In December 2025, Trust Wallet suffered a supply chain attack targeting its Chrome browser extension. The attackers drained an estimated $8.5 million from the wallets of users whose private keys had been exfiltrated by the compromised extension.
Inside the Attack
While the Trust Wallet hack was executed in December 2025, the attack campaign began over a month earlier with the Sha1-Hulud attack targeting npm packages. That attack used a worm that compromised npm developer accounts and inserted malicious code into legitimate repos, allowing the worm to steal additional developer credentials and propagate itself further.
As a result of the Sha1-Hulud incident, the attackers gained access to the Trust Wallet source code and to the project's Chrome Web Store API key. This combination allowed them to build a malicious version of the browser extension that redirected the extension's PostHog analytics reporting to an attacker-controlled domain (api-metrics-trustwallet.com). With the stolen API key, the attackers published the malicious build to the Chrome Web Store as version 2.68, bypassing the project's normal release path.
The attack was launched on December 24, 2025, and continued until 11:00 UTC on December 26. Within this window, any user who was logged in to the Trust Wallet Chrome browser extension had their private keys sent to the attacker. As a result, an estimated $8.5 million was stolen from about 2,520 user wallets.
After detecting the incident, the Trust Wallet team deployed a legitimate version of the extension that removed the malicious functionality. It also promised to reimburse users who were affected by the malicious version of the wallet browser extension.
Lessons Learned from the Attack
The Trust Wallet attack is an example of the dangers a supply chain attack poses to Web3 projects and their users. In this case, a sustained, industry-wide supply chain attack gave the attackers the source code and API keys required to deploy a malicious version of the Trust Wallet browser extension. This malicious update, deployed without passing through the project's standard review processes, was active for a couple of days before being detected, resulting in an estimated $8.5 million in losses.
This incident demonstrates the importance of strong deployment and monitoring processes for off-chain infrastructure (browser extensions, release pipelines, store credentials) as well as for on-chain components. Real-time monitoring of deployed code, comparing what is live in the Chrome Web Store against what the project itself released, could have identified the unauthorized release and enabled it to be removed before it caused significant harm.
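To make that monitoring point concrete, the following is an added example (not code from Halborn or Trust Wallet) of the kind of release-integrity check a project could run against the extension bundle currently published in the store. It flags two things the incident described above exhibits: a published version that is absent from the project's own release ledger, and a network endpoint in the bundle's scripts that is not on the expected allowlist. The sample bundle, the release ledger contents and the allowlist are constructed placeholders; only the version number 2.68 and the domain api-metrics-trustwallet.com come from the write-up.

```python
import json
import re
from typing import Dict, List, Set

# Constructed sample of an unpacked extension bundle as a monitor might fetch it
# from the store listing. File contents are invented; the version and the host
# are the ones named in the incident write-up.
SAMPLE_EXTENSION: Dict[str, str] = {
    "manifest.json": json.dumps({"name": "Trust Wallet", "version": "2.68"}),
    "background.js": (
        'const ph = posthog.init("phc_placeholder", '
        '{api_host: "https://api-metrics-trustwallet.com"});'
    ),
}

# Placeholder release ledger and endpoint allowlist. In practice these would be
# produced by the project's own CI pipeline, not hard-coded.
RELEASED_VERSIONS: Set[str] = {"2.67"}
ALLOWED_HOSTS: Set[str] = {"app.posthog.com", "api.trustwallet.example"}

HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def extract_hosts(files: Dict[str, str]) -> Set[str]:
    """Collect every http(s) hostname referenced in the bundle's JavaScript."""
    hosts: Set[str] = set()
    for name, body in files.items():
        if name.endswith(".js"):
            hosts.update(m.group(1).lower() for m in HOST_RE.finditer(body))
    return hosts


def audit_extension(files: Dict[str, str], released: Set[str],
                    allowed_hosts: Set[str]) -> List[str]:
    """Return findings for a store bundle; an empty list means it matches policy."""
    findings: List[str] = []
    version = json.loads(files["manifest.json"]).get("version", "")
    if version not in released:
        findings.append(f"unreleased version published: {version}")
    for host in sorted(extract_hosts(files) - allowed_hosts):
        findings.append(f"unexpected network endpoint: {host}")
    return findings


if __name__ == "__main__":
    for finding in audit_extension(SAMPLE_EXTENSION, RELEASED_VERSIONS, ALLOWED_HOSTS):
        print("ALERT:", finding)
```

Run on a schedule against the live store listing, a non-empty result is the signal to pull the release and rotate the store credentials.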
Halborn has extensive experience in both the Web2 and Web3 spaces and offers advisory services designed to help projects implement processes and security controls to protect against a wide range of security threats. Get in touch to find out more.
