A supply chain attack exploits trust rather than breaking cryptography directly. Instead of attacking a wallet or exchange head-on, an attacker compromises an upstream component, such as a code library, build tool, browser extension, or device firmware, that many downstream products quietly depend on. Because developers rarely audit every dependency they pull in, a single poisoned package can reach millions of installations before anyone notices.
The classic case is the 2018 event-stream incident, in which a new maintainer of a popular Node.js library added a hidden dependency that silently monitored the Copay Bitcoin wallet and, once a large balance was detected, exfiltrated the user's private keys. That pattern, a trusted open source package repurposed as a delivery mechanism, has repeated many times since. 2026 alone saw several large npm campaigns that hijacked maintainer accounts to plant wallet-draining code inside AI-agent frameworks and developer tooling, scanning installed browser extensions and rewriting transaction destinations mid-flight.
Hardware is not immune. Counterfeit or intercepted devices have been found with tampered firmware, pre-generated seed phrases, or hidden components that leak the seed during setup, meaning a wallet can look completely genuine while it was compromised before it ever reached the buyer.
Because these attacks hide inside legitimate-looking software or hardware, defenses rely on process rather than after-the-fact detection: pinning dependency versions, buying devices only from official channels, verifying firmware signatures, and running independent security audits of critical code before it ships.