Trust Wallet Chrome Extension Hack (December 2025)
Summary
On December 24, 2025, a malicious version (v2.68) of the Trust Wallet Chrome extension was published to the Chrome Web Store using a stolen Chrome Web Store API key obtained via the Shai-Hulud 2.0 npm supply chain worm in November 2025. The backdoored extension silently exfiltrated decrypted seed phrases from 2,520 to 2,596 wallet addresses (figure varies by source and verification cutoff) to an attacker-controlled server, resulting in approximately $7–8.5 million in cryptocurrency losses over roughly 48 hours. Trust Wallet (a Binance subsidiary) voluntarily committed to reimbursing all verified victims and released an emergency clean patch (v2.69) on December 26, 2025.
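A defender-side check built from the indicators this page names (the exfiltration domain, the follow-on phishing domain, and the v2.68 publication and window-close times from the timeline), as an added example that is not part of the original investigation. It scans DNS or proxy lookups and labels each client; the log format, client names and sample lines are constructed assumptions.

```python
from datetime import datetime, timezone

# Indicators and times as given on this page.
EXFIL_ZONE = "metrics-trustwallet.com"
PHISH_ZONE = "fix-trustwallet.com"
WINDOW_START = datetime(2025, 12, 24, 12, 32, tzinfo=timezone.utc)  # v2.68 published
WINDOW_END = datetime(2025, 12, 26, 11, 0, tzinfo=timezone.utc)  # approximate close

# Constructed sample; assumed format "<UTC timestamp> <client> <queried name>".
SAMPLE_LOG = """\
2025-12-24T09:15:00Z ws-014 trustwallet.com
2025-12-24T13:05:41Z ws-014 api.metrics-trustwallet.com
2025-12-25T08:00:12Z ws-022 API.Metrics-TrustWallet.com.
2025-12-25T08:01:00Z ws-031 notmetrics-trustwallet.com
2025-12-27T10:00:00Z ws-040 api.metrics-trustwallet.com
2026-01-02T16:20:09Z ws-031 fix-trustwallet.com
truncated line
"""

def in_zone(name, zone):
    """True if name is the zone or a subdomain of it (label-boundary match)."""
    name = name.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def classify(ts, name):
    """Label one lookup, or return None when it matches no indicator."""
    if in_zone(name, PHISH_ZONE):
        return "phishing-domain-contact"
    if in_zone(name, EXFIL_ZONE):
        in_window = WINDOW_START <= ts <= WINDOW_END
        return "exfil-in-window" if in_window else "exfil-domain-outside-window"
    return None

def scan(log_text):
    """Map each client to the sorted labels raised by its lookups."""
    findings = {}
    for line in log_text.splitlines():
        try:
            stamp, client, name = line.split()
            ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            continue  # malformed or truncated line
        label = classify(ts, name)
        if label:
            findings.setdefault(client, set()).add(label)
    return {client: sorted(labels) for client, labels in findings.items()}

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A label shows only that a client looked up the domain; whether a wallet was unlocked on that machine during the window has to be established separately.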
Timeline (13 events)
2025-09-01
Initial Shai-Hulud npm supply chain worm first observed targeting the npm ecosystem, harvesting developer credentials.
Palo Alto Unit 42
2025-11-24
Shai-Hulud 2.0 campaign peaks: over 640 npm packages infected and more than 25,000 malicious data-leaking GitHub repositories created. Trust Wallet's developer GitHub secrets, including its Chrome Web Store API key, are exposed in the campaign.
SecurityWeek / Security Affairs
2025-12-08
Attacker registers domain metrics-trustwallet.com (and subdomain api.metrics-trustwallet.com) at 02:28:18 UTC via registrar NICENIC INTERNATIONAL, pre-staging exfiltration infrastructure more than two weeks before deployment.
SlowMist / BlockSec analysis
2025-12-09
Microsoft Security Blog publishes Shai-Hulud 2.0 detection and defense guidance, indicating broad industry awareness of the credential-theft campaign.
Microsoft Security Blog
2025-12-21
First observed outbound request to api.metrics-trustwallet.com, indicating the attacker was testing or warming up the exfiltration endpoint.
SlowMist / Rescana analysis
2025-12-24
Malicious Trust Wallet Chrome extension v2.68 submitted and published to Chrome Web Store at 12:32 UTC using the stolen CWS API key. Google's automated review passes the build. Wallet-draining begins as users unlock wallets.
Trust Wallet official post-mortem / BleepingComputer
2025-12-25
On-chain investigator ZachXBT flags wallet-draining activity via Telegram, identifying attacker-controlled addresses receiving funds from hundreds of victims. Trust Wallet's security team and analytics partners independently flag the activity.
The Block / CryptoTimes
2025-12-26
Trust Wallet issues emergency user alert and releases clean patch v2.69 (functionally v2.67 code). Exfiltration window closes at approximately 11:00 UTC per Trust Wallet's official statement. CoinDesk publishes first major media coverage.
Trust Wallet official / CoinDesk
2025-12-28
Shai-Hulud 3.0 variant discovered, incorporating TruffleHog for credential scanning and removing the 'dead man switch' wiper functionality present in earlier versions.
SecurityWeek
2025-12-29
Trust Wallet CEO Eowyn Chen publicly confirms 2,596 affected wallet addresses, approximately $7 million in losses, and voluntary reimbursement commitment. New Shai-Hulud repository creation drops to a handful per day.
BleepingComputer / Trust Wallet
2025-12-30
Trust Wallet publishes official incident statement on its blog detailing attack vector, scope, remediation actions, and reimbursement process.
Trust Wallet official blog
2026-01-01
BleepingComputer identifies attacker-registered follow-on phishing domain fix-trustwallet.com impersonating Trust Wallet's remediation guidance to harvest seed phrases from victims.
BleepingComputer
2026-02-14
Trust Wallet's reimbursement claim submission deadline. Approximately 95% of claims for affected funds reported received, with remaining claims under review.
Phemex News
Decision Log
- hash: DeCkT33pxTU7XiCJ3AKjF7grM8ZYx5gb3QantD5wRoJD
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-sonnet-4-6
generated: 6/2/2026, 8:11:42 PM
last updated: 6/2/2026, 8:12:12 PM
avoid.net — verified advice for a post-truth world