Overview
Trust Wallet confirmed that a supply-chain attack via a compromised Chrome extension update resulted in losses of approximately $8.5 million. A leaked Google Chrome Web Store API key allowed attackers to upload a malicious version of the Trust Wallet browser extension directly to the official Web Store, bypassing code review and security checks.
Attack Details
- Attack period: December 24–26, 2025
- Extension version: 2.68
- Victim count: 2,520 wallet addresses
- Method: Malicious code disguised as analytics traffic to a fake domain metrics-trustwallet[.]com
Technical Analysis
Supply-chain attack category: Key compromise. Unlike typical smart contract exploits, this incident targeted the distribution mechanism. Private credentials used to publish the extension were exposed, enabling injection of exfiltration code into the release pipeline. No on-chain vulnerability was exploited; end users were targeted via trusted infrastructure.
Response Measures
- Revoked compromised API credentials immediately.
- Rolled back to secure extension version 2.69.
- Implemented enhanced release-key management and multi-factor authentication on deployment systems.
- Offered reimbursement to all eligible victims, covering full losses.
Industry Implications
Critical infrastructure elements such as distribution keys represent a single point of failure. Extension-based wallets should adopt rigorous credential rotation, monitoring of publisher accounts, and out-of-band code signing to mitigate similar risks. Security teams must consider supply-chain vectors with the same priority as smart contract audits.
User Recommendations
Users who installed version 2.68 must assume compromise, move funds to new wallets generated on a secure device, and regenerate seed phrases. Verification of extension version and update to v2.69 or higher is mandatory. Claims for reimbursement should be submitted via official Trust Wallet support channels.
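For teams triaging a fleet, the two indicators in this write-up (extension version 2.68 and lookups of metrics-trustwallet[.]com) can be correlated per host. The following is an added example, not code from Trust Wallet or the original article; the inventory and DNS log formats, the host names, the sample rows and the extension-ID placeholder are all assumptions.

```python
# Added example: inventory/log formats and all sample rows are constructed.
IOC_DOMAIN = "metrics-trustwallet[.]com".replace("[.]", ".")  # from the article
BAD_VERSION = (2, 68)      # compromised release named in the article
FIXED_VERSION = (2, 69)    # article: update to v2.69 or higher
EXT_ID = "<trust-wallet-extension-id>"  # placeholder: ID is not in the article

def parse_version(v):
    """'2.68', 'v2.69' or '2.67.1' -> (major, minor) tuple for comparison."""
    parts = [int(p) for p in v.strip().lstrip("v").split(".")]
    return tuple((parts + [0, 0])[:2])

def is_ioc(qname):
    """True for the IoC domain or a subdomain of it, not look-alike suffixes."""
    name = qname.strip().lower().rstrip(".").replace("[.]", ".")
    return name == IOC_DOMAIN or name.endswith("." + IOC_DOMAIN)

def triage(inventory, dns_lines):
    """Map host -> verdict from (host, ext_id, version) rows and DNS log lines."""
    verdicts = {}
    for host, ext_id, version in inventory:
        if ext_id != EXT_ID:
            continue  # a different extension that happens to share a version
        v = parse_version(version)
        if v == BAD_VERSION:
            verdicts[host] = "assume compromise: 2.68 installed"
        elif v < FIXED_VERSION:
            verdicts[host] = "update required"
        else:
            verdicts[host] = "ok"
    for line in dns_lines:  # assumed format: "<timestamp> <host> <qname>"
        fields = line.split()
        if len(fields) >= 3 and is_ioc(fields[2]):
            # An observed lookup outranks whatever the inventory says.
            verdicts[fields[1]] = "IoC lookup at " + fields[0]
    return verdicts

SAMPLE_INVENTORY = [("ws-01", EXT_ID, "2.68"), ("ws-02", EXT_ID, "2.69"),
                    ("ws-03", EXT_ID, "2.67.1"), ("ws-04", "<other-id>", "2.68"),
                    ("ws-06", EXT_ID, "2.68")]
SAMPLE_DNS = ["2025-12-25T09:14:02Z ws-01 metrics-trustwallet.com.",
              "2025-12-26T11:02:13Z ws-05 API.Metrics-TrustWallet.com",
              "2025-12-26T11:05:00Z ws-02 metrics-trustwallet.com.cdn.example"]

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_INVENTORY, SAMPLE_DNS).items()):
        print(host, verdict)
```

A host that appears only in the DNS log (ws-05 in the sample) is still reported, which catches machines missing from the extension inventory.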