A well-known wallet browser plugin was targeted by a supply chain attack, affecting 2,520 addresses and resulting in $8.5 million in losses.

2025-12-30 15:54:12

[ChainWen] Another serious incident—A well-known wallet’s browser extension was compromised with malicious code in the Chrome Web Store. Version 2.68 bypassed internal review and was directly published, resulting in transactions being executed and wallet data being stolen without user awareness.

The numbers are clear: 2,520 wallets affected, with total losses reaching up to $8.5 million.

Even more concerning is that this is not an isolated incident. Investigations point to the November Sha1-Hulud industry-level supply chain attack—seems hackers are targeting the entire ecosystem.

The good news is that the wallet team responded quickly, rolling back the extension to the safe version 2.69, and has also initiated compensation procedures for affected users.

This incident serves as a wake-up call for the entire industry: supply chain security is increasingly becoming a hacker’s entry point. Don’t just think about browser extensions—any link in the code repository to app store can be a vulnerability that triggers large-scale risks. Users need to be more vigilant—regularly check extension versions, exercise caution when granting permissions, and implement multi-signature management. In this era of unpredictable threats, we must secure our bottom line.

View Original

This page may contain third-party content, which is provided for information purposes only (not representations/warranties) and should not be considered as an endorsement of its views by Gate, nor as financial or professional advice. See Disclaimer for details.

10 Likes

Reward
10
4
Repost
Share

Comment

0/400

PensionDestroyer

· 12-30 16:23

Here we go again, the line of defense at the Chrome Web Store can't hold anymore, right? I told you, the supply chain is the real Achilles' heel.

View OriginalReply0

DegenWhisperer

· 12-30 16:12

8.5 million dollars lost, this is the real supply chain nightmare --- Can't even defend the Chrome Web Store barrier anymore? Who still dares to install plugins --- Again with supply chain issues and hackers, is Web3 really that unsafe --- 2520 addresses, I just want to know if mine is among them --- Revert to 2.69 and it's over? What about the victims' funds --- From warehouse to app store, it's all riddled with holes, the ecosystem is completely rotten --- Sha1-Hulud hasn't recovered from that wave, and now there's another round? Hackers are really targeting systematically --- Quick reactions are useless, no funds left and no compensation... just wait, getting half back would be good --- That's why I still use a hardware wallet, don't mess with these plugin trash --- 8.5 million USD, judging by this loss rate, the entire ecosystem might be裂开

View OriginalReply0

FlashLoanPhantom

· 12-30 16:07

$8.5 million just disappeared like that, it really hurts to hear --- Supply chain has truly become a honey pot. What's the latest with the Chrome Web Store mess this time? --- 2520 wallets got compromised at once? I just want to know if those compensations will really be delivered --- I've been saying for a long time not to put all your eggs in plugins. Now look at this --- How did version v2.68 bypass review? The review process in the Chrome Store is a joke --- Hackers' tastes are getting more sophisticated, directly targeting critical points like the supply chain --- The compensation program has been launched, but who believes it? How will this account be settled? --- It's the aftermath of Sha1-Hulud again. This wave of attacks is truly a coordinated effort --- Plugins are inherently risky. I haven't been able to install these things for a long time --- $8.5 million is neither big nor small, but this lesson is definitely hardcore

View OriginalReply0

WalletInspector

· 12-30 16:04

8.5 million dollars just gone like that. The review process in the Chrome Web Store is useless. Oh my God.

View OriginalReply0