A China-linked hacker group reportedly exposed details of a $7 million crypto theft operation aimed at wallet supply chains, raising new concerns over software

China Hacker Group Leaks $7M Crypto Theft Operation Targeting Wallet Supply Chains

2026/03/18 06:04

A reported wallet supply chain crypto theft story appears to trace back to a real Trust Wallet browser extension compromise, but the strongest public evidence does not confirm a China-linked hacker group or a separate leak event. What is verified is that a malicious Trust Wallet extension release exposed users during a short holiday window, showing how a trusted software update path can turn into a theft channel.

$7M
Reported value tied to the wallet supply-chain theft operation claim in the original headline.

Trust Wallet’s security notice and its later community update show that an unauthorized version 2.68 browser extension was published to the Chrome Web Store on December 24, 2025. The company said only users who opened and logged into that version between December 24 and December 26 were exposed.
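The notice above defines exposure by two facts an endpoint can check locally: which extension version was installed, and whether it was in place during the December 24 to 26 window. The following script is an added illustration (not Trust Wallet's, Google's, or the article's code) that reads the version folders Chrome keeps under `<profile>/Extensions/<id>/<version>_<n>/manifest.json` and classifies the result. The extension id, the sample profile it builds in a temporary directory, and the use of the manifest's mtime as a stand-in for install time are all constructed assumptions for the demo.

```python
"""Flag a known-bad browser-extension version in a Chrome profile.

Added example, not code from Trust Wallet or the article. Chrome stores each
installed extension version at <profile>/Extensions/<id>/<version>_<n>/manifest.json,
so the installed version can be read offline. The extension id below is a
constructed placeholder and the manifest mtime stands in for install time.
"""
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

WATCHED_EXTENSION_ID = "abcdefghijklmnopabcdefghijklmnop"  # constructed placeholder
KNOWN_BAD_VERSIONS = {"2.68"}  # unauthorized release named in the security notice
EXPOSURE_START = datetime(2025, 12, 24, tzinfo=timezone.utc)
EXPOSURE_END = datetime(2025, 12, 27, tzinfo=timezone.utc)  # exclusive upper bound


def installed_versions(profile_dir):
    """Return {manifest version: manifest mtime (UTC)} for the watched extension."""
    ext_root = Path(profile_dir) / "Extensions" / WATCHED_EXTENSION_ID
    found = {}
    if not ext_root.is_dir():
        return found
    for version_dir in ext_root.iterdir():
        manifest = version_dir / "manifest.json"
        if not manifest.is_file():
            continue
        with open(manifest, encoding="utf-8") as fh:
            version = json.load(fh).get("version", "")
        # mtime approximates when Chrome unpacked this version (assumption).
        found[version] = datetime.fromtimestamp(manifest.stat().st_mtime, tz=timezone.utc)
    return found


def assess(profile_dir):
    """Classify the profile as clean, exposed, or bad-version-present."""
    versions = installed_versions(profile_dir)
    bad = {v: t for v, t in versions.items() if v in KNOWN_BAD_VERSIONS}
    if not bad:
        return "clean", sorted(versions)
    in_window = sorted(v for v, t in bad.items() if EXPOSURE_START <= t < EXPOSURE_END)
    if in_window:
        return "exposed", in_window
    return "bad-version-present", sorted(bad)


def build_sample_profile(root, version, installed_at):
    """Create a constructed profile layout holding one extension version."""
    version_dir = Path(root) / "Extensions" / WATCHED_EXTENSION_ID / f"{version}_0"
    version_dir.mkdir(parents=True, exist_ok=True)
    manifest = version_dir / "manifest.json"
    manifest.write_text(json.dumps({"manifest_version": 3, "name": "Sample Wallet", "version": version}))
    ts = installed_at.timestamp()
    os.utime(manifest, (ts, ts))  # back-date the file to the chosen install time
    return root


def run_demo():
    """Run the three constructed scenarios and return {label: status}."""
    cases = {
        "clean": ("2.67", datetime(2025, 12, 20, tzinfo=timezone.utc)),
        "exposed": ("2.68", datetime(2025, 12, 25, 12, tzinfo=timezone.utc)),
        "bad-version-present": ("2.68", datetime(2026, 1, 5, tzinfo=timezone.utc)),
    }
    results = {}
    for label, (version, when) in cases.items():
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_profile(tmp, version, when)
            results[label] = assess(tmp)[0]
    return results


if __name__ == "__main__":
    for label, status in run_demo().items():
        print(f"{label:22s} -> {status}")
```

Point it at a real profile directory (on Linux, for example, `~/.config/google-chrome/Default`) by calling `assess(path)`. One caveat the notice implies: Chrome replaces the version folder on update, so a "clean" result today does not prove the bad version was never opened during the window; the folder evidence only survives until the next update, which is why the vendor's own affected-address list remains the authoritative check.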

That matters because a supply-chain attack hits the software people already trust, instead of tricking them with a fake email or a bad link. In simple terms, it is closer to a tampered bank app update than a classic phishing scam.

What is actually confirmed about the theft operation

Trust Wallet said it identified 2,520 affected wallet addresses and about $8.5 million in impacted assets linked to 17 attacker-controlled addresses. That figure is higher than the roughly $7 million cited in some early reports, which means the final public damage estimate still depends on which source and date are being used.

SlowMist’s incident analysis said the malicious code captured seed phrases, the secret recovery words that control a crypto wallet, after users unlocked the extension. The security firm estimated early losses at about 33 BTC plus roughly $3 million on Ethereum and Layer-2 networks, putting the initial total near $6 million at the time of publication.

SlowMist also said, “We have strong reason to believe this is a professional APT-level attack.” That points to a highly organized operation, but it is not the same as public attribution to a China-linked group, and the available source set does not make that leap.

Trust Wallet linked the publishing path to a leaked Chrome Web Store API key and exposed GitHub developer secrets tied to the November 2025 Sha1-Hulud supply-chain incident. That link is one of the most important verified details because it suggests the compromise may have started upstream, before users ever downloaded the bad extension.

Why wallet supply-chain attacks are different from direct wallet hacks

A direct wallet hack usually targets one user at a time through phishing, malware, or stolen passwords. A wallet supply-chain attack targets the software vendor, update channel, or distribution process, which can put many users at risk at once.

That is why this case has drawn broader concern than a normal theft report. If a bad actor can slip malicious code into an official browser extension listing, even cautious users may not realize anything is wrong until funds are already gone.

The wider crypto industry already has reason to treat this as a major risk area. CertiK’s 2025 Web3 security report said supply-chain attacks were the costliest attack vector of the year, with about $1.45 billion lost across two incidents.

Readers who have followed other infrastructure risks on coinlineup.com have seen the same pattern in different forms, whether through macro stress in Bitcoin recession coverage tied to Moody’s warning or sudden leverage shocks in crypto liquidation events. The common theme is that trust in market plumbing matters as much as price charts.

What this means for wallet providers and regular users

For wallet providers, the incident raises pressure to harden app-store publishing controls, rotate credentials quickly, and isolate developer secrets more aggressively. For users, the practical lesson is simple: updates from trusted brands still need scrutiny when unusual prompts, extension behavior, or login flows appear.
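One concrete form of the "harden publishing controls" advice is a gate in the release pipeline that refuses to upload any package whose version and content hash were not recorded by review. The script below is an added example (not Trust Wallet's, the Chrome Web Store's, or the article's tooling) that builds sample extension packages in memory, keeps a constructed ledger of approved builds, and rejects both an unrecorded version and a modified build of a recorded one. The ledger format and the `gate` function are hypothetical.

```python
"""Pre-publish release gate for a browser-extension package.

Added example, not code from Trust Wallet or any store. Assumption: every
reviewed build is recorded in a ledger of {version: sha256}; a package that is
not in the ledger, or whose bytes differ from the recorded build, is refused.
"""
import hashlib
import io
import json
import zipfile

FIXED_ZIP_TIME = (2025, 12, 1, 0, 0, 0)  # deterministic timestamps so hashes are stable


def build_extension_zip(version, background_js="console.log('ok');"):
    """Construct a minimal extension package in memory (sample data)."""
    manifest = {"manifest_version": 3, "name": "Sample Wallet", "version": version}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in (("manifest.json", json.dumps(manifest)), ("background.js", background_js)):
            info = zipfile.ZipInfo(name, date_time=FIXED_ZIP_TIME)
            zf.writestr(info, data, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def package_version(package):
    """Read the declared version out of the package's manifest.json."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return json.loads(zf.read("manifest.json"))["version"]


def gate(package, ledger):
    """Return (allowed, reason) for a package against the approved-release ledger."""
    version = package_version(package)
    digest = hashlib.sha256(package).hexdigest()
    expected = ledger.get(version)
    if expected is None:
        return False, f"version {version} has no approved release record"
    if expected != digest:
        return False, f"version {version} does not match the reviewed build"
    return True, f"version {version} matches the reviewed build"


def run_demo():
    """Constructed scenarios: approved 2.67, a tampered 2.67, and an unrecorded 2.68."""
    approved_267 = build_extension_zip("2.67")
    ledger = {"2.67": hashlib.sha256(approved_267).hexdigest()}  # recorded at review time
    tampered_267 = build_extension_zip("2.67", "console.log('ok'); /* unreviewed change */")
    unrecorded_268 = build_extension_zip("2.68")
    return {
        "approved": gate(approved_267, ledger)[0],
        "tampered": gate(tampered_267, ledger)[0],
        "unrecorded": gate(unrecorded_268, ledger)[0],
    }


if __name__ == "__main__":
    for label, allowed in run_demo().items():
        print(f"{label:11s} -> {'publish' if allowed else 'refuse'}")
```

The gate only helps if the upload credential is usable solely from the pipeline that runs it. The article's own detail, that the publishing path traced to a leaked store API key, is exactly the case this check cannot cover, which is why the credential-isolation and rotation advice belongs alongside it rather than as an alternative.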

Trust Wallet’s response focused on reimbursement and cleanup. Cointelegraph reported that Changpeng Zhao, better known as CZ, the former CEO of Binance, said Trust Wallet would cover about $7 million in user losses after the Christmas Day exploit, although Trust Wallet’s later accounting put impacted assets closer to $8.5 million.

The market context is still mixed. The research brief included a spot price reading of 0.530464, but no verified 24-hour move, market capitalization, or volume data strong enough to prove a clear trading response, so the bigger market effect appears to be confidence damage rather than an obvious price shock.

That confidence issue matters beyond one wallet brand. As crypto firms expand into new markets, including the broader product and licensing push described in Ripple’s Brazil expansion story, users are being asked to trust more software, more integrations, and more third-party infrastructure.

The narrow takeaway is not that the original headline’s China attribution has been proven. It is that the verified Trust Wallet case shows how damaging a wallet supply-chain compromise can be, and why both wallet companies and everyday holders need to treat browser extensions, updates, and recovery phrases as critical security points.

Disclaimer: This article is for informational purposes only and is not financial advice.
