- A malicious Chrome extension named Safery: Ethereum Wallet disguises itself as a secure Ethereum wallet but steals users’ seed phrases.
- The extension encodes stolen seed phrases into synthetic Sui Blockchain addresses and broadcasts micro-transactions to exfiltrate data.
- Seed phrase theft occurs without a command-and-control server, allowing the attacker to decode transactions later and access victims’ funds.
- The extension has been available on the Chrome Web Store since September 29, 2025, and was updated as recently as November 12, 2025.
- Users should prefer trusted wallet extensions and defenders should scan for suspicious behaviors such as mnemonic encoding and on-chain activity during wallet import.
A harmful Chrome browser extension called Safery: Ethereum Wallet has been discovered, posing as a legitimate tool for managing Ethereum cryptocurrency since its release on September 29, 2025. This extension claims to offer secure wallet management but secretly captures users’ wallet seed phrases, critical credentials that allow access to crypto assets. Despite updates as recent as November 12, 2025, the extension remains available on the Chrome Web Store.
The extension operates by encoding seed phrases into counterfeit Sui blockchain wallet addresses, then sending minute transactions of approximately $0.000001 worth of SUI tokens from a threat actor-controlled wallet to those addresses. This method hides sensitive data inside apparently normal blockchain activity without the need for a command-and-control (C2) server. According to security researcher Kirill Boychenko, this technique enables attackers to monitor the blockchain for these transactions and later decode the recipient addresses to reconstruct stolen seed phrases.
This vector allows threat actors to easily switch blockchain networks and remote procedure call (RPC) endpoints, complicating detection efforts that rely on monitoring specific domains, URLs, or extension IDs. Security analysts at Koi Security detailed how the extension sends micro-transactions to fake addresses to steal users’ mnemonic phrases and subsequently drain victims’ funds.
To mitigate risks, users are advised to use well-known and trusted wallet extensions. Security professionals are encouraged to detect and block extensions that generate synthetic blockchain addresses, encode mnemonics, or conduct unauthorized on-chain operations during wallet creation or import. Boychenko emphasizes treating unexpected blockchain RPC calls in browsers as high-risk signals, particularly when extensions advertise support for only a single blockchain network.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Chinese ‘Warren Buffett’ Zhao Bingxian’s Divorce Ends After 15 Years
- Bitfarms Eyes NVIDIA’s Vera Rubin GPUs Amid Earnings Miss, Stock Falls
- Michael Saylor Calls MSTR a “Digital Treasury”—Claim Sparks Debate
- FanDuel Teams with CME for New Prediction Markets App Launch
- Europol Takedown Targets Rhadamanthys, Venom RAT, Elysium Botnet
