
#7 Trust Wallet Incident: A Stolen API Key Turns the Official Update Channel into a Backdoor

Code Auditing
February 12, 2026

On December 25, 2025, Trust Wallet suffered a critical security breach in its Chrome extension (v2.68), resulting in the theft of approximately $8.5 million in user funds.

The root cause was a malicious backdoor injected into the extension, originating from a supply chain attack that compromised the project’s standard release process. The injected backdoor method uploads user seed phrases to an attacker-controlled server, compromising any wallets generated or imported using this specific version of the extension. The attacker subsequently drained user funds on multiple chains and routed them to non-KYC exchanges.

Background

Trust Wallet's Chrome extension is designed as a typical self-custody wallet, allowing users to create new wallets or import existing ones. At the heart of any cryptocurrency wallet is the seed phrase, also known as a mnemonic. It is a human-readable encoding of the entropy from which the wallet's master key, and every account key beneath it, is deterministically derived. Because the whole key tree can be regenerated from it, the seed phrase is the most critical secret a user possesses: anyone who obtains it gains complete control over all funds in the wallet.

To keep seed phrases under the user's own custody, Trust Wallet's extension stores them locally in encrypted form, and they are decrypted only in response to a legitimate user request with proper authentication. Depending on how the user has configured the wallet, that authentication is either a password or a biometric prompt. In a properly functioning self-custody wallet, a decrypted seed phrase is used exclusively within the local extension environment and is never transmitted to an external server; any code path that serializes it into an outbound request is, by definition, a backdoor.

Vulnerability Analysis

The vulnerability lives in the wallet unlock flow and affects both the biometric and the password unlock paths. On every unlock, the freshly decrypted seed phrases are packaged as analytics data and sent to an attacker-controlled domain masquerading as a legitimate endpoint. Since the mechanism is identical in both paths, we use the biometric path as the example below.

The following analysis is based on the de-obfuscated source code of the extension.

Retrieval of decrypted seed phrases

The malicious code was injected into the unlock function in file 8423.js, which handles wallet unlocking and seed phrase decryption once the user has authenticated. Inside the unlock logic the attacker embedded what looks like a benign analytics collection step. As highlighted in the following code snippet, the seed phrase retrieval sits immediately after the normal authentication flow: it traverses all wallets, extracts each decrypted seed phrase, and accumulates them in a deceptively named variable, errorMessage. That value is then placed in an error property of the analytics event object, so a casual reader sees nothing more than error reporting.

The same malicious pattern appears in the password unlock flow (lines 485-527), replacing biometric authentication with password-based decryption.

Transmission of sensitive data

Once the seed phrases were collected and packaged as analytics data, they were routed through PostHog analytics infrastructure that the attacker deliberately introduced in v2.68 for this purpose. The analytics data containing the seed phrases is passed to an analytics service wrapper, which invokes PostHog's capture() method to generate event objects. The events are queued and batched, serialized to JSON, compressed, and transmitted by HTTP POST to the attacker's server.

The file 4482.js reveals a PostHog configuration that routes analytics data to api.metrics-trustwallet.com. This domain was specifically registered by the attacker to mimic a legitimate Trust Wallet analytics endpoint.

Testing with extension v2.68, we captured and analyzed a suspicious request triggered during wallet unlock operations. The request sends GZIP-compressed data to the attacker-controlled endpoint, which can be decompressed to extract the seed phrases in plaintext.

Attack Analysis

The attack process spanned approximately one month from initial preparation to the final exploit, unfolding across three stages:

  1. Compromise the Chrome Web Store (CWS) API key

  2. Deploy the extension containing malicious code

  3. Steal funds from compromised user wallets

Stage 1: Compromise the CWS API key

The story began with the widespread supply chain attack of November known as "Shai-Hulud 2.0" [2]. That campaign targeted developer environments through NPM (Node Package Manager), backdooring numerous legitimate NPM packages. When developers installed the compromised packages, malicious code executed on their machines and harvested sensitive credentials and authentication tokens.

Through this supply chain attack, the attacker obtained Trust Wallet's Chrome Web Store (CWS) API key. This key is particularly critical because it allows extension builds to be uploaded directly to the Chrome Web Store, completely bypassing Trust Wallet's internal approvals and reviews under the standard release process. A publishing credential of this kind is effectively a code-signing key for the update channel: once it is present on a developer workstation that runs untrusted install scripts, no review step downstream of that workstation can be relied on.

Stage 2: Release the extension with malicious code

In December 2025, with the stolen CWS API key in hand, the attacker set up the attack infrastructure:

  1. Registered the malicious domain metrics-trustwallet.com (and the subdomain api.metrics-trustwallet.com) to host the data collection endpoint.

  2. Injected the backdoor into the wallet unlock flows and modified the PostHog analytics configuration to direct data to that server.

  3. Uploaded the malicious extension directly to the Chrome Web Store using the stolen API key, bypassing the standard release process.

The malicious version 2.68 passed the Chrome Web Store's automated review and was published, appearing to users as a legitimate update from the official developer account.

Stage 3: Steal funds from compromised user wallets

When users unlocked their wallets using this vulnerable extension, their seed phrases were silently transmitted to api.metrics-trustwallet.com, the attacker-controlled server. With complete access to these seed phrases, the attackers gained full control over victim wallets.

Rather than immediately draining funds—which would have triggered rapid detection—the attackers exercised patience, allowing the victim pool to expand while maintaining stealth.

Starting December 25, the attacker began systematically draining the compromised wallets. The operation affected approximately 2,520 wallet addresses across 10 blockchains.

Summary

This breach is a stark reminder that security must cover the entire product life cycle, including development and deployment. In 2025, supply chain attacks were the most destructive threat to cryptocurrency infrastructure: two incidents alone, this one and the $1.5 billion Bybit hack in February, caused losses of over $1.5 billion. Beyond smart contract audits, teams must secure their build pipelines, protect developer and publishing credentials, and continuously monitor what actually ships to users in order to safeguard user assets.

References

  1. Official post-mortem
  2. Shai-Hulud 2.0

About BlockSec

BlockSec is a full-stack blockchain security and crypto compliance provider. We build products and services that help customers perform code audits (including smart contracts, blockchains and wallets), intercept attacks in real time, analyze incidents, trace illicit funds, and meet AML/CFT obligations, across the full lifecycle of protocols and platforms.

BlockSec has published multiple blockchain security papers at prestigious conferences, reported several zero-day attacks on DeFi applications, blocked multiple hacks to rescue more than 20 million dollars, and secured billions of dollars in crypto assets.
