Cryptocurrency wallet service Trust Wallet said a compromised version of its browser extension was used to steal about $8.5 million in cryptocurrency from user wallets. The company said the incident was connected to a broader software supply chain attack known as Sha1-Hulud.
According to Trust Wallet, the incident occurred in late 2025 after a malicious build of its browser extension was uploaded to the Chrome Web Store. The altered extension was published using leaked developer credentials, which allowed the attacker to bypass standard security checks and distribute the compromised version to users.
The company said the attacker embedded external malicious code into the extension. Once installed or updated, the compromised extension was able to access sensitive wallet information and initiate unauthorised transactions. Trust Wallet said this resulted in cryptocurrency being drained from affected wallets without user approval.
Trust Wallet said it identified more than 2,500 wallet addresses that were impacted by the theft. The stolen funds were traced to activity that occurred shortly after users installed or updated to the malicious extension version.
The company linked the compromise to the Sha1-Hulud incident, a supply chain attack that involved the exposure of developer secrets and the misuse of legitimate software publishing tools. Trust Wallet said the leaked credentials were used to sign and upload the malicious extension, making it appear legitimate to users and browser security systems.
After identifying the issue, Trust Wallet said it revoked the compromised credentials and removed the malicious extension version. The company rolled back the extension to a secure release and said it worked with platform providers to prevent further unauthorised updates.
Trust Wallet advised users to ensure they are running the latest version of the extension and said it is reviewing its internal processes to reduce the risk of similar incidents. The company said it continues to investigate the impact of the compromise and to monitor for related malicious activity.
The incident highlights the risks posed by supply chain attacks, where attackers target development and distribution systems rather than end users directly. Trust Wallet said the theft did not involve a flaw in its core wallet software but resulted from unauthorised changes made during the extension publishing process.
