Trust Wallet has disclosed that a major security breach affecting its Google Chrome browser extension was the result of the second wave of the Shai-Hulud supply chain attack, identified in November 2025. The incident led to the theft of nearly $8.5 million in cryptocurrency assets, marking one of the most significant browser extension compromises in the crypto ecosystem.
According to Trust Wallet, the attackers got in after the company's developer GitHub secrets were exposed, which gave them unauthorized access to the extension's source code and to the Chrome Web Store API. With full API access, they could upload builds directly to the store, so Trust Wallet's internal approval and manual review steps were never involved.
With that access, the threat actors registered the domain metrics-trustwallet[.]com and published a trojanized version of the Chrome extension. The malicious update communicated with the subdomain api.metrics-trustwallet[.]com, where a hidden backdoor collected users' wallet recovery phrases.
How the Attack Worked
Cybersecurity firm Koi found that the malicious logic ran every time the wallet was unlocked, not only when a seed phrase was imported. Whether the user unlocked with a password or with biometrics made no difference, and neither did how actively the extension was used: a single unlock after the update to version 2.68 was enough for the recovery phrase to be exfiltrated.
Researchers Oren Yomtov and Yuval Ronen noted that the malware iterated through all wallets linked to a user account, not just the currently active one, so users with multiple wallets had all of them compromised. The stolen recovery phrases were embedded in a field named errorMessage, which made the traffic look like routine analytics about unlock events and helped it escape casual inspection.
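The exfiltration trick described above, a seed phrase hidden in an errorMessage field of an otherwise ordinary analytics beacon, is easy to miss if you only look at field names. The following is an added example (not Trust Wallet's, Koi's or the malware's code) of triage logic that scans captured requests for two things: traffic to the infrastructure named in this article, and any JSON leaf whose value has the shape of a BIP-39 mnemonic, whatever the field is called. The request records, the analytics.example.com and cdn.example.net hosts, and the field layout are constructed for the example; the two seed phrases are the public BIP-39 test vectors, not funded wallets. The mnemonic check is a heuristic (word count and word shape only) and does not verify the 2048-word list or the checksum, which is an assumption made to keep the example self-contained.

```python
"""Flag analytics-style requests that carry seed phrases (added example)."""
import json
import re
from urllib.parse import urlparse

# Network indicators named in the article (written defanged in prose).
IOC_DOMAINS = {"metrics-trustwallet.com"}
IOC_IPS = {"138.124.70.40"}

# A BIP-39 mnemonic is 12, 15, 18, 21 or 24 lowercase English words of
# 3 to 8 letters. Assumption: shape alone is good enough for triage; this
# does NOT check the 2048-word list or the checksum.
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}
WORD_RE = re.compile(r"[a-z]{3,8}")


def refang(text):
    """Turn defanged IOCs like 'api.metrics-trustwallet[.]com' back into hostnames."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def looks_like_mnemonic(value):
    """True if value is a string of 12/15/18/21/24 lowercase 3-8 letter words."""
    if not isinstance(value, str):
        return False
    words = value.split()
    return len(words) in MNEMONIC_LENGTHS and all(WORD_RE.fullmatch(w) for w in words)


def is_ioc_host(host):
    """Match the bare domain, any subdomain of it, or the known IP."""
    host = refang(host).lower().rstrip(".")
    if host in IOC_IPS:
        return True
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def walk(obj, path=""):
    """Yield (dotted_path, leaf_value) for every leaf of a parsed JSON object."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from walk(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from walk(val, f"{path}[{i}]")
    else:
        yield path, obj


def analyse_request(req):
    """Return findings for one captured request dict with 'url' and 'body'.

    The host check catches traffic to the known infrastructure; the body check
    catches the same trick on a domain not seen before, because it keys on the
    shape of the value rather than on the field name 'errorMessage'.
    """
    findings = []
    host = urlparse(refang(req["url"])).hostname or ""
    if is_ioc_host(host):
        findings.append(f"request to known malicious host {host}")
    try:
        body = json.loads(req.get("body") or "null")
    except ValueError:
        return findings  # not JSON; nothing more to inspect here
    for path, value in walk(body):
        if looks_like_mnemonic(value):
            findings.append(f"mnemonic-like value in field '{path}'")
    return findings


# Constructed sample traffic (not real captures). Record 0 mimics the backdoor's
# beacon: an unlock event whose errorMessage is really a seed phrase.
SEED_A = "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
SEED_B = "legal winner thank year wave sausage worth useful legal winner thank yellow"
SAMPLE_REQUESTS = [
    {"url": "https://api.metrics-trustwallet[.]com/v1/metrics",
     "body": json.dumps({"event": "wallet_unlock", "errorMessage": SEED_A})},
    {"url": "https://analytics.example.com/collect",
     "body": json.dumps({"event": "wallet_unlock",
                         "errorMessage": "network timeout while fetching balance"})},
    {"url": "https://cdn.example.net/telemetry",
     "body": json.dumps({"wallets": [{"name": "savings", "note": SEED_B}]})},
]


def scan(requests):
    """Map request index -> findings, keeping only requests that produced any."""
    return {i: f for i, f in ((i, analyse_request(r)) for i, r in enumerate(requests)) if f}


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_REQUESTS).items():
        print(f"request {idx}: " + "; ".join(findings))
```

Run against the samples, request 0 is flagged on both the host and the errorMessage value, request 1 (a genuine-looking error string on a benign host) is not flagged, and request 2 is flagged on content alone even though its host is unknown. Expect some false positives from twelve-word lowercase sentences; checking words against the real BIP-39 list and validating the checksum removes most of them.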
Infrastructure and Attribution Clues
Analysis showed that metrics-trustwallet[.]com resolved to the IP address 138.124.70.40, hosted by Stark Industries Solutions. This hosting provider, incorporated in the United Kingdom in early 2022, has previously been associated with Russian state-aligned cyber operations and other illicit online activity.
Investigators also observed a response message from the server stating, “He who controls the spice controls the universe,” a reference to the Dune franchise. This echoed similar references seen during the earlier Shai-Hulud npm-related incidents, strengthening the link between the campaigns.
Header data indicated that the malicious infrastructure had been staged as early as December 8, 2025, more than two weeks before the infected extension update was released on December 24, 2025, which points to a planned operation rather than an opportunistic one.
Impact and Response
The malicious update led to cryptocurrency theft from 2,520 wallet addresses, with funds consolidated into at least 17 attacker-controlled wallets. Public reports of wallet draining surfaced within a day of the compromised update being published.
Trust Wallet subsequently urged its roughly one million Chrome extension users to upgrade to version 2.69, which removes the malicious code. Upgrading does not, however, invalidate recovery phrases that were already sent to the attackers: any wallet unlocked while version 2.68 was installed should be treated as compromised and its funds moved to a new wallet generated from a fresh seed. The company has also launched a reimbursement claim process for affected users, stating that claims are being reviewed individually and that verification is needed to separate genuine victims from fraudulent claims.
To reduce the likelihood of similar incidents in the future, the company has implemented enhanced monitoring and additional controls across its release pipeline.
Broader Supply Chain Threat
Trust Wallet described Shai-Hulud as a cross-industry supply chain attack that impacted organizations beyond the cryptocurrency sector. The campaign relied on injecting malicious code into trusted development tools and dependencies, allowing attackers to infiltrate systems indirectly rather than targeting companies head-on.
At the same time, researchers have identified the emergence of Shai-Hulud 3.0, which introduces stronger obfuscation, improved error handling, and better Windows compatibility. According to analysts, these updates are designed to extend the campaign’s lifespan and reliability, while maintaining a primary focus on stealing sensitive developer credentials.