$8.5 Million Shai Hulud Trust Wallet Crypto Hack


Sometimes, even when the dust settles after an earthquake, the aftershocks keep on coming. The ground shaker in this case was September 2025's self-replicating Shai Hulud worm, which spread through trojanized npm packages, and the latest echo linked to it is an $8.5 million Trust Wallet crypto hack that drained around 2,500 wallets.

Trust Wallet had approximately 17 million monthly active users in 2025, so this attack emptied only a tiny fraction of them; what matters is the size of the signal it sends. Attackers managed to get a trojanized version 2.68 of Trust Wallet's Chrome browser extension into the Chrome Web Store under the project's own name, and that makes everyone feel vulnerable. So, how did it happen, and how do you stay safe against what comes next?

How the attack unfolded

To recap, Shai Hulud is a self-propagating campaign that trojanized npm packages. The malware was designed to harvest developer secrets, including tokens and credentials, from machines that ran the infected code during development and publishing workflows, and then to use stolen npm tokens to publish infected versions of further packages those developers maintained, which is what made it a worm. Any developer or build machine that installed a trojanized package ran the worm's install-time code and became a new source of leaked secrets.

Developers’ secrets are exposed

During the ongoing Shai Hulud activity, attackers swept up sensitive information from development systems, including GitHub secrets and Chrome Web Store API keys, for the Trust Wallet project. These credentials gave them direct publishing access to the Chrome Web Store, allowing them to upload modified "official" extension builds as if they were authorized maintainers: no phishing required, no infrastructure breach needed.

The malicious extension update

On December 24, 2025, a new version of the Trust Wallet Chrome extension, v2.68, appeared in the Chrome Web Store. It looked legitimate to users and to basic automated checks, but its code had been trojanized with a hidden backdoor: logic that silently captured wallet recovery data and sent it to attacker-controlled servers behind a trustworthy-looking lookalike domain such as metricstrustwallet.com.

Users install the compromised version

Many users installed, or were automatically updated to, Trust Wallet browser extension v2.68 via the Chrome Web Store between December 24 and 26, 2025; Chrome updates extensions in the background by default, so no user action was needed. Because the extension ran directly in users' browsers and had access to wallet keys once a user unlocked the wallet, the malicious code extracted each wallet's seed phrase as soon as it was accessed. There was no phishing link, suspicious prompt, or other obvious sign that users should proceed with caution.

Secrets are collected and wallets drained

Seed phrases (also called recovery phrases or mnemonic phrases) are the master key to a crypto wallet. In simple terms, a seed phrase is a list of words, most commonly 12 or 24 (the BIP-39 standard also allows 15, 18 and 21), for example: apple, river, glass, moon… and it fully controls the wallet. Anyone who has the seed phrase can recreate the wallet on any device, access all funds, sign transactions, or drain the wallet completely.

There is no password reset in crypto – the seed phrase is the wallet.

Within hours of the backdoored release going live, attackers had harvested users' seed phrases, recreated the wallets on their own devices as if they were the legitimate owners, and moved the funds out; about $8.5 million went missing.

The theft is detected and publicized

By December 25-26, users began noticing unauthorized transfers. Trust Wallet's team investigated and confirmed the malicious extension release, removed the compromised version, revoked the leaked API keys, and pushed out a clean release (v2.69) to stop further theft.

Damage control and user response

Trust Wallet publicly linked the incident to the broader Shai Hulud supply chain attack, warning that it wasn’t an isolated flaw, but part of a systemic problem seeded in developer tooling. The company set up a claims process to reimburse affected users, although this may take time due to the need to verify genuine loss vs. fraud.

What made this attack especially severe

Unlike most crypto hacks, this wasn’t a phishing trick or a smart contract exploit. No user had to click anything suspicious or approve a fraudulent transaction. It succeeded because the attackers subverted trusted software infrastructure:

  • Developer credentials were stolen through the Shai Hulud supply chain compromise
  • Malicious code was included in a seemingly official update
  • Seed phrases, the literal keys to users’ wallets, were silently captured
  • Funds were drained automatically without any unusual prompts or alerts

Defending against future attacks

In the Trust Wallet case, the core problem wasn’t that users behaved recklessly; it was that trusted software began behaving maliciously after distribution. Once the compromised extension was live, the attack unfolded entirely in users’ browsers, outside the reach of server-side logs, firewalls, or conventional monitoring. This is precisely where Reflectiz adds value for businesses: by providing continuous runtime visibility into client-side behavior, including unexpected network calls, suspicious third-party execution, and abnormal access to sensitive data. That kind of visibility can dramatically shorten the time between compromise and detection.

Early detection

While Reflectiz would not have stopped attackers from stealing credentials or publishing a poisoned update, it could have helped the wallet provider identify that something was wrong far earlier and contained the attack faster. Earlier detection means earlier user warnings, quicker disabling of affected components, and fewer users unknowingly exposing seed phrases. In supply-chain attacks, reducing “time to detection” is often the single most effective way to reduce downstream harm.

For example, if Reflectiz had been monitoring the Trust Wallet extension in production, it could have flagged the unauthorized calls to metricstrustwallet.com as soon as the first user executed v2.68, before thousands of wallets were compromised. That kind of real-time alerting can turn a multi-day breach into a multi-hour incident.

It’s about more than crypto

Most businesses will never ship a crypto wallet via a Chrome Web Store extension, but they still rely heavily on browser extensions in their digital ecosystem — analytics tools, customer support widgets, marketing plugins, productivity add-ons, internal tools, and partner-developed extensions. From a risk perspective, these extensions run with elevated privileges, execute client-side code, and often have access to sensitive data, making them an increasingly attractive target for supply-chain attacks.

So, don’t think of the Trust Wallet incident as “a crypto problem” so much as a browser extension distribution problem. The same mechanics apply whether the extension handles seed phrases, authentication tokens, PII, or session data. Once a trusted extension is compromised and pushed through an official store, the malicious behavior occurs entirely in the user’s browser — outside traditional perimeter controls and invisible to server-side monitoring.

Reflectiz covers the browser

This is where Reflectiz becomes relevant for all businesses. It can monitor the actual runtime behavior of browser-delivered assets, including extensions and embedded third-party scripts. It can surface unexpected network destinations, anomalous data access, or changes in execution patterns. This allows businesses to detect when a previously trusted browser component begins behaving in ways that don’t align with its intended function, even if it was “legitimately” installed and approved.
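The “Early detection” section above and this one describe the same control: watching what browser-delivered code actually does at runtime and flagging network destinations that do not match its intended function. The sketch below is an added example written for this page, not Reflectiz’s product code and not anything from Trust Wallet. It wraps fetch() and navigator.sendBeacon() on a target global, classifies every outbound destination against the component’s expected first-party domain, and marks both unknown destinations and lookalike domains (the brand name embedded in a domain the brand does not own, which is how metricstrustwallet.com reads next to trustwallet.com) as suspicious. That trustwallet.com is the extension’s legitimate backend domain is an assumption, as are the analytics and IP-address destinations in the demo; the demo drives a constructed fake window object so it runs in Node.

```javascript
// Assumption for this example: the component's legitimate backend lives under trustwallet.com.
const OFFICIAL_APEX = 'trustwallet.com';

// Registrable-domain approximation: the last two labels. Good enough for .com-style TLDs;
// a real deployment would consult the public suffix list (co.uk and friends).
function apexOf(hostname) {
  const labels = hostname.toLowerCase().split('.');
  return labels.slice(-2).join('.');
}

// Classify one outbound URL relative to the component's expected first-party domain.
function classifyDestination(urlString, officialApex = OFFICIAL_APEX, allowlist = []) {
  let url;
  try { url = new URL(urlString); } catch { return 'invalid'; }
  const host = url.hostname.toLowerCase();
  if (apexOf(host) === officialApex) return 'first-party';
  if (allowlist.includes(apexOf(host))) return 'allowlisted';
  // Lookalike: the brand token appears inside a domain the brand does not own.
  const brand = officialApex.split('.')[0];
  if (host.replace(/[-.]/g, '').includes(brand)) return 'lookalike';
  return 'unknown';
}

// Wrap the egress APIs on `target` (window in a browser; a fake object in the demo) and
// record every destination with its verdict. Returns the live event list.
function installEgressMonitor(target, { officialApex = OFFICIAL_APEX, allowlist = [], onEvent } = {}) {
  const events = [];
  const record = (api, urlString) => {
    const verdict = classifyDestination(urlString, officialApex, allowlist);
    const event = { api, url: urlString, verdict, suspicious: verdict === 'lookalike' || verdict === 'unknown' };
    events.push(event);
    if (onEvent) onEvent(event);
  };
  if (typeof target.fetch === 'function') {
    const realFetch = target.fetch.bind(target);
    target.fetch = (input, init) => {
      // fetch accepts a string, a URL, or a Request; normalise to the URL string.
      const urlString = typeof input === 'string' ? input : (input && input.url) || String(input);
      record('fetch', urlString);
      return realFetch(input, init);
    };
  }
  if (target.navigator && typeof target.navigator.sendBeacon === 'function') {
    const realBeacon = target.navigator.sendBeacon.bind(target.navigator);
    target.navigator.sendBeacon = (url, data) => { record('sendBeacon', String(url)); return realBeacon(url, data); };
  }
  return events;
}

// Constructed demo: a fake window so this runs in Node. Only trustwallet.com and
// metricstrustwallet.com come from the article; the other destinations are made up.
function demo() {
  const fakeWindow = {
    fetch: async (input) => ({ ok: true, url: String(input) }),
    navigator: { sendBeacon: () => true },
  };
  const events = installEgressMonitor(fakeWindow, { allowlist: ['example-analytics.com'] });
  fakeWindow.fetch('https://api.trustwallet.com/v1/prices');               // first-party
  fakeWindow.fetch('https://cdn.example-analytics.com/collect');             // allowlisted third party
  fakeWindow.navigator.sendBeacon('https://metricstrustwallet.com/m', 'x');  // lookalike: brand in a foreign domain
  fakeWindow.fetch('https://203.0.113.7/upload');                             // unknown destination
  return events;
}

for (const e of demo()) {
  console.log(`${e.suspicious ? 'ALERT' : 'ok   '} ${e.api.padEnd(10)} ${e.verdict.padEnd(12)} ${e.url}`);
}
```

One limitation a practitioner should keep in mind: hooks installed inside a page only see requests made from that page’s JavaScript context, and an extension’s background service worker has its own fetch, so code the monitored component could simply bypass is not where production visibility should come from. The same classification logic works when fed from outside the component instead, for example from an instrumented test browser that exercises each new extension build, or from network telemetry.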

So, you don’t need to be a crypto company to face headline-grabbing supply-chain risks. Any business that distributes or depends on browser-side code inherits the same exposure and the same need for continuous, client-side visibility once that code is in production.

Organizations looking to gain visibility into their client-side attack surface can explore how Reflectiz monitors browser-based code behavior in real-time – whether that’s extensions, third-party scripts, or any other code executing in users’ browsers.
