Trust Wallet Chrome Extension Hack Drains $8.5M via Shai-Hulud Supply Chain Attack

By Team-CWD, January 6, 2026
Trust Wallet on Tuesday revealed that the second iteration of the Shai-Hulud (aka Sha1-Hulud) supply chain outbreak in November 2025 was likely responsible for the hack of its Google Chrome extension, ultimately resulting in the theft of approximately $8.5 million in assets.

“Our Developer GitHub secrets were exposed in the attack, which gave the attacker access to our browser extension source code and the Chrome Web Store (CWS) API key,” the company said in a post-mortem published Tuesday.

“The attacker obtained full CWS API access via the leaked key, allowing builds to be uploaded directly without Trust Wallet’s standard release process, which requires internal approval/manual review.”

Subsequently, the attacker is said to have registered the domain “metrics-trustwallet[.]com” and pushed a trojanized version of the extension containing a backdoor that harvests users’ wallet mnemonic phrases and exfiltrates them to the sub-domain “api.metrics-trustwallet[.]com.”

Cybersecurity company Koi said the malicious code triggers on every unlock and not just during seed phrase import, causing sensitive data to be exfiltrated regardless of whether victims used a password or biometrics, and whether the wallet extension had been used for months or just opened once after it was updated to version 2.68.

“The code loops through every wallet in the user’s account, not just the active one. If you had multiple wallets configured, all of them were compromised,” researchers Oren Yomtov and Yuval Ronen said. “Seed phrases are stuffed into a field called errorMessage inside what looks like standard unlock telemetry. A casual code review sees an analytics event tracking unlock success with some error metadata.”
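The hiding technique described above, a seed phrase parked in an analytics field that reviewers expect to hold error text, is something an outbound-telemetry check can catch. The following is an added example (not Trust Wallet's or Koi's code) that walks telemetry events and flags values that have the shape of a BIP-39 mnemonic regardless of the key name; the wordlist subset and the sample events are constructed for the demo, and real use would load the full 2048-word BIP-39 list and the extension's captured requests.

```python
# Added example, not Trust Wallet's or Koi's code: flag seed phrases smuggled
# inside telemetry fields such as "errorMessage". Wordlist subset and sample
# events are constructed; real use loads the full 2048-word BIP-39 list.
import re

# Constructed subset of the BIP-39 English wordlist, enough for the samples.
BIP39_SUBSET = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse access
accident account accuse achieve acid acoustic acquire across act action
""".split())

MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}   # valid BIP-39 phrase sizes
WORD_RE = re.compile(r"^[a-z]{3,8}$")     # shape of a BIP-39 word

def looks_like_mnemonic(value, wordlist=BIP39_SUBSET, min_ratio=0.9):
    """True if the string has a valid mnemonic word count and nearly every
    token is in the wordlist (one unknown or misspelt word is tolerated)."""
    if not isinstance(value, str):
        return False
    tokens = value.strip().lower().split()
    if len(tokens) not in MNEMONIC_LENGTHS:
        return False
    if not all(WORD_RE.match(t) for t in tokens):
        return False
    return sum(t in wordlist for t in tokens) / len(tokens) >= min_ratio

def scan_event(event, path="$"):
    """Walk a telemetry event (nested dicts/lists) and return JSON-path style
    locations of values that look like seed phrases, whatever the key name."""
    findings = []
    if isinstance(event, dict):
        for key, val in event.items():
            findings += scan_event(val, f"{path}.{key}")
    elif isinstance(event, list):
        for i, val in enumerate(event):
            findings += scan_event(val, f"{path}[{i}]")
    elif looks_like_mnemonic(event):
        findings.append(path)
    return findings

# Constructed samples: a benign unlock event, and one shaped like the described
# backdoor with a 12-word phrase parked in "errorMessage".
BENIGN_EVENT = {"event": "wallet_unlock", "success": False,
                "errorMessage": "Incorrect password, 2 attempts left"}
MALICIOUS_EVENT = {"event": "wallet_unlock", "success": True,
                   "errorMessage": "abandon ability able about above absent "
                                   "absorb abstract absurd abuse access accident"}

if __name__ == "__main__":
    print(scan_event(BENIGN_EVENT), scan_event(MALICIOUS_EVENT))
```

Because the scan walks lists as well as dicts, a payload carrying one entry per configured wallet reports every offending position rather than only the first.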

The domain “metrics-trustwallet[.]com,” for its part, resolves to “138.124.70.40,” which is hosted on Stark Industries Solutions, a bulletproof hosting service provider that was incorporated in the U.K. in February 2022, just two weeks prior to Russia’s full-scale invasion of Ukraine. It has a history of enabling Russian state-sponsored cyber operations, as well as other cybercriminal activity.

Interestingly, Koi’s analysis also found that querying the server directly returned the response “He who controls the spice controls the universe,” a Dune reference that echoes similar references observed in the Shai-Hulud npm incident.

“The Last-Modified header reveals the infrastructure was staged by December 8 – over two weeks before the malicious update was pushed on December 24,” it added. “This wasn’t opportunistic. It was planned.”

The disclosure comes days after Trust Wallet urged about one million users of its Chrome extension to update to version 2.69 after a malicious update (version 2.68) was pushed by unknown threat actors on December 24, 2025, to the browser’s extension marketplace.

The security incident ultimately led to $8.5 million in cryptocurrency assets being drained from 2,520 wallet addresses into no fewer than 17 wallet addresses controlled by the attacker. The first wallet-draining activity was publicly reported a day after the malicious update.

Trust Wallet has since initiated a reimbursement claim process for impacted victims. The company noted that reviews of submitted claims are ongoing and are being handled on a case-by-case basis. It also stressed that processing times may vary with each case due to the need to distinguish between victims and bad actors, and further protect against fraud.

To prevent such breaches from occurring again, Trust Wallet said it has implemented additional monitoring capabilities and controls related to its release processes.

“Sha1-Hulud was an industry-wide software supply chain attack that affected companies across multiple sectors, including but not limited to crypto,” the company said. “It involved malicious code being introduced and distributed through commonly-used developer tooling. This allowed attackers to gain access through trusted software dependencies rather than directly targeting individual organizations.”

Trust Wallet’s disclosure coincides with the emergence of Shai-Hulud 3.0, which adds heavier obfuscation and reliability improvements while remaining laser-focused on stealing secrets from developer machines.

“The primary difference lies in string obfuscation, error handling, and Windows compatibility, all aimed at increasing campaign longevity rather than introducing novel exploitation techniques,” Upwind researchers Guy Gilad and Moshe Hassan said.


