A Chrome extension posing as a secure Ethereum wallet has been caught stealing users’ seed phrases and smuggling them out through transactions on the Sui blockchain, with no attacker server involved.
Quick Summary – TLDR:
- A Chrome extension named “Safery: Ethereum Wallet” steals seed phrases from users.
- It encodes the stolen phrase into fake Sui addresses and sends tiny transactions to them from an attacker-controlled wallet.
- The extension remains available in the Chrome Web Store, ranking high in search results.
- No command-and-control server is involved: the public Sui ledger is the exfiltration channel, so network defenses that look for C2 traffic see nothing unusual.
What Happened?
Security researchers have discovered a malicious Chrome extension called “Safery: Ethereum Wallet” that passes itself off as a legitimate Ethereum wallet but covertly siphons users’ seed phrases. Rather than contacting an attacker server, it uses transactions on the Sui blockchain as a covert channel to smuggle the phrases out, so the theft produces no traffic that looks like exfiltration.
🚨 SECURITY ALERT: Malicious Chrome Extension Stealing Crypto Assets
— GoPlus Security 🚦 (@GoPlusSecurity) November 14, 2025
A fake Ethereum wallet extension “Safery: Ethereum Wallet” is exfiltrating seed phrases by encoding them into #Sui transactions—a highly sophisticated attack method.
⚠️ Extension Name: Safery: Ethereum Wallet… pic.twitter.com/FIEkkq2pau
The Threat Hidden in Plain Sight
Despite its malicious nature, “Safery: Ethereum Wallet” has been available on the Chrome Web Store since September 29, 2025, and was most recently updated on November 12. As of November 13, it still ranked fourth in search results for “Ethereum Wallet,” just behind well-known names like MetaMask and Enkrypt.
While marketed as a secure Ethereum wallet with flexible settings, the extension secretly contains malware that activates when users create or import a wallet. Once a seed phrase is entered, the malware encodes it into synthetic Sui addresses and sends microtransactions of 0.000001 SUI to each of them from a wallet the attacker controls.
How It Works
- Users either create a new wallet or import an existing one, triggering the malware.
- The seed phrase is encoded into fake Sui-style wallet addresses.
- The extension initiates a microtransaction to each fake address from a known attacker-controlled Sui wallet.
- These transactions are publicly visible but look ordinary to blockchain monitoring tools.
- The attacker monitors these transactions and decodes the addresses to reconstruct the original seed phrase.
- With the phrase in hand, the attacker can access and drain the victim’s Ethereum assets.
Because the method needs no command-and-control (C2) infrastructure, there is no attacker domain or IP address for traditional network security tools to block or flag.
Red Flags You Shouldn’t Ignore
Several warning signs were present in the extension:
- Zero user reviews on the Chrome Web Store.
- Grammatical errors in the product branding.
- No official website or verified company affiliation.
- Developer email linked to a Gmail account.
These indicators suggest a lack of legitimacy and should raise red flags for users.
What Security Experts Are Saying
Kirill Boychenko, a researcher at Socket, explained:
Koi Security, in a separate analysis, confirmed the attack method, stating:
Staying Safe in a Risky Environment
Experts strongly advise users to stick with well-reviewed, officially verified wallet extensions. For defenders, it’s important to:
- Scan extensions for mnemonic encoders and synthetic address generators.
- Block any extension that writes to the blockchain during wallet import or creation; a legitimate wallet has no reason to broadcast a transaction at that point.
- Monitor browser activity for unexpected blockchain RPC calls, in particular calls to a chain the wallet does not claim to support (here, Sui RPC traffic from an “Ethereum” wallet).
- Avoid wallets that lack professional branding or use free email services for developer contact.
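To make the exfiltration channel in the “How It Works” steps concrete, and to give the defender checklist above something to run, here is an added example written for this article; it is not code from the Safery extension or from the researchers cited. The address encoding is an assumed toy scheme: the page does not describe how the extension actually packs a phrase into addresses, so this one simply splits the phrase’s UTF-8 bytes into 30-byte chunks, prefixes each chunk with an index and a length byte, and zero-pads it to the 32 bytes of a Sui address. The function names, the demo phrase (the first twelve words of the BIP-39 English list, not a real wallet), the random-looking “legitimate” address and the sample transfer records are all constructed for illustration; the 0.000001 SUI amount is the one reported above. Nothing is broadcast to any chain.

```javascript
// Added illustrative example for this article: NOT the Safery extension's code.
// The address encoding below is an ASSUMED toy scheme; the page does not
// describe the real one. Runs offline in Node or a browser; nothing is sent.

const SUI_ADDRESS_BYTES = 32;                 // Sui address: 32 bytes, "0x" + 64 hex
const HEADER_BYTES = 2;                       // [chunk index, payload length]
const PAYLOAD_BYTES = SUI_ADDRESS_BYTES - HEADER_BYTES;

function bytesToHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

function hexToBytes(address) {
  const hex = address.startsWith("0x") ? address.slice(2) : address;
  if (hex.length !== SUI_ADDRESS_BYTES * 2 || /[^0-9a-f]/i.test(hex)) {
    throw new Error("not a 32-byte hex address: " + address);
  }
  return Uint8Array.from({ length: SUI_ADDRESS_BYTES }, (_, i) =>
    parseInt(hex.slice(2 * i, 2 * i + 2), 16));
}

// Attacker side, step 2 of "How It Works": the phrase's UTF-8 bytes are cut
// into 30-byte chunks; each chunk becomes one zero-padded 32-byte "address".
function encodeMnemonicAsAddresses(mnemonic) {
  const data = new TextEncoder().encode(mnemonic.trim());
  const addresses = [];
  for (let off = 0, idx = 0; off < data.length; off += PAYLOAD_BYTES, idx++) {
    const chunk = data.subarray(off, off + PAYLOAD_BYTES);
    const addr = new Uint8Array(SUI_ADDRESS_BYTES);   // unused tail stays 0x00
    addr[0] = idx;
    addr[1] = chunk.length;
    addr.set(chunk, HEADER_BYTES);
    addresses.push("0x" + bytesToHex(addr));
  }
  return addresses;
}

// Attacker side, step 5: read the recipients of the dust transfers from a public
// explorer and rebuild the phrase, whatever order the transactions landed in.
function decodeAddressesToMnemonic(addresses) {
  const chunks = addresses
    .map(hexToBytes)
    .sort((a, b) => a[0] - b[0])
    .map((bytes) => bytes.subarray(HEADER_BYTES, HEADER_BYTES + bytes[1]));
  const joined = new Uint8Array(chunks.reduce((n, c) => n + c.length, 0));
  let off = 0;
  for (const c of chunks) { joined.set(c, off); off += c.length; }
  return new TextDecoder().decode(joined);
}

// Defender side: a genuine address is effectively 32 random bytes, so only
// ~37% of them land in printable ASCII. A recipient whose bytes are mostly
// text plus zero padding is almost certainly an encoded payload. The text
// share alone must also dominate, so all-zero system addresses are not flagged.
function looksSyntheticAddress(address) {
  const bytes = hexToBytes(address);
  let printable = 0, zero = 0;
  for (const b of bytes) {
    if (b >= 0x20 && b <= 0x7e) printable++;
    else if (b === 0x00) zero++;
  }
  return printable / bytes.length >= 0.5 && (printable + zero) / bytes.length >= 0.8;
}

// Screen a batch of transfer records (sender, recipient, amount) and return
// the ones whose recipient looks synthetic.
function flagSuspiciousTransfers(transfers) {
  return transfers.filter((t) => looksSyntheticAddress(t.recipient));
}

// Constructed demo data: the first twelve BIP-39 English words (not a real
// wallet), a random-looking 32-byte address, and a few fake transfer records.
const DEMO_MNEMONIC =
  "abandon ability able about above absent absorb abstract absurd abuse access accident";
const LEGIT_RECIPIENT =
  "0xe3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";
const DEMO_TRANSFERS = [
  ...encodeMnemonicAsAddresses(DEMO_MNEMONIC).map((recipient) => ({
    sender: "attacker-wallet", recipient, amount: "0.000001",
  })),
  { sender: "attacker-wallet", recipient: LEGIT_RECIPIENT, amount: "12.5" },
];

console.log(encodeMnemonicAsAddresses(DEMO_MNEMONIC));
console.log(decodeAddressesToMnemonic(encodeMnemonicAsAddresses(DEMO_MNEMONIC).reverse()));
console.log(flagSuspiciousTransfers(DEMO_TRANSFERS).map((t) => t.recipient));
```

The twelve-word demo phrase is 84 bytes, so it needs three addresses, and the decoder recovers it even when the transfers are read back in reverse order. The detector’s weakness is worth knowing: a final chunk carrying only a few bytes of text would fall under the 50% printable threshold, so in practice this byte-level check should sit beside the behavioural signals in the list above (one sender making many dust transfers to fresh addresses, and any transaction at all being broadcast during wallet import or creation).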
SQ Magazine Takeaway
Honestly, this is one of the more creative and dangerous wallet scams I’ve seen in a while. What makes it worse is that the extension looks relatively harmless and even ranks high in search. If you’re into crypto, do not install any wallet extension that lacks reviews or a proper website, or that comes from a sketchy email address. It’s just not worth the risk. Always verify and double-check the source. And if you already installed “Safery,” consider your seed compromised and move your funds immediately.
