According to Odaily, between December 24th and 26th, 2025, the Trust Wallet Browser Extension v2.68 was compromised due to a leaked API key, resulting in the uploading of malicious code. This incident affected 2,520 wallet addresses that logged into the extension during this period, leading to the theft of approximately $8.5 million in assets. Investigations indicate that this attack is related to the industry-wide supply chain attack Sha1-Hulud that occurred in November, where attackers gained access to the Chrome Web Store API through leaked GitHub credentials.
Trust Wallet has decided to voluntarily compensate affected users and is currently finalizing the compensation workflow and ownership verification process. They have also begun liaising with victims who have contacted the official team. Trust Wallet advises affected users to immediately transfer their funds to a new wallet and submit a claim through the official form. Over 5,000 claim applications have been received so far, and the team is reviewing each case individually. Furthermore, Trust Wallet has released a fixed version 2.69 and disabled related publishing permissions and credentials.
