Trust Wallet Analyzes $8.5 Million Theft Incident and Strengthens Security

The Trust Wallet team released a report on an incident that took place on December 26. Cybercriminals compromised the browser extension and stole assets totaling $8.5 million.

According to the statement, the breach affected 2,520 addresses. The developers have committed to fully compensating the affected users.

The cause of the hack was a large-scale supply chain attack known as Sha1-Hulud, identified back in November. During that time, hackers gained access to developers’ secrets on GitHub and the Chrome Web Store’s API key.

Using the stolen data, the culprits:

The malicious version was active from December 24 to 26. Upon discovering the issue, the team reverted the extension to the secure version 2.69 and revoked the compromised keys.

The vulnerability impacted only users of the browser extension version 2.68 who accessed their wallets during the specified dates. The Trust Wallet mobile application and other versions of the extension remained secure.

Analysts identified 17 addresses controlled by the hacker, with a total loss of $8.5 million.

“We view this incident not only as a critical lesson for ourselves but also as a turning point for the entire industry regarding supply chain attack issues,” noted Trust Wallet.

The company has already begun assisting hacking victims. To receive compensation, users need to submit a request through the official support form and complete wallet ownership verification.

Trust Wallet emphasized the complexity of the process due to an influx of fraud attempts. Over 5,000 requests have already been received for the 2,520 affected addresses. The team urged users to be patient and wary of phishing attempts, reminding them that official support never asks for seed phrases.

To prevent similar incidents in the future, the project has enhanced security measures, including code dependency audits and credential rotations.

Notably, in 2025, the volume of funds stolen via phishing attacks decreased by 83%, amounting to $83.85 million, according to SlowMist.