Socket’s Threat Research Team identified a malicious Chrome extension called “Safery: Ethereum Wallet” that operates as a seed phrase thief under the guise of a functional cryptocurrency wallet. The extension was added to the Chrome Web Store on September 29, 2025, received an update on November 12, and remains accessible for users to download. Despite falsely promoting itself as a secure, private, and user-friendly Ethereum wallet that facilitates easy transactions without collecting user data, it is a high-risk threat. Its visibility is heightened because it appears prominently as the fourth result when searching for “Ethereum Wallet,” placing it directly alongside legitimate applications and significantly increasing the likelihood of unwitting installation by users. Researchers have since reached out to Google, requesting the removal of the malicious extension and the suspension of the linked publisher account.
The fake “Safery” wallet is engineered to hide the theft of seed phrases within seemingly normal blockchain transactions. When a user creates a new wallet or imports an existing one, the extension first encodes the sensitive BIP-39 mnemonic phrase. This phrase is converted into a series of synthetic Sui-style addresses. Following this encoding, a tiny microtransaction of 0.000001 SUI is sent to these newly generated recipient addresses using a hardcoded mnemonic belonging to the threat actor. This process is crucial because the attacker can later decode the recipient addresses to fully reconstruct the victim’s original seed phrase, enabling them to completely drain the associated crypto assets from the wallet.
The specific method of exfiltration involves an elaborate covert Sui channel. The process maps each word of the victim’s seed phrase to its corresponding index, packs these indices into a hexadecimal format, and then pads this string to 64 characters with a 0X prefix. A standard twelve-word seed yields one such synthetic address, while a 24-word seed yields two. Because the process executes entirely in the browser’s memory and the seed phrase is hidden within the data of standard-looking blockchain traffic, there is no direct plaintext exfiltration or communication with a command-and-control server.
This sophisticated technique allows for a full wallet takeover once the attacker successfully reconstructs the mnemonic from the transaction data.The discovery highlights a significant and evolving threat landscape where public blockchains are being weaponized as exfiltration channels. This method of seed theft allows attackers to bypass traditional security defenses, as the mnemonic is leaked without relying on identifiable HTTP traffic, specific central C2 infrastructure, or specific domains and URLs. Consequently, security detections that depend on these conventional indicators are ineffective against this type of sophisticated attack.
This method’s ability to switch between different chains and Remote Procedure Call (RPC) endpoints with minimal effort presents a considerable challenge for cybersecurity defenders. Experts now anticipate that this specific technique will be reused by threat actors across various blockchain ecosystems, including Sui, Solana, and multiple Ethereum Virtual Machine (EVM) chains, and integrated into other malicious wallet interfaces. Defenders are urged to adapt their strategies to counter these covert, chain-agnostic seed theft mechanisms rather than relying on chain-specific or extension-specific identifiers.
Reference:
