Safery: Ethereum Wallet Chrome Extension
Cybersecurity researchers have identified a dangerous Chrome extension masquerading as a legitimate Ethereum wallet. Named Safery: Ethereum Wallet, the extension claims to offer a 'secure wallet for managing Ethereum cryptocurrency with flexible settings.' It was first uploaded to the Chrome Web Store on September 29, 2025, with its most recent update on November 12. Despite its appearance as a simple and secure Ethereum (ETH) wallet, it conceals sophisticated malware designed to steal users' seed phrases.
How the Malware Operates
The malicious extension contains a backdoor that exfiltrates wallet mnemonic phrases by encoding them into fake Sui addresses. It then broadcasts micro-transactions to those addresses from a threat-actor-controlled Sui wallet, so the attacker can recover the phrases from the public chain without operating a traditional Command-and-Control (C2) server.
The workflow is as follows:
- The extension encodes a user's seed phrase as a Sui address.
- It sends tiny micro-transactions (0.000001 SUI) to these fake addresses from the attacker's wallet.
- The attacker monitors the blockchain and decodes the recipient addresses to reconstruct the original seed phrases.
- Once reconstructed, the attacker can drain the victim's assets from their wallet.
This method enables the attacker to smuggle sensitive data through seemingly normal blockchain transactions, bypassing traditional detection mechanisms.
Threat Detection Challenges
This attack technique is particularly stealthy because it allows threat actors to switch chains and RPC endpoints easily. As a result, defenses relying solely on domains, URLs, or specific extension IDs may fail. Unexpected blockchain RPC calls from the browser, especially when the product claims to operate on a single chain, should be treated as high-risk signals.
Recommended Mitigation Strategies
To protect against this threat, cybersecurity experts advise the following precautions:
For users: Only install wallet extensions from trusted and verified sources. Avoid extensions that are newly published or have limited reviews.
For defenders: Scan browser extensions for malicious behaviors such as mnemonic encoders, synthetic address generators, and hard-coded seed phrases. Block any extension that attempts to write transactions on-chain during wallet creation or import.
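The two defender-side signals above (unexpected-chain RPC calls from a product that claims to be single-chain, and on-chain writes or hard-coded seed phrases during wallet creation or import) can be turned into concrete checks. The following is an added example written for this page, not code from the researchers or from any extension scanner; the telemetry records, hostnames and extension id are constructed, and the mnemonic check is a length/shape heuristic rather than a full BIP-39 wordlist and checksum validation.

```python
"""Defender-side checks for the behaviours described above (added example, constructed data)."""
import re
from dataclasses import dataclass

# JSON-RPC method prefixes mapped to the chain they belong to.
CHAIN_BY_METHOD_PREFIX = {
    "eth_": "ethereum",
    "net_": "ethereum",
    "web3_": "ethereum",
    "sui_": "sui",
    "suix_": "sui",
}

# Methods that submit a signed transaction, i.e. write to the chain.
WRITE_METHODS = {
    "eth_sendRawTransaction",
    "eth_sendTransaction",
    "sui_executeTransactionBlock",
}

# A wallet has no legitimate reason to write on-chain while being created or imported.
ONBOARDING_PHASES = {"wallet_create", "wallet_import"}


@dataclass
class RpcCall:
    """One outbound JSON-RPC call observed from a browser extension (constructed telemetry shape)."""
    ts: str
    extension_id: str
    host: str
    method: str
    phase: str  # which part of the extension's workflow issued the call


def chain_of(method: str) -> str:
    """Classify a JSON-RPC method by the chain its prefix belongs to."""
    for prefix, chain in CHAIN_BY_METHOD_PREFIX.items():
        if method.startswith(prefix):
            return chain
    return "unknown"


def audit_rpc_calls(calls, declared_chains):
    """Return (severity, reason, call) findings for calls that contradict the product's claims.

    declared_chains: the chains the store listing says the wallet supports.
    """
    findings = []
    for call in calls:
        chain = chain_of(call.method)
        if chain not in declared_chains:
            findings.append(("high", f"rpc to undeclared chain '{chain}'", call))
        if call.method in WRITE_METHODS and call.phase in ONBOARDING_PHASES:
            findings.append(("critical", f"on-chain write during {call.phase}", call))
    return findings


# Heuristic: a quoted string literal holding exactly 12 or 24 lowercase words of 3-8 letters
# (the BIP-39 word lengths). A production scanner would also verify each word against the
# BIP-39 wordlist and check the phrase checksum to cut false positives.
_MNEMONIC_RE = re.compile(
    r"""["']((?:[a-z]{3,8} ){11}[a-z]{3,8}|(?:[a-z]{3,8} ){23}[a-z]{3,8})["']"""
)


def find_hardcoded_mnemonics(source: str):
    """Return candidate seed phrases found as string literals in extension source."""
    return [m.group(1) for m in _MNEMONIC_RE.finditer(source)]


# Constructed telemetry for an extension whose listing claims Ethereum only.
SAMPLE_CALLS = [
    RpcCall("2025-11-12T10:00:01Z", "ext-constructed-1", "eth-rpc.example.com", "eth_blockNumber", "idle"),
    RpcCall("2025-11-12T10:00:05Z", "ext-constructed-1", "sui-rpc.example.com", "suix_getBalance", "wallet_import"),
    RpcCall("2025-11-12T10:00:06Z", "ext-constructed-1", "sui-rpc.example.com", "sui_executeTransactionBlock", "wallet_import"),
]

# Constructed source snippet: a hard-coded 12-word phrase beside harmless strings.
SAMPLE_SOURCE = """
const label = "hello world";
const SEED = "abandon ability able about above absent absorb abstract absurd abuse access accident";
const note = "this string has thirteen words in it so it should not be flagged by the check";
"""

if __name__ == "__main__":
    for severity, reason, call in audit_rpc_calls(SAMPLE_CALLS, {"ethereum"}):
        print(f"[{severity}] {reason}: {call.ts} {call.host} {call.method}")
    for phrase in find_hardcoded_mnemonics(SAMPLE_SOURCE):
        print("[critical] hard-coded mnemonic literal:", phrase[:20] + "...")
```

The RPC audit keys on method-name prefixes rather than hostnames so that it still fires when the extension switches RPC endpoints, which is exactly the evasion the Threat Detection Challenges section warns about; any write method during `wallet_create` or `wallet_import` is treated as the highest-severity signal regardless of chain.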
By applying these precautions, both end-users and security teams can significantly reduce the risk of seed phrase theft and unauthorized fund withdrawals.