awareness of the credential-theft campaign.","source":"Microsoft Security Blog","source_url":"https://www.microsoft.com/en-us/security/blog/2025/12/09/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack/"},{"date":"2025-12-21","event":"First observed outbound request to api.metrics-trustwallet.com, indicating the attacker was testing or warming up the exfiltration endpoint.","source":"SlowMist / Rescana analysis","source_url":"https://www.rescana.com/post/trust-wallet-chrome-extension-supply-chain-attack-7-million-cryptocurrency-theft-via-compromised-v"},{"date":"2025-12-24","event":"Malicious Trust Wallet Chrome extension v2.68 submitted and published to Chrome Web Store at 12:32 UTC using the stolen CWS API key. Google's automated review passes the build. Wallet-draining begins as users unlock wallets.","source":"Trust Wallet official post-mortem / BleepingComputer","source_url":"https://trustwallet.com/blog/announcements/trust-wallet-browser-extension-v268-incident-community-update"},{"date":"2025-12-25","event":"On-chain investigator ZachXBT flags wallet-draining activity via Telegram, identifying attacker-controlled addresses receiving funds from hundreds of victims. Trust Wallet's security team and analytics partners independently flag the activity.","source":"The Block / CryptoTimes","source_url":"https://www.theblock.co/post/383735/trust-wallet-extension-incident"},{"date":"2025-12-26","event":"Trust Wallet issues emergency user alert and releases clean patch v2.69 (functionally v2.67 code). Exfiltration window closes at approximately 11:00 UTC per Trust Wallet's official statement. CoinDesk publishes first major media coverage.","source":"Trust Wallet official / CoinDesk","source_url":"https://www.coindesk.com/business/2025/12/26/trust-wallet-users-lose-more-than-usd7-million-to-hacked-chrome-extension"},{"date":"2025-12-28","event":"Shai-Hulud 3.0 variant discovered, incorporating TruffleHog for credential scanning and removing the 'dead man switch' wiper functionality present in earlier versions.","source":"SecurityWeek","source_url":"https://www.securityweek.com/shai-hulud-supply-chain-attack-led-to-8-5-million-trust-wallet-heist/"},{"date":"2025-12-29","event":"Trust Wallet CEO Eowyn Chen publicly confirms 2,596 affected wallet addresses, approximately $7 million in losses, and voluntary reimbursement commitment. New Shai-Hulud repository creation drops to a handful per day.","source":"BleepingComputer / Trust Wallet","source_url":"https://www.bleepingcomputer.com/news/security/trust-wallet-says-7-million-crypto-theft-attack-drained-2-596-wallets/"},{"date":"2025-12-30","event":"Trust Wallet publishes official incident statement on its blog detailing attack vector, scope, remediation actions, and reimbursement process.","source":"Trust Wallet official blog","source_url":"https://trustwallet.com/blog/announcements/trust-wallet-browser-extension-v268-incident-community-update"},{"date":"2026-01-01","event":"BleepingComputer identifies attacker-registered follow-on phishing domain fix-trustwallet.com impersonating Trust Wallet's remediation guidance to harvest seed phrases from victims.","source":"BleepingComputer","source_url":"https://www.bleepingcomputer.com/news/security/trust-wallet-says-7-million-crypto-theft-attack-drained-2-596-wallets/"},{"date":"2026-02-14","event":"Trust Wallet's reimbursement claim submission deadline. Approximately 95% of claims for affected funds reported received, with remaining claims under review.","source":"Phemex News","source_url":"https://phemex.com/news/article/trust-wallet-completes-initial-compensation-for-v268-security-incident-53715"}]},"v":1}