Trust Wallet Chrome Extension Hack Linked to Shai-Hulud Supply Chain Attack, $8.5M Stolen

Trust Wallet has disclosed that a supply chain attack associated with the Shai-Hulud campaign was behind the recent compromise of its Google Chrome browser extension, an incident that resulted in the theft of approximately $8.5 million in cryptocurrency assets.

In a post-mortem released Tuesday, the company said the attack stemmed from the exposure of internal developer GitHub secrets, which granted the attacker unauthorized access to Trust Wallet’s browser extension source code as well as its Chrome Web Store (CWS) API key.

According to the company, possession of the leaked API key allowed the attacker to upload extension builds directly to the Chrome Web Store without passing through Trust Wallet’s standard release process, which normally requires internal approvals and manual review.

Following the breach, the attacker registered the domain metrics-trustwallet[.]com and distributed a trojanized version of the Chrome extension containing a hidden backdoor. The malicious code was designed to harvest users’ wallet mnemonic phrases and exfiltrate them to the subdomain api.metrics-trustwallet[.]com.

Cybersecurity firm Koi, which analyzed the malicious update, said the backdoor was triggered every time the wallet was unlocked, not only during seed phrase imports. As a result, sensitive information was exfiltrated regardless of whether users authenticated using passwords or biometrics, and irrespective of how long the extension had been installed.

Koi researchers Oren Yomtov and Yuval Ronen noted that the malware systematically iterated through every wallet associated with a user account, rather than limiting itself to the active wallet. In cases where multiple wallets were configured, all were compromised. Seed phrases were covertly embedded within a field labeled errorMessage, masquerading as routine telemetry data related to unlock events.

The domain used to receive the stolen data resolves to the IP address 138.124.70.40, which is hosted by Stark Industries Solutions, a bulletproof hosting provider. Stark Industries was incorporated in the United Kingdom in February 2022 and has previously been linked to Russian state-aligned cyber operations and other cybercriminal activity.
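The exfiltration pattern described above (a mnemonic hidden in an errorMessage field, posted to the attacker's metrics-trustwallet[.]com host) is something a defender can check for in captured extension traffic. The following is an added detection example, not code from Trust Wallet or Koi; the request samples are constructed, and the mnemonic check is a shape heuristic (12 to 24 words of 3 to 8 lowercase letters, the BIP39 word-length range) rather than a full wordlist lookup.

```python
import json
import re

# Indicators named in the Koi / Trust Wallet write-up above.
EXFIL_DOMAINS = ("metrics-trustwallet.com",)   # subdomains such as api. are covered below
EXFIL_IP = "138.124.70.40"

# Heuristic (assumption): BIP39 words are 3-8 lowercase letters and a mnemonic has
# 12, 15, 18, 21 or 24 of them. The 2048-word list is not embedded here.
_WORD_RE = re.compile(r"[a-z]{3,8}")
_MNEMONIC_LENGTHS = (12, 15, 18, 21, 24)


def looks_like_mnemonic(text):
    """True if the string has the shape of a BIP39 seed phrase."""
    words = text.split()
    return len(words) in _MNEMONIC_LENGTHS and all(_WORD_RE.fullmatch(w) for w in words)


def is_known_exfil_host(host):
    """Match the attacker domain, any of its subdomains, or its hosting IP."""
    host = host.lower().rstrip(".")
    return host == EXFIL_IP or any(host == d or host.endswith("." + d) for d in EXFIL_DOMAINS)


def walk_strings(obj, path=""):
    """Yield (json_path, value) for every string nested inside a decoded JSON body."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from walk_strings(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from walk_strings(v, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj


def inspect_request(host, body):
    """Return a list of findings for one outbound request (destination host + JSON body)."""
    findings = []
    if is_known_exfil_host(host):
        findings.append(f"destination {host} matches known Shai-Hulud exfil infrastructure")
    try:
        data = json.loads(body)
    except ValueError:
        return findings   # not JSON; nothing more to inspect here
    for path, value in walk_strings(data):
        if looks_like_mnemonic(value):
            findings.append(f"field {path!r} carries a {len(value.split())}-word mnemonic-shaped string")
    return findings


# Constructed samples: one mimicking the trojanized "unlock telemetry", one benign error report.
SAMPLE_REQUESTS = [
    ("api.metrics-trustwallet.com",
     '{"event":"unlock","errorMessage":"alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima"}'),
    ("telemetry.example.com",
     '{"event":"unlock","errorMessage":"Failed to decrypt vault: invalid password"}'),
]
```

Run `inspect_request` over each tuple in `SAMPLE_REQUESTS`; only the first returns findings (two of them: the destination and the errorMessage field).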

Koi’s investigation also uncovered a response message returned when directly querying the malicious server: “He who controls the spice controls the universe,” a reference to the Dune franchise. Similar thematic references have previously been observed in earlier Shai-Hulud-related incidents. Analysis of HTTP headers further revealed that the attacker’s infrastructure was staged as early as December 8, more than two weeks before the malicious update was pushed to users on December 24, indicating a deliberate and well-planned operation.

The disclosure comes shortly after Trust Wallet urged roughly one million Chrome extension users to update to version 2.69, following the discovery that the compromised version 2.68 had been distributed through the Chrome Web Store by unknown threat actors. Wallet-draining activity linked to the malicious update was publicly reported the day after it was released.

In total, investigators determined that funds worth approximately $8.5 million were drained from 2,520 wallet addresses and transferred to at least 17 attacker-controlled wallets.

Trust Wallet said it has begun processing reimbursement claims for affected users, noting that each claim is being reviewed individually. The company added that verification procedures are necessary to distinguish legitimate victims from potential fraudulent claims, which may result in varying processing times.

To prevent similar incidents in the future, Trust Wallet stated that it has implemented additional monitoring and controls across its release pipeline.

The company characterized the incident as part of a broader industry-wide software supply chain attack, explaining that Shai-Hulud campaigns focus on injecting malicious code into commonly used developer tools rather than directly targeting individual organizations.

The disclosure coincides with reports of Shai-Hulud 3.0, a newer iteration of the campaign that features enhanced obfuscation, improved reliability, and greater compatibility with Windows systems. According to researchers at Upwind, the latest version prioritizes campaign longevity and stealth rather than introducing new exploitation techniques.
