---
title: "Malicious Chrome Extension Steals Ethereum Wallets"
date: 2025-11-14
author: "Sofia Ramirez"
featured_image: "https://sqmagazine.co.uk/wp-content/uploads/2025/11/fake-ethereum-walllet-on-chrome-web-store-exposed.jpg"
categories:
  - name: "Cybersecurity"
    url: "/cybersecurity.md"
tags:
  - name: "News"
    url: "/tag/news.md"
---

# Malicious Chrome Extension Steals Ethereum Wallets

A Chrome extension pretending to be a secure Ethereum wallet has been caught secretly stealing user seed phrases using a stealthy blockchain-based method.

## Quick Summary – TLDR:

- A Chrome extension named “Safery: Ethereum Wallet” steals seed phrases from users.
- It encodes the stolen data as fake Sui blockchain addresses and sends tiny transactions.
- The extension remains available in the Chrome Web Store, ranking high in search results.
- No command-and-control server is used, making detection harder for traditional systems.

## What Happened?

Security researchers have discovered a malicious Chrome extension called **“Safery: Ethereum Wallet”** that disguises itself as a legitimate Ethereum wallet but covertly siphons users’ seed phrases. The extension employs a clever technique involving the **Sui blockchain** to smuggle sensitive data without raising alarms.

> 🚨 SECURITY ALERT: Malicious Chrome Extension Stealing Crypto Assets  
>   
> A fake Ethereum wallet extension “Safery: Ethereum Wallet” is exfiltrating seed phrases by encoding them into [\#Sui](https://twitter.com/hashtag/Sui?src=hash&ref_src=twsrc%5Etfw) transactions—a highly sophisticated attack method.  
>   
> ⚠️ Extension Name: Safery: Ethereum Wallet… [pic.twitter.com/FIEkkq2pau](https://t.co/FIEkkq2pau)
> 
> — GoPlus Security 🚦 (@GoPlusSecurity) [November 14, 2025](https://twitter.com/GoPlusSecurity/status/1989181176653967417?ref_src=twsrc%5Etfw)

## The Threat Hidden in Plain Sight

Despite its malicious nature, “Safery: Ethereum Wallet” has been available on the **Chrome Web Store since September 29, 2025**, and was most recently updated on **November 12**. As of November 13, it still ranked **fourth** in search results for “Ethereum Wallet,” just behind well-known names like [MetaMask](https://sqmagazine.co.uk/metamask-wallet-statistics/) and Enkrypt.

While marketed as a **secure [Ethereum](https://sqmagazine.co.uk/ethereum-statistics/) wallet with flexible settings**, the extension secretly contains **malware** that activates when users create or import a wallet. Once a seed phrase is input, the malware encodes it into **synthetic Sui addresses**, then sends microtransactions of **0.000001 SUI** to these addresses from a wallet controlled by the attacker.

## How It Works

- Users either **create a new wallet** or **import an existing one**, triggering the malware.
- The **seed phrase** is encoded into fake **Sui-style wallet addresses**.
- The extension initiates a **microtransaction** to each fake address from a known attacker-controlled Sui wallet.
- These transactions are publicly visible but look ordinary to blockchain monitoring tools.
- The attacker monitors these transactions and **decodes the addresses** to reconstruct the original seed phrase.
- With the phrase in hand, the **attacker can access and drain the victim’s Ethereum assets**.

This method **avoids using any command-and-control (C2) infrastructure**, reducing the likelihood of being caught by traditional security systems.

## Red Flags You Shouldn’t Ignore

Several warning signs were present in the extension:

- **Zero user reviews** on the Chrome Web Store.
- **Grammatical errors** in the product branding.
- **No official website** or verified company affiliation.
- **Developer email linked to a [Gmail](https://sqmagazine.co.uk/gmail-statistics/) account**.

These indicators suggest a lack of legitimacy and should raise red flags for users.

## What Security Experts Are Saying

Kirill Boychenko, a researcher at Socket, explained:

> “This technique lets threat actors switch chains and RPC endpoints with little effort, so detections that rely on domains, URLs, or specific extension IDs will miss it. Treat unexpected blockchain RPC calls from the browser as high signal, especially when the product claims to be single chain.”
>
> Kirill Boychenko, Researcher – Socket

Koi Security, in a separate analysis, confirmed the attack method, stating:

> “This extension steals wallet seed phrases by encoding them as fake Sui addresses and sending micro-transactions to them from an attacker-controlled wallet.”
>
> Koi Security

## Staying Safe in a Risky Environment

Experts strongly advise users to stick with **well-reviewed, officially verified wallet extensions**. For defenders, it’s important to:

- Scan extensions for **mnemonic encoders** and **synthetic address generators**.
- Block any extension that **writes to the [blockchain](https://sqmagazine.co.uk/blockchain-statistics/) during wallet import or creation**.
- Monitor browser activity for **unexpected blockchain RPC calls**.
- Avoid wallets that lack professional branding or use free email services for developer contact.
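
One way to act on the RPC-monitoring advice above, as an added example that is not from the original article or the researchers it quotes: it classifies captured JSON-RPC calls by method namespace rather than by domain or URL, and rates transaction submissions higher than reads. The record shape, the extension inventory and the `.example` endpoints are assumptions constructed for illustration.

```javascript
// Added example: sample traffic, extension IDs and hosts are constructed.
// JSON-RPC method namespaces mapped to the chain that uses them.
const CHAIN_BY_PREFIX = { eth_: 'ethereum', net_: 'ethereum', web3_: 'ethereum',
                          sui_: 'sui', suix_: 'sui' };
// Methods that submit a transaction (a write) rather than read state.
const WRITE_METHODS = new Set(['eth_sendRawTransaction', 'eth_sendTransaction',
                               'sui_executeTransactionBlock']);

function chainOf(method) {
  const prefix = Object.keys(CHAIN_BY_PREFIX).find((p) => method.startsWith(p));
  return prefix ? CHAIN_BY_PREFIX[prefix] : 'unknown';
}

// Pull method names out of a request body; handles batches and non-JSON bodies.
function rpcMethods(body) {
  let parsed;
  try { parsed = JSON.parse(body); } catch { return []; }
  const calls = Array.isArray(parsed) ? parsed : [parsed];
  return calls.filter((c) => c && c.jsonrpc === '2.0' && typeof c.method === 'string')
              .map((c) => c.method);
}

// One finding per call to a chain the extension is not declared to support.
// The endpoint URL is reported but never used for the decision.
function findOffChainCalls(records, claimedChains) {
  const findings = [];
  for (const rec of records) {
    const claimed = claimedChains[rec.extensionId] || [];
    for (const method of rpcMethods(rec.body)) {
      const chain = chainOf(method);
      if (chain === 'unknown' || claimed.includes(chain)) continue;
      findings.push({ extensionId: rec.extensionId, url: rec.url, method, chain,
                      severity: WRITE_METHODS.has(method) ? 'high' : 'medium' });
    }
  }
  return findings;
}

const rpc = (method) => ({ jsonrpc: '2.0', id: 1, method, params: [] });
const CLAIMED = { 'ext-wallet-a': ['ethereum'] };          // hypothetical inventory
const SAMPLE = [                                           // constructed traffic
  { extensionId: 'ext-wallet-a', url: 'https://rpc-one.example/', body: JSON.stringify(rpc('eth_getBalance')) },
  { extensionId: 'ext-wallet-a', url: 'https://rpc-two.example/', body: JSON.stringify(rpc('suix_getBalance')) },
  { extensionId: 'ext-wallet-a', url: 'https://rpc-three.example/',
    body: JSON.stringify([rpc('sui_getObject'), rpc('sui_executeTransactionBlock')]) },
  { extensionId: 'ext-wallet-a', url: 'https://cdn.example/app.js', body: 'not json' },
];
console.log(findOffChainCalls(SAMPLE, CLAIMED));
```

An extension missing from the inventory is treated as claiming no chains, so every recognised chain call it makes is reported.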

## SQ Magazine’s Takeaway

Honestly, this is one of the more creative and dangerous wallet scams I’ve seen in a while. What makes it worse is that the extension looks relatively harmless and even ranks high in search. If you’re into crypto, **do not install any wallet extension that lacks reviews, a proper website, or comes from a sketchy email**. It’s just not worth the risk. Always verify and double-check the source. And if you already installed “Safery,” consider your seed compromised and **move your funds immediately**.