
Trust Wallet Reveals Details of $8.5 Million Hack
Trust Wallet reports $8.5M hack via compromised browser extension.
The Trust Wallet team released a report on the incident that occurred on December 26. Attackers compromised the browser extension and extracted assets worth $8.5 million.
According to the statement, the attack affected 2,520 addresses. The developers have pledged to fully compensate the victims for their losses.
How It Happened
The breach was caused by a large-scale supply chain attack known as Sha1-Hulud, identified back in November. At that time, hackers gained access to developers’ secrets on GitHub and the API key for the Chrome Web Store.
Using the stolen data, the attackers:
- Uploaded a malicious version of the extension (2.68) to the Chrome Web Store, bypassing Trust Wallet’s internal controls.
- Registered the domain metrics-trustwallet.com to collect confidential data (seed phrases and private keys).
- Automatically distributed the update among users after passing Google’s review.
The malicious version was active from December 24 to 26. After discovering the issue, the team rolled back the extension to the secure version 2.69 and revoked the compromised keys.
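For teams checking their own workstations against the indicators above, the following is an added example, not code from Trust Wallet's report or from this article. It flags hosts that had version 2.68 installed or that queried the collection domain, and separates queries made on December 24 to 26 from later ones. The log line format, host names, inventory mapping and the year in the sample data are constructed assumptions.

```python
from datetime import datetime

EXFIL_DOMAIN = "metrics-trustwallet.com"      # collection domain named in the report
BAD_VERSION = "2.68"                          # malicious extension version
ACTIVE_DAYS = {(12, 24), (12, 25), (12, 26)}  # (month, day) the build was live
RANK = {"installed-2.68": 1, "contacted-outside-window": 2, "exposed": 3}

def matches_exfil(qname):
    """True for the domain or any subdomain; False for lookalike suffixes."""
    name = qname.strip().rstrip(".").lower()
    return name == EXFIL_DOMAIN or name.endswith("." + EXFIL_DOMAIN)

def triage(dns_lines, inventory):
    """Map host -> highest-ranked finding.

    dns_lines: '<ISO timestamp> <host> <queried name>' (assumed format).
    inventory: host -> installed extension version (assumed to be available).
    """
    findings = {h: "installed-2.68" for h, v in inventory.items() if v == BAD_VERSION}
    for line in dns_lines:
        parts = line.split()
        if len(parts) != 3 or not matches_exfil(parts[2]):
            continue  # malformed line or unrelated query
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # unparseable timestamp
        label = ("exposed" if (when.month, when.day) in ACTIVE_DAYS
                 else "contacted-outside-window")
        host = parts[1]
        if RANK[label] > RANK.get(findings.get(host), 0):
            findings[host] = label
    return findings

# Constructed sample data: hosts, timestamps and the year are illustrative only.
SAMPLE_DNS = [
    "2025-12-25T10:02:11 ws-014 api.metrics-trustwallet.com.",
    "2025-12-25T10:05:40 ws-022 metrics-trustwallet.com.example.org",
    "2025-12-28T08:00:00 ws-031 METRICS-TRUSTWALLET.COM",
    "2025-12-24T09:00:00 ws-040 trustwallet.com",
    "garbage line",
]
SAMPLE_INVENTORY = {"ws-014": "2.68", "ws-050": "2.68", "ws-022": "2.69"}

if __name__ == "__main__":
    for host, finding in sorted(triage(SAMPLE_DNS, SAMPLE_INVENTORY).items()):
        print(host, finding)
```

A host marked `exposed` matches the report's description of affected users, so any wallet opened on it in that window should be treated as having leaked its seed phrase or private key.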
Who Was Affected
The vulnerability exclusively affected users of the desktop extension version 2.68 who accessed the wallet on the specified dates. The Trust Wallet mobile app and other extension versions remained secure.
Analysts identified 17 addresses controlled by the hacker. The total damage amounted to $8.5 million.
“We view this incident not only as a critical lesson for us but also as a turning point for the entire industry regarding supply chain attacks,” noted Trust Wallet.
Compensation Process
The company has already begun working with the victims of the hack. To receive compensation, users must submit an application through the official support form and verify wallet ownership.
Trust Wallet highlighted the complexity of the process due to a surge of fraudsters. More than 5,000 applications have already been submitted for 2,520 affected addresses. The team urged users to be patient and wary of phishing: official support never requests seed phrases.
To prevent similar situations in the future, the project has strengthened security measures, including code dependency audits and credential rotation.
Back in 2025, the volume of funds stolen through phishing attacks decreased by 83%, amounting to $83.85 million, according to SlowMist.