
Cybersecurity researchers have discovered a malicious Chrome extension that has the ability to steal users’ seed phrases while masquerading as a legitimate Ethereum wallet.
The extension is named “Safery: Ethereum Wallet,” and the attackers describe it as “a secure wallet for managing your Ethereum cryptocurrency with flexible settings.” It was uploaded to the Chrome Web Store on September 29, 2025 and updated on November 12, 2025. It is still available for download as of this writing.
“Although marketed as a simple and secure Ethereum (ETH) wallet, it contains a backdoor that steals the seed phrase by encoding it into a Sui address and broadcasting microtransactions from the Sui wallet controlled by the threat actor,” said Socket security researcher Kirill Boychenko.

Specifically, the malware within the browser add-on steals the wallet’s mnemonic phrase by encoding it as a fake Sui wallet address and then sending a microtransaction of 0.000001 SUI from a hard-coded, threat-actor-controlled wallet to that fabricated address.
The malware’s ultimate goal is to smuggle seed phrases inside normal-looking blockchain transactions without having to stand up a command-and-control (C2) server to receive them. Once a transaction lands on-chain, the threat actors decode the recipient address to reconstruct the original seed phrase and then drain the victim’s assets.

“The extension steals the wallet seed phrase by encoding it as a fake Sui address and sending microtransactions from an attacker-controlled wallet, allowing the attacker to monitor the blockchain, decode the address back to the seed phrase, and exfiltrate the victim’s funds,” Koi Security noted in its analysis.
To counter the risk posed by this threat, users are advised to rely only on trusted wallet extensions. Defenders are encouraged to scan for mnemonic encoders, synthetic address generators, and hard-coded seed phrases, and to block extensions that exhibit them from writing to the chain during wallet import or creation.
“Using this technique, attackers can switch chains and RPC endpoints with little effort, so detections that rely on domains, URLs, or specific extension IDs are missed,” Boychenko said. “Treat unexpected blockchain RPC calls from browsers as a high signal, especially if your product claims to be single-chain.”
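The defender checks in the two paragraphs above (scan for mnemonic encoders, synthetic address generators and hard-coded seed phrases; treat RPC activity on a chain the wallet does not claim to serve as high signal) can be turned into a static triage script run over an extension bundle before it is allowed into a browser fleet. The following is an added example, not code from the article, Socket or Koi Security. The RPC host table, the JSON-RPC method-name prefixes, the `padEnd(64)` address-construction heuristic, and the sample manifest and source it scans are assumptions or constructed fixtures, not the real extension's contents.

```python
"""Static triage of a browser-wallet extension for cross-chain exfiltration indicators.

Added example, not code from the article or from Socket/Koi Security. It checks an
extension's manifest and bundled source for: RPC hosts and JSON-RPC methods belonging to a
chain other than the one the wallet claims to serve, hard-coded mnemonic phrases, and a
synthetic-address construction pattern. Host names, RPC prefixes and the sample bundle are
assumptions or constructed input, not the real extension's contents.
"""
import json
import re
from typing import Dict, List

# Assumed mapping of public RPC hosts to chains; extend for your environment.
CHAIN_HOSTS: Dict[str, str] = {
    "mainnet.infura.io": "ethereum",
    "cloudflare-eth.com": "ethereum",
    "fullnode.mainnet.sui.io": "sui",
    "fullnode.testnet.sui.io": "sui",
    "api.mainnet-beta.solana.com": "solana",
}
# Assumed JSON-RPC method-name prefixes per chain.
RPC_PREFIXES: Dict[str, str] = {"eth_": "ethereum", "sui_": "sui", "suix_": "sui", "unsafe_": "sui"}

HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
STRING_RE = re.compile(r'"([^"\n]*)"|\'([^\'\n]*)\'')
RPC_METHOD_RE = re.compile(r'["\']((?:eth|sui|suix|unsafe)_[A-Za-z0-9]+)["\']')
BIP39_WORD_RE = re.compile(r"^[a-z]{3,8}$")  # BIP-39 words are 3-8 lowercase letters
# Heuristic (assumption): a 32-byte, 64-hex-char (Sui-sized) address built by padding a
# string rather than derived from a key.
SYNTH_ADDR_RE = re.compile(r"pad(?:Start|End)\(\s*64\b")


def looks_like_mnemonic(literal: str) -> bool:
    """12 or 24 words that each fit the BIP-39 word shape. A production scanner would
    also verify every word against the BIP-39 wordlist."""
    words = literal.split()
    return len(words) in (12, 24) and all(BIP39_WORD_RE.match(w) for w in words)


def scan_extension(manifest_json: str, source: str, declared_chain: str) -> List[dict]:
    """Return a list of findings; an empty list means no indicator was seen."""
    manifest = json.loads(manifest_json)
    findings: List[dict] = []

    # 1. Hosts from manifest host_permissions plus URL literals in the bundle.
    host_text = " ".join(manifest.get("host_permissions", [])) + " " + source
    for host in sorted(set(HOST_RE.findall(host_text))):
        chain = CHAIN_HOSTS.get(host)
        if chain and chain != declared_chain:
            findings.append({"type": "foreign_chain_host", "chain": chain, "detail": host})

    # 2. JSON-RPC method names that belong to another chain.
    for method in sorted(set(RPC_METHOD_RE.findall(source))):
        chain = RPC_PREFIXES.get(method.split("_", 1)[0] + "_")
        if chain and chain != declared_chain:
            findings.append({"type": "foreign_chain_rpc", "chain": chain, "detail": method})

    # 3. Hard-coded mnemonics, reported redacted: never copy a seed phrase into a report.
    for dq, sq in STRING_RE.findall(source):
        literal = dq or sq
        if looks_like_mnemonic(literal):
            words = literal.split()
            findings.append({"type": "hardcoded_mnemonic", "chain": None,
                             "detail": f"{len(words)}-word phrase starting with '{words[0]}'"})

    # 4. Fixed-width address construction from arbitrary data.
    if SYNTH_ADDR_RE.search(source):
        findings.append({"type": "synthetic_address_builder", "chain": None,
                         "detail": "pad*(64) on an address string"})
    return findings


def is_high_signal(findings: List[dict]) -> bool:
    """Another chain's RPC surface inside a single-chain wallet, combined with a baked-in
    funding mnemonic, is the pairing the article describes: treat it as high signal."""
    types = {f["type"] for f in findings}
    return bool(types & {"foreign_chain_host", "foreign_chain_rpc"}) and "hardcoded_mnemonic" in types


# Constructed fixtures (not the real extension): an "Ethereum-only" wallet whose bundle
# also carries a Sui endpoint, a Sui RPC call, a placeholder phrase and an address builder.
SAMPLE_MANIFEST = json.dumps({"manifest_version": 3, "name": "Example ETH Wallet (constructed)",
                              "host_permissions": ["https://mainnet.infura.io/*",
                                                   "https://fullnode.mainnet.sui.io/*"]})
SAMPLE_SOURCE = """
const ETH_RPC = "https://mainnet.infura.io/v3/PLACEHOLDER";
const SUI_RPC = "https://fullnode.mainnet.sui.io";
// constructed placeholder phrase, not a real wallet
const FUNDING_MNEMONIC = "alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima";
function toSuiAddress(words) { return "0x" + hex(words).padEnd(64, "0"); }
async function balance(a) { return rpc(ETH_RPC, "eth_getBalance", [a, "latest"]); }
async function ping(a) { return rpc(SUI_RPC, "sui_executeTransactionBlock", [a]); }
"""
CLEAN_MANIFEST = json.dumps({"manifest_version": 3, "host_permissions": ["https://mainnet.infura.io/*"]})
CLEAN_SOURCE = """
const ETH_RPC = "https://mainnet.infura.io/v3/PLACEHOLDER";
async function balance(a) { return rpc(ETH_RPC, "eth_getBalance", [a, "latest"]); }
"""

if __name__ == "__main__":
    hits = scan_extension(SAMPLE_MANIFEST, SAMPLE_SOURCE, declared_chain="ethereum")
    for hit in hits:
        print(f"[{hit['type']}] chain={hit['chain']} {hit['detail']}")
    print("high signal:", is_high_signal(hits))
    print("clean bundle findings:", scan_extension(CLEAN_MANIFEST, CLEAN_SOURCE, "ethereum"))
```

Point the script at an unpacked extension directory (manifest.json plus the concatenated script files) and pass the chain the store listing claims. The host and prefix tables are deliberately small and easy to extend; the point of keying on chain mismatch rather than on a domain or extension ID is that, as Boychenko notes, those indicators change cheaply while "an Ethereum wallet that talks to a Sui full node" does not.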
