Trust Wallet on Tuesday revealed that the second iteration of the Shai-Hulud (aka Sha1-Hulud) supply chain outbreak in November 2025 was likely responsible for the hack of its Google Chrome extension, ultimately resulting in the theft of approximately $8.5 million in assets.
“Our Developer GitHub secrets were exposed in the attack, which gave the attacker access to our browser extension source code and the Chrome Web Store (CWS) API key,” the company said in a post-mortem published Tuesday.
“The attacker obtained full CWS API access via the leaked key, allowing builds to be uploaded directly without Trust Wallet’s standard release process, which requires internal approval/manual review.”
Subsequently, the attacker is said to have registered the domain “metrics-trustwallet[.]com” and pushed a trojanized version of the extension with a backdoor that’s capable of harvesting users’ wallet mnemonic phrases to the sub-domain “api.metrics-trustwallet[.]com.”
The disclosure comes days after Trust Wallet urged about one million users of its Chrome extension to update to version 2.69 after a malicious update (version 2.68) was pushed by unknown threat actors on December 24, 2025, to the browser’s extension marketplace.
The security incident ultimately led to $8.5 million in cryptocurrency assets being drained from 2,520 wallet addresses to no less than 17 wallet addresses controlled by the attacker. The first wallet-draining activity was publicly reported a day after the malicious update.
Trust Wallet has since initiated a reimbursement claim process for impacted victims. The company noted that reviews of submitted claims are ongoing and are being handled on a case-by-case basis. It also stressed that processing times may vary with each case due to the need to distinguish between victims and bad actors, and further protect against fraud.
To prevent such breaches from occurring again, Trust Wallet said it has implemented additional monitoring capabilities and controls related to its release processes.
“Sha1-Hulud was an industry-wide software supply chain attack that affected companies across multiple sectors, including but not limited to crypto,” the company said. “It involved malicious code being introduced and distributed through commonly-used developer tooling. This allowed attackers to gain access through trusted software dependencies rather than directly targeting individual organizations.”
Trust Wallet’s disclosure coincides with the emergence of Shai-Hulud 3.0 with increased obfuscation and reliability improvements, while still remaining laser-focused on stealing secrets from developer machines.
“The primary difference lies in string obfuscation, error handling, and Windows compatibility, all aimed at increasing campaign longevity rather than introducing novel exploitation techniques,” Upwind researchers Guy Gilad and Moshe Hassan said.
