Beware 'Safery': Fake Chrome Extension Steals Ethereum Seed Phrases via Sui Blockchain
- John Jordan
A deceptive Google Chrome extension, "Safery: Ethereum Wallet," has been discovered that masquerades as a legitimate cryptocurrency wallet while secretly stealing users' Ethereum seed phrases. Its exfiltration channel is unusual: the extension encodes the seed phrase into Sui blockchain transactions, so the stolen data leaves the browser as ordinary RPC traffic to a Sui endpoint rather than as a connection to a command-and-control server, which makes it hard to detect with controls that watch for C2 domains.
Key Takeaways
A fake Chrome extension named "Safery: Ethereum Wallet" is stealing users' Ethereum seed phrases.
The extension encodes seed phrases into Sui blockchain addresses and broadcasts microtransactions.
The exfiltration hides inside legitimate-looking blockchain RPC traffic, so network controls that look for command-and-control domains or suspicious servers do not catch it.
Users are urged to use only trusted wallet extensions and be wary of unexpected blockchain RPC calls.
The Deceptive 'Safery' Extension
The "Safery: Ethereum Wallet" extension was available on the Chrome Web Store, initially uploaded on September 29, 2025, and updated as recently as November 12. It presented itself as a secure and user-friendly wallet for managing Ethereum, promising easy transfers and balance management. However, security researchers from Socket discovered a hidden backdoor within the extension.
How Seed Phrases Are Stolen
When a user creates or imports a wallet with the Safery extension, the malware encodes the BIP-39 mnemonic seed phrase into one or more synthetic Sui blockchain addresses (a Sui address is 32 bytes, so a 12-word phrase fits in a single address and longer phrases span several). It then broadcasts microtransactions that send a minuscule amount of SUI (0.000001 SUI) from a wallet the threat actor controls to each encoded address, which implies the extension itself carries the signing material for that wallet and that the attacker, not the victim, pays the gas. The victim's seed phrase therefore ends up on a public ledger as the recipient field of transfers that look like ordinary dust transactions.
Bypassing Detection
This method allows threat actors to exfiltrate sensitive data without needing a command-and-control (C2) server. By monitoring the Sui blockchain for transfers from their own wallet, the attacker can decode the recipient addresses to reconstruct the original seed phrase; since the ledger is public, the encoded phrase remains readable indefinitely and there is no domain to block or server to take down. This makes the malicious activity nearly invisible to conventional security monitoring tools that look for suspicious network destinations or domain connections.
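The encoding and recovery steps described in the two sections above, written out as an added example; this is not Socket's analysis, the extension's own code, or any real wallet's code. The page does not give the exact packing the malware uses, so the scheme here is an assumption: a one-byte word count followed by each word's 11-bit BIP-39 index, zero-padded to 32-byte (Sui address sized) chunks. The wordlist is passed in as a parameter; the demo substitutes a constructed 2048-token list for the real BIP-39 English list, and the sample phrases are constructed, not real wallets.

```javascript
// Added example: illustrative seed-phrase-to-address packing and its inverse.
// Packing format (an assumption, not the malware's documented format):
//   8-bit word count | 11 bits per word (BIP-39 index, MSB first) | zero padding
// split into 256-bit chunks, each rendered as a Sui-style 0x + 64-hex address.
const ADDRESS_BITS = 256; // a Sui address is 32 bytes
const ADDRESS_RE = /^0x[0-9a-f]{64}$/;

function encodeMnemonicToAddresses(mnemonic, wordlist) {
  const words = mnemonic.trim().toLowerCase().split(/\s+/);
  if (![12, 15, 18, 21, 24].includes(words.length)) {
    throw new Error(`unexpected BIP-39 word count: ${words.length}`);
  }
  let bits = words.length.toString(2).padStart(8, '0');
  for (const w of words) {
    const idx = wordlist.indexOf(w);
    if (idx < 0) throw new Error(`word not in list: ${w}`);
    bits += idx.toString(2).padStart(11, '0');
  }
  // Zero-pad up to a whole number of addresses.
  const total = Math.ceil(bits.length / ADDRESS_BITS) * ADDRESS_BITS;
  bits = bits.padEnd(total, '0');
  const addresses = [];
  for (let off = 0; off < bits.length; off += ADDRESS_BITS) {
    const chunk = BigInt('0b' + bits.slice(off, off + ADDRESS_BITS));
    addresses.push('0x' + chunk.toString(16).padStart(64, '0'));
  }
  return addresses;
}

// What the attacker does with the recipient addresses seen on-chain.
function decodeAddressesToMnemonic(addresses, wordlist) {
  let bits = '';
  for (const a of addresses) {
    if (!ADDRESS_RE.test(a)) throw new Error(`not a 32-byte hex address: ${a}`);
    bits += BigInt(a).toString(2).padStart(ADDRESS_BITS, '0');
  }
  const count = parseInt(bits.slice(0, 8), 2);
  if (8 + 11 * count > bits.length) throw new Error('truncated payload');
  const words = [];
  for (let i = 0; i < count; i++) {
    const start = 8 + 11 * i;
    const idx = parseInt(bits.slice(start, start + 11), 2);
    if (idx >= wordlist.length) throw new Error(`index out of range: ${idx}`);
    words.push(wordlist[idx]);
  }
  return words.join(' ');
}

// Constructed stand-in for the 2048-word BIP-39 English list (same size, so
// indices use the full 11 bits); substitute the real list to use this for real.
const DEMO_WORDLIST = Array.from({ length: 2048 }, (_, i) => `w${i}`);

// Constructed sample phrases (not real wallets).
const DEMO_12 = [3, 2047, 0, 1024, 512, 77, 9, 1500, 31, 1999, 640, 2000]
  .map(i => `w${i}`).join(' ');
const DEMO_24 = DEMO_12 + ' ' + [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12]
  .map(i => `w${i}`).join(' ');

function demo() {
  const a12 = encodeMnemonicToAddresses(DEMO_12, DEMO_WORDLIST); // fits one address
  const a24 = encodeMnemonicToAddresses(DEMO_24, DEMO_WORDLIST); // needs two
  return {
    addresses12: a12,
    addresses24: a24,
    roundTrip12: decodeAddressesToMnemonic(a12, DEMO_WORDLIST) === DEMO_12,
    roundTrip24: decodeAddressesToMnemonic(a24, DEMO_WORDLIST) === DEMO_24,
  };
}
```

The point of the count header is that the decoder cannot otherwise tell padding zeros from a genuine word index 0; a 12-word phrase (8 + 132 bits) fits one address, while a 24-word phrase (8 + 264 bits) spills into a second, which is why the text speaks of "one or more" addresses.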
Recommendations for Users and Defenders
Users should install only well-established wallet extensions from verified publishers, such as MetaMask or Phantom, and treat any wallet whose behaviour during import or creation is unexplained with suspicion. For defenders, the useful signal is behavioural: an extension that claims to support a single chain should never issue RPC calls to another chain, and it has no reason to write to any chain or generate addresses while a wallet is merely being imported or created. Monitor browser-originated blockchain RPC calls for that mismatch and block extensions that exhibit it. Because a threat actor can switch blockchains and RPC endpoints at will, detections pinned to specific extension IDs or endpoint URLs will not hold; key them on the observed behaviour instead.
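A detection along the lines the section recommends, as an added example (not code from Socket, from the extension, or from any product named on the page): it audits constructed browser network-log entries and flags JSON-RPC calls that an extension makes to a chain it does not declare, keying on the method namespace rather than on the endpoint host or extension ID, since both are trivial for the attacker to change. The log entry format, the placeholder extension IDs, the hosts and the declared-chain table are assumptions; the method prefixes (`eth_`, `sui_`, `suix_`) follow the public Ethereum and Sui JSON-RPC naming.

```javascript
// Added example: audit browser network logs for cross-chain JSON-RPC calls
// made by wallet extensions. Entries are constructed; the log format is assumed.

// Chain family by JSON-RPC method namespace. The prefixes follow the public
// Ethereum and Sui JSON-RPC naming; the table is this example's, not exhaustive.
const METHOD_CHAIN = [
  [/^(eth|net|web3|wallet)_/, 'ethereum'],
  [/^(sui|suix|unsafe)_/, 'sui'],
];
// Methods that submit a signed transaction (a write to the chain).
const WRITE_METHOD = /^(eth_sendRawTransaction|sui_executeTransactionBlock)$/;

function chainOf(method) {
  for (const [re, chain] of METHOD_CHAIN) if (re.test(method)) return chain;
  return 'unknown';
}

// Extract method names from a JSON-RPC body, which may be one request or a batch.
function rpcMethods(body) {
  let parsed;
  try { parsed = JSON.parse(body); } catch { return []; }
  const reqs = Array.isArray(parsed) ? parsed : [parsed];
  return reqs.filter(r => r && typeof r.method === 'string').map(r => r.method);
}

// entries: [{ initiator, url, body }]; declaredChains: initiator -> [chains].
// Returns one finding per RPC call whose chain the initiator does not declare.
function auditRpcLog(entries, declaredChains) {
  const findings = [];
  for (const e of entries) {
    if (!e.initiator.startsWith('chrome-extension://')) continue; // extensions only
    const declared = declaredChains[e.initiator] || [];
    for (const method of rpcMethods(e.body)) {
      const chain = chainOf(method);
      if (chain === 'unknown' || declared.includes(chain)) continue;
      findings.push({
        initiator: e.initiator, url: e.url, method, chain,
        // A write to an undeclared chain is the pattern described on this page.
        severity: WRITE_METHOD.test(method) ? 'high' : 'medium',
      });
    }
  }
  return findings;
}

// Constructed sample: placeholder extension IDs and .invalid hosts, not real ones.
const EXT_ETH_ONLY = 'chrome-extension://' + 'a'.repeat(32);
const EXT_MULTI = 'chrome-extension://' + 'b'.repeat(32);
const DECLARED_CHAINS = {
  [EXT_ETH_ONLY]: ['ethereum'],
  [EXT_MULTI]: ['ethereum', 'sui'],
};
const SAMPLE_LOG = [
  { initiator: EXT_ETH_ONLY, url: 'https://rpc.example-eth.invalid/',
    body: '{"jsonrpc":"2.0","id":1,"method":"eth_getBalance","params":["0xabc","latest"]}' },
  // Ethereum-only extension submitting a Sui transaction: the exfiltration write.
  { initiator: EXT_ETH_ONLY, url: 'https://fullnode.example-sui.invalid/',
    body: '{"jsonrpc":"2.0","id":2,"method":"sui_executeTransactionBlock","params":["<tx>",["<sig>"]]}' },
  // Batched request carrying a Sui read from the same extension, via a different host.
  { initiator: EXT_ETH_ONLY, url: 'https://some-other-host.invalid/',
    body: '[{"jsonrpc":"2.0","id":3,"method":"suix_getBalance","params":["0xdef"]}]' },
  // Declared multi-chain wallet doing the same call: allowed.
  { initiator: EXT_MULTI, url: 'https://fullnode.example-sui.invalid/',
    body: '{"jsonrpc":"2.0","id":4,"method":"sui_executeTransactionBlock","params":[]}' },
  // Page-initiated traffic and non-JSON bodies are out of scope here.
  { initiator: 'https://dapp.invalid', url: 'https://fullnode.example-sui.invalid/',
    body: 'not json' },
];
```

Run `auditRpcLog(SAMPLE_LOG, DECLARED_CHAINS)` and the two calls from the Ethereum-only extension are flagged (the transaction submission as high, the balance read as medium) even though they go to different hosts, while the same calls from the declared multi-chain wallet pass. Swapping the Sui endpoint or republishing under a new extension ID does not change the verdict; moving to a third chain only requires adding its method namespace to the table.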
Sources
Fake Chrome Extension "Safery" Steals Ethereum Wallet Seed Phrases Using Sui Blockchain, The Hacker News.
Malicious Chrome Extension Grants Full Control Over Ethereum Wallet, GBHackers News.