A major security breach involving the Trust Wallet Chrome browser extension has resulted in approximately $7 million in losses and placed the Shiba Inu (SHIB) community on high alert. The incident, which occurred on December 24, involved a compromised version (2.68) of the extension that was uploaded to the official Chrome Web Store.
The attack was executed using a leaked Chrome Web Store API key, allowing malicious code to be hidden inside a modified analytics library. When users unlocked their wallets, this code secretly extracted their seed phrases and sent them to an attacker-controlled server. The malicious domain was registered on December 8, indicating the attack was planned at least two weeks in advance.
Trust Wallet CEO Eowyn Chen revealed that the company has identified 2,596 affected wallet addresses. However, the firm has received nearly 5,000 reimbursement claims, highlighting a significant wave of fraudulent submissions. This discrepancy has forced the company to prioritize accuracy over speed in the compensation process. Binance co-founder Changpeng Zhao, whose company owns Trust Wallet, has committed to covering all verified losses, stating "user funds are SAFU."
The breach has drawn particular attention within the Shiba Inu ecosystem due to its large holder base and the widespread use of browser wallets among SHIB investors. Warnings circulated quickly, with community accounts urging users to disable version 2.68 and update to the patched version 2.69. The incident revived memories of a previous September 2025 exploit on the Shibarium bridge that resulted in $4.1 million in losses.
Industry figures, including Zhao and SlowMist co-founder Yu Xian, have raised concerns about potential insider involvement, citing the attacker's detailed knowledge of the extension's source code. The stolen funds, which included Bitcoin, Ethereum, and Solana, were tracked moving through exchanges like ChangeNOW, FixedFloat, and KuCoin, complicating recovery efforts.
Trust Wallet has taken steps to contain the breach, including expiring all release APIs and having the malicious domain suspended. The company has also issued urgent warnings about secondary scams, with fake compensation forms appearing on Telegram and impersonated support accounts attempting to steal private keys.
