
Trust Wallet notified thousands of users Jan. 3 to abandon compromised wallets after a supply-chain attack on its browser extension stole between $7 million and $8.5 million in cryptocurrency over Christmas 2025.
Attackers published a malicious version of Trust Wallet’s Chrome browser extension (v2.68) to the Chrome Web Store on Dec. 24, 2025. The code exposed seed phrases, enabling unauthorized transactions. The compromised version stayed live until Dec. 26, according to the company’s official update.
Trust Wallet linked the breach to the “Shai-Hulud” supply-chain campaign, which compromised developer credentials in November 2025. Attackers used a leaked Chrome Web Store API key to bypass normal review processes and distribute the tainted update, the company reported.
Attackers directly drained about 2,596 wallets, though up to 36,000 wallets, just 0.016% of Trust Wallet’s user base, may have been exposed. Losses totaled an estimated $8.5 million, security researchers said.
Trust Wallet began notifying affected users through in-app banners, mobile push notifications and pop-ups. The company urged victims to create new wallets, transfer their remaining funds immediately and abandon the old ones.
In a Jan. 3 post on X, Trust Wallet stated: “If you have been notified, please abandon the old compromised wallet, create a new wallet and move your funds immediately to ensure your assets remain safe. … If you have not received a notification, you are not affected and no action is required.”
Many users expressed frustration in replies, questioning reimbursement delays more than a week after the incident. One wrote, “When do we get the reimbursement? It’s been now more than a week. Still no funds.”
Trust Wallet pledged full compensation for verified losses through Binance’s Secure Asset Fund for Users (SAFU). The company is reviewing claims individually and communicating updates via email.
This marks the second supply-chain attack on Trust Wallet in recent months, underscoring persistent vulnerabilities in browser-based crypto tools. Industry reports noted a rise in such exploits in 2025, often targeting extensions and developer infrastructure.
The incident serves as a reminder for users to verify updates, avoid importing seeds into potentially compromised tools and consider hardware wallets for larger holdings. Trust Wallet released version 2.71 with improved verification, but experts warn that supply-chain risks will likely persist as cryptocurrency adoption grows.
Reimbursements remain ongoing, and the company’s handling of the crisis could influence user trust in non-custodial wallets. Future developments may include stronger publishing safeguards across web stores and increased scrutiny of third-party dependencies in crypto software.









