Trust Wallet recently confirmed that a supply chain attack known as Shai-Hulud led to an $8.5 million hack of its Google Chrome extension in late 2025. By exploiting exposed GitHub secrets to bypass standard security reviews, attackers pushed a malicious update that stole seed phrases from over 2,500 users.
Trust Wallet disclosed that the November 2025 Shai-Hulud supply chain outbreak resulted in the theft of $8.5 million in digital assets. The breach occurred after developer secrets were exposed on GitHub, providing attackers with the API keys necessary to access the Chrome Web Store. This access allowed the hackers to bypass the company’s internal manual review process and upload a compromised version of the browser extension directly to the public.
Once they gained control, the attackers registered a deceptive domain to host a backdoor capable of harvesting mnemonic seed phrases. Security researchers discovered that the malicious code was designed to trigger every time a user unlocked their wallet, regardless of whether they used a password or biometrics. Furthermore, the malware was programmed to loop through every wallet associated with a user’s account, ensuring that all stored funds were vulnerable to exfiltration.
The stolen data was disguised as standard analytics telemetry to avoid detection during casual code reviews. Investigators traced the attack infrastructure to a hosting provider with a history of supporting cybercriminal activity and state-sponsored operations. Evidence suggests the attack was meticulously planned weeks in advance, with the malicious infrastructure staged well before the trojanized update was officially pushed to users on December 24, 2025.
The impact of the breach was significant, affecting approximately 2,520 wallet addresses and draining funds into 17 different addresses controlled by the threat actors. The incident prompted Trust Wallet to urge over one million users to update to a patched version of the extension immediately. While the first reports of drained wallets surfaced just one day after the malicious update, the full extent of the damage took several days to verify and disclose.
In the aftermath of the hack, Trust Wallet has launched a reimbursement program to compensate those who lost assets. The company is currently reviewing claims on a case-by-case basis to prevent fraudulent requests while it works to return funds to legitimate victims. To bolster its security moving forward, the firm has introduced stricter monitoring and new controls over its software release pipeline to prevent similar API-based exploits.
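One release-pipeline control that fits the pattern described above (a newly registered domain receiving data dressed up as analytics telemetry) is a pre-publish gate that lists every network endpoint in the built extension and fails on any host outside an approved allowlist. The following is an added example, not Trust Wallet's code; the function names, file names, and `.example`/`.test` hostnames are all constructed for illustration.

```javascript
// Added example: pre-publish egress check for an unpacked extension build.
// Every hostname, file name and file body here is constructed sample data.
const URL_RE = /\b(?:https?|wss?):\/\/([a-z0-9.-]+)/gi;

// True when host is an allowlisted domain or a true subdomain of one.
// Requiring the "." boundary rejects lookalikes such as
// "metrics-wallet.example" when only "wallet.example" hosts are approved.
function isAllowed(host, allowlist) {
  const h = host.toLowerCase().replace(/\.+$/, "");
  return allowlist.some((d) => h === d || h.endsWith("." + d));
}

// files: { path: sourceText }. Returns one {file, host} entry per
// unapproved host per file, so a reviewer sees where each one lives.
function findUnapprovedEndpoints(files, allowlist) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    const seen = new Set();
    for (const m of text.matchAll(URL_RE)) {
      const host = m[1].toLowerCase().replace(/\.+$/, "");
      if (seen.has(host) || isAllowed(host, allowlist)) continue;
      seen.add(host);
      findings.push({ file, host });
    }
  }
  return findings;
}

// Constructed allowlist and build contents (assumptions, not real endpoints).
const ALLOWLIST = ["api.wallet.example", "telemetry.wallet.example"];
const BUILD = {
  "background.js": 'fetch("https://api.wallet.example/v1/balance");',
  "analytics.js":
    'const EP = "https://metrics-wallet.example/collect";\n' +
    'fetch("https://telemetry.wallet.example/e");',
};

const findings = findUnapprovedEndpoints(BUILD, ALLOWLIST);
for (const f of findings) {
  console.log(`unapproved endpoint ${f.host} in ${f.file}`);
}
```

A static scan like this only sees literal URLs, so it complements rather than replaces comparing the store-published package against the reviewed build and monitoring the extension's actual outbound traffic.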
Source: Trust Wallet Chrome Extension Hack Drains 85M In Shai Hulud Supply Chain Attack



