Trust Wallet сообщает об устранении последствий взлома на $8,5 млн и усиливает безопасность Translation: Trust Wallet reports on the aftermath of the $8.5 million hack and enhances security measures.

The Trust Wallet team has published a report regarding an incident that occurred on December 26. Attackers compromised the browser extension and siphoned off assets totaling $8.5 million.

According to their statement, the attack affected 2,520 addresses. The developers have pledged to fully compensate the losses incurred by the victims.

The breach was attributed to a large-scale attack on the Sha1-Hulud supply chain, which was noted in November. At that time, hackers gained access to the developers’ secrets on GitHub and the API key for the Chrome Web Store.

Using the stolen information, the attackers managed to execute their scheme. A malicious version of the extension was active between December 24 and 26. Once the issue was detected, the team reverted the extension to a secure version 2.69 and revoked the compromised keys.

The vulnerability specifically impacted users of the 2.68 version of the desktop extension who accessed their wallets during the specified dates. The Trust Wallet mobile application and other versions of the extension remained secure.

Analysts identified 17 addresses controlled by the hacker, with total damages amounting to $8.5 million.

«We view this incident not only as a critical lesson for us but also as a watershed moment for the entire industry concerning supply chain attack issues,» stated the Trust Wallet team.

The company has already begun working with the victims of the hack. To receive compensation, users need to submit a claim through the official support form and undergo verification of wallet ownership.

Trust Wallet has emphasized the complexity of the process due to a surge in fraudulent claims. Over 5,000 applications have already been submitted for the 2,520 affected addresses. The team has urged users to be patient and to beware of phishing attempts: official support will never request seed phrases.

To prevent similar incidents in the future, the project has strengthened its security protocols, including code dependency audits and credential rotation.

It is worth noting that in 2025, the amount stolen through phishing attacks decreased by 83%, totaling $83.85 million, according to SlowMist.