Trust Wallet Confirms $8.5M Supply-Chain Hack Caused by Leaked Chrome API Key
Trust Wallet has confirmed that a malicious browser extension update pushed over the Christmas holiday was responsible for approximately $8.5 million in stolen user funds, marking one of the most serious wallet supply-chain attacks of 2025.
In a detailed post-incident update, the company revealed that attackers exploited a leaked Google Chrome Web Store API key, allowing them to upload a compromised version of the Trust Wallet extension directly to the Chrome Store without going through internal code review or security checks.
What Happened
Between December 24 and December 26, users who installed Trust Wallet browser extension version 2.68 unknowingly downloaded malware. Initial reports from the community flagged suspicious drains, which Trust Wallet has now confirmed involved malicious code designed to exfiltrate mnemonic seed phrases.
The malware disguised outbound data as routine analytics traffic sent to a fake domain (metrics-trustwallet.com) controlled by the attacker. Because the update was delivered through the official Chrome Web Store using valid credentials, it bypassed typical warning signs.
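Detection logic for the lookalike-domain pattern described above, added here as an example and not taken from Trust Wallet's post-incident update: it scans proxy log lines for hostnames that contain the brand name but do not sit under a domain the organisation owns. The log format, the sample lines, the allowlist entry trustwallet.com and all function names are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Assumptions: the brand token to watch for and the registrable
# domains the organisation really owns.
BRAND_TOKENS = ("trustwallet",)
OWNED_DOMAINS = {"trustwallet.com"}

# Constructed sample proxy log: timestamp, client, method, URL, status.
SAMPLE_LOG = """\
2025-12-25T09:14:02Z 10.0.0.21 POST https://metrics-trustwallet.com/collect 200
2025-12-25T09:14:05Z 10.0.0.21 GET https://api.trustwallet.com/v1/assets 200
2025-12-25T09:15:40Z 10.0.0.34 POST https://metrics-trustwallet.com/collect 200
2025-12-25T09:16:11Z 10.0.0.34 GET https://example.org/index.html 200
2025-12-25T09:17:00Z 10.0.0.50 GET https://trustwallet.com.cdn-example.net/a.js 200
"""

def registrable(host):
    """Naive eTLD+1 (last two labels); adequate for .com-style names only."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def normalise(host):
    """Drop dots and hyphens so 'trust-wallet' still matches the token."""
    return re.sub(r"[^a-z0-9]", "", host.lower())

def is_lookalike(host):
    """True when the brand appears in a host outside every owned domain."""
    if registrable(host) in OWNED_DOMAINS:
        return False
    return any(tok in normalise(host) for tok in BRAND_TOKENS)

def find_lookalikes(log_text):
    """Map each lookalike host to the sorted list of clients that hit it."""
    hits = {}
    for line in log_text.strip().splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines
        _ts, client, _method, url, _status = parts[:5]
        host = urlsplit(url).hostname
        if host and is_lookalike(host):
            hits.setdefault(host, set()).add(client)
    return {h: sorted(c) for h, c in hits.items()}

if __name__ == "__main__":
    for host, clients in find_lookalikes(SAMPLE_LOG).items():
        print(host, clients)
```

A production version would take the registrable domain from the Public Suffix List instead of the last two labels.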
Trust Wallet has stated they have "high confidence" the incident is linked to "Sha1-Hulud," an industry-wide supply chain attack in November 2025 that exposed developer secrets across multiple tech sectors. The company believes this prior breach allowed attackers to access Trust Wallet's source code and the specific API key needed to publish updates.
Financial Impact and Response
The company has identified 2,520 affected wallet addresses, with total losses estimated at $8.5 million.
Trust Wallet has since:
- Revoked the compromised credentials and rolled back to a safe version (v2.69).
- Committed to voluntarily reimbursing all eligible victims, an unusually strong response in the crypto wallet sector.
- Implemented a new verification process to filter out thousands of false claims.
Users who installed version 2.68 are being urged to assume their wallets are compromised, move funds immediately, and regenerate seed phrases on a secure device.
Why This Matters
This incident highlights a critical industry-wide risk: even when application code is secure, control over distribution keys can become a single point of failure.
Unlike traditional smart contract exploits, this attack:
- Required no blockchain vulnerability.
- Targeted end users directly via trusted infrastructure (official app stores).
- Was timed during a holiday period when monitoring is typically lighter.
Security experts note that the sophistication of the attack suggests a highly organized threat actor, raising broader concerns about extension-based wallets and release-key management across the industry.
What Users Should Do Now
- Verify your extension version is 2.69 or higher.
- If version 2.68 was ever installed, treat the wallet as compromised.
- Move funds to a newly generated wallet immediately.
- Submit a claim via Trust Wallet's official support channels if you were affected.
Cora
My name is Cora. With a background in finance and crypto, I’m passionate about digging beyond the headlines to uncover the why behind market-moving events. I enjoy exploring how blockchain, Web3 and crypto innovation are shaping the world we live in.

