Trust Wallet users had $8.5 million in crypto assets stolen in a cyberattack linked to the second wave of the Shai-Hulud npm supply chain attack.
In a lengthy analysis of the attack, Trust Wallet said attackers used the Shai-Hulud attack to access Trust Wallet’s browser extension source code and Chrome Web Store API key. “Using that access, they were able to prepare a tampered version of the extension with a backdoor designed to collect users’ sensitive wallet data [and] releasing the malicious version to the Chrome Web Store using the leaked (CWS) API key,” the crypto wallet company said.
So far Trust Wallet has identified 2,520 wallet addresses affected by the incident and drained by the attackers, totaling approximately $8.5 million in assets. The company said it “has decided to voluntarily reimburse the affected users.”
News of the successful attack comes amid reports that threat actors are actively preparing for a third wave of Shai-Hulud attacks.
Trust Wallet Shai-Hulud Attack Detailed
Trust Wallet said “an unauthorized and malicious version” of its Browser Extension (version 2.68) was published to the Chrome Web Store on December 24, “outside of our standard release process (without mandatory review). This version contained malicious code that, when loaded, allowed the attacker to access sensitive wallet data and execute transactions without authorization.”
The $8.5 million in assets were associated with 17 wallet addresses controlled by the attacker, but Trust Wallet said the attacker addresses “also drained wallet addresses NOT associated with Trust Wallet and this incident. We are actively tracking other wallet addresses that may have been impacted and will release updated numbers once we have confirmation.”
The incident affects only Trust Wallet Browser Extension version 2.68 users who opened the extension and logged in during the affected period of December 24-26. It does not affect mobile app users, users of other Browser Extension versions, or Browser Extension v2.68 users who opened and logged in after December 26 at 11:00 UTC.
“If you have received an app push via the Trust Wallet mobile app or you see a security incident banner on your Trust Wallet Browser Extension, you may still be using the compromised wallets,” the company said.
Browser Extension v2.68 users who logged into their wallets during the affected period were advised to transfer their funds from any at-risk wallets to a newly created wallet following the company’s instructions and to submit reimbursement claims at https://be-support.trustwallet.com.
White Hat Researchers Limited Damage with DDoS Attacks
The dramatic Trust Wallet attack was met by an equally dramatic response from white hat security researchers, who launched DDoS attacks on the attacker to limit damage, as detailed in the company’s update.
Trust Wallet’s Developer GitHub secrets were exposed in the November second-wave attack, which gave the attacker access to the browser extension source code and the API key, allowing builds to be uploaded directly without Trust Wallet’s internal approval and manual review.
The attacker registered the domain metrics-trustwallet.com “with the intention of hosting malicious code and embedding a reference to that code in their malicious deployment of the Trust Wallet Browser Extension,” the company said.
The attacker prepared and uploaded a tampered version of the browser extension using the codebase of an earlier version that they had accessed through the exposed developer GitHub secrets. The attacker published version 2.68 on the Chrome Web Store for review using the leaked CWS key, “and the malicious version was released automatically upon passing Chrome Web Store review approval,” Trust Wallet said.
On December 25, the first wallet-draining activity was publicly reported, when 0xAkinator and ZachXBT flagged the issues and identified the attacker’s wallet addresses, and partner Hashdit and internal systems “notified us with multiple suspicious alerts.”
“White-hat researchers initiated DDoS attacks in an attempt to temporarily disable the attacker’s malicious domain, api.metrics-trustwallet.com, helping to minimize further victims,” Trust Wallet said.
The company rolled back to a verified clean version (2.67, released as 2.69) and issued urgent upgrade instructions.