Supply‑chain breach of Trust Wallet Chrome extension led to $8.5M theft


Trust Wallet says a Shai‑Hulud supply‑chain outbreak in November 2025 likely enabled attackers to compromise its Google Chrome extension and steal about $8.5 million in crypto assets. The company reported that leaked developer GitHub secrets exposed its extension source code and the Chrome Web Store API key.

With that key, the attackers uploaded builds directly, bypassing Trust Wallet's normal release approvals. They registered the domain metrics‑trustwallet[.]com and pushed a trojanized extension that sent users' wallet mnemonic phrases to api.metrics‑trustwallet[.]com, according to the post‑mortem and analysis by security firm Koi.

Koi researchers Oren Yomtov and Yuval Ronen said the malicious code runs on every unlock, not just during seed import, and loops through every wallet in an account. Seed phrases were hidden in an errorMessage field inside unlock telemetry and exfiltrated regardless of whether users protected the extension with a password or biometrics.

The domain resolves to 138.124.70.40, hosted by Stark Industries Solutions, a bulletproof hosting provider the report links to prior state‑sponsored and criminal activity. Querying the server returned the message "He who controls the spice controls the universe," and headers indicate the infrastructure was staged by December 8, weeks before the malicious update was pushed on December 24, 2025.
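The exfiltration channel described above (seed phrases placed in an `errorMessage` field of unlock telemetry) can be caught by inspecting outbound telemetry before release or at an egress proxy. The following is an added example, not code from Trust Wallet or Koi: the function names, allowlisted host and sample requests are assumptions constructed for illustration, and the mnemonic check is a shape heuristic (a run of 12 or more lowercase words of 3 to 8 letters, the shape of a BIP-39 English phrase), not a wordlist lookup.

```javascript
// Added example: flag telemetry requests whose JSON body carries a mnemonic-shaped string.
const MIN_WORDS = 12;             // shortest BIP-39 phrase length
const WORD = /^[a-z]{3,8}$/;      // BIP-39 English words are 3-8 lowercase letters

// True if the text contains a run of at least MIN_WORDS mnemonic-shaped words.
function looksLikeMnemonic(text) {
  let run = 0;
  for (const token of text.trim().split(/\s+/)) {
    run = WORD.test(token) ? run + 1 : 0;
    if (run >= MIN_WORDS) return true;
  }
  return false;
}

// Walk any JSON value and return the paths of string fields that look like a seed phrase.
function findSeedLikeFields(value, path = "$") {
  if (typeof value === "string") return looksLikeMnemonic(value) ? [path] : [];
  if (Array.isArray(value)) {
    return value.flatMap((v, i) => findSeedLikeFields(v, `${path}[${i}]`));
  }
  if (value && typeof value === "object") {
    return Object.entries(value).flatMap(([k, v]) => findSeedLikeFields(v, `${path}.${k}`));
  }
  return [];
}

// Inspect one captured request; block on an unknown host or any seed-shaped field.
function inspectRequest({ url, body }, allowedHosts) {
  const host = new URL(url).hostname;
  let payload;
  try { payload = JSON.parse(body); } catch { payload = body; } // non-JSON: scan raw text
  const seedFields = findSeedLikeFields(payload);
  const hostAllowed = allowedHosts.includes(host);
  return { host, hostAllowed, seedFields, block: !hostAllowed || seedFields.length > 0 };
}

// Constructed sample data (public BIP-39 test phrase, placeholder hosts).
const SAMPLE_PHRASE = "abandon ".repeat(11) + "about";
const ALLOWED = ["telemetry.wallet.example"];
const SAMPLE_BAD = {
  url: "https://api.metrics-lookalike.example/v1/event",
  body: JSON.stringify({ event: "unlock", ok: true, errorMessage: SAMPLE_PHRASE }),
};
const SAMPLE_OK = {
  url: "https://telemetry.wallet.example/v1/event",
  body: JSON.stringify({ event: "unlock", ok: false, errorMessage: "failed to decrypt the vault" }),
};

console.log(inspectRequest(SAMPLE_BAD, ALLOWED), inspectRequest(SAMPLE_OK, ALLOWED));
```

The content check matters independently of the host allowlist: a seed-shaped field is flagged even when the destination is an approved telemetry host.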


Key Topics

Crypto, Trust Wallet, Shai-hulud, Chrome Web Store, Metrics-trustwallet, Stark Industries Solutions