8.5 million dollars: one of the largest robberies due to a Chrome extension

The hacking of the Trust Wallet Chrome extension, which occurred in November 2025, has exposed serious vulnerabilities in the company’s security, resulting in the theft of approximately 8.5 million dollars in assets. In a post-incident analysis, Trust Wallet revealed that the secrets of its GitHub repository were exposed, allowing the attacker to access the source code of the extension and the API key for the Chrome Web Store (CWS).

A million-dollar robbery

With full access to the CWS API thanks to the leaked key, the attacker was able to upload malicious versions of the extension without going through Trust Wallet's usual review process. A malicious domain, “metrics-trustwallet[.]com”, was registered and used to distribute a trojanized version of the extension, designed to steal users’ mnemonic phrases and provide unauthorized access to their wallets.

This attack took place in the broader context of a software supply chain incident known as Sha1-Hulud. That incident has affected multiple companies, allowing attackers to introduce malicious code through commonly used development tools. The new version of this malware, Shai-Hulud 3.0, has arrived with improvements in obfuscation and reliability, which could make it more difficult to detect.

In light of this event, Trust Wallet has initiated a refund claim process for the victims, handling each case individually to protect against fraud. The company has also implemented additional monitoring capabilities and controls around its release processes, in order to prevent future incidents of this nature.

In a message following the attack, Trust Wallet urged about a million users of its extension to update to version 2.69, after a malicious update was made available. The recovery of stolen assets and the restoration of user trust will be essential for the platform in the coming months.