Trust Wallet Chrome Extension Hack Results in $8.5 Million Loss and Delayed Reimbursement Process
On December 25, a malicious version 2.68 of the Trust Wallet Chrome extension was distributed through the Chrome Web Store outside the normal release process. This version let attackers access wallet data and approve transfers the owners had not authorized, draining approximately 2,520 wallet addresses linked to about $8.5 million in assets across 17 attacker accounts.
The attack was linked to a Sha1-Hulud supply-chain breach, in which compromised tooling and a leaked Chrome Web Store API key allowed attackers to upload the malicious extension without triggering internal approvals. The malware could extract recovery phrases from wallets; importing a seed phrase then triggered fund outflows across multiple blockchains.
In response, Trust Wallet rolled back to a clean release, version 2.69, disabled the compromised publishing credentials, and launched a voluntary reimbursement scheme for affected users. A formal claims process was opened on December 29, requiring applicants to provide wallet addresses, transaction hashes, and identifying information. While more than 5,000 claims have been received, the number of verified affected wallets remains much lower, raising concerns about duplicate or fake claims.
A recent Chrome Web Store outage temporarily removed the extension, delaying the rollout of a crucial verification feature designed to help claimants confirm ownership of wallets. Google has stated it is escalating the issue and warned users to be cautious of fake or impersonated extensions in the interim.