

Beware of 'Safery': Fake Chrome Extension Steals Ethereum Seed Phrases
Nov 15, 2025
A newly discovered malicious Chrome extension, masquerading as a legitimate Ethereum wallet, has been found to secretly steal users' seed phrases. The extension, named "Safery: Ethereum Wallet," was available on the Chrome Web Store and posed a significant threat to cryptocurrency holders by exfiltrating sensitive wallet recovery information.
Key Takeaways
A fake Chrome extension named "Safery: Ethereum Wallet" has been identified.
The extension steals Ethereum wallet seed phrases.
It uses the Sui blockchain to exfiltrate data by encoding seed phrases into fake Sui addresses.
The stolen information allows attackers to drain victims' cryptocurrency assets.
Users are advised to exercise caution and stick to trusted wallet extensions.
The 'Safery' Deception
The "Safery: Ethereum Wallet" extension was uploaded to the Chrome Web Store on September 29, 2025, and received updates as recently as November 12. It presented itself as a secure and simple wallet for managing Ethereum (ETH) cryptocurrency, offering features similar to popular wallets like MetaMask. Users were led to believe it provided privacy and device-side key storage.
A Covert Blockchain-Based Exfiltration Technique
Beneath its legitimate-looking facade, the extension harbored a sophisticated backdoor. Cybersecurity researchers discovered that when a user imported or created a wallet, the malware encoded the BIP-39 mnemonic seed phrase into one or two synthetic Sui-style addresses. This was achieved by converting each word of the seed phrase into its corresponding index, packing these indices into a hexadecimal string, and then formatting it as a valid Sui blockchain address.
The threat actor controlled a specific Sui wallet from which tiny microtransactions of 0.000001 SUI were sent to these encoded recipient addresses. Because the destination fields of these transactions contained the embedded mnemonic data, the attacker could later decode them to reconstruct the victim's original seed phrase. This method allowed for data exfiltration entirely on-chain, disguised within normal-looking blockchain activity, and bypassed the need for traditional command-and-control (C2) servers or HTTP traffic, making it difficult to detect through conventional network monitoring.
Risks and Defensive Measures
Once an attacker recovers a user's seed phrase, they can instantly duplicate the wallet, derive the Ethereum private keys, and transfer assets without the user's knowledge. The extension remained available on the Chrome Web Store at the time of discovery, prompting security researchers to submit a takedown request to Google.
Security experts strongly advise users to only install browser wallet extensions from verified publishers. It is also recommended to monitor extensions for suspicious blockchain calls, especially those that write to the chain during wallet creation or import, use hardcoded seeds, or contain mnemonic encoder logic. Treating unexpected blockchain RPC calls from the browser as a high-risk signal is crucial, particularly when the product claims to be single-chain.
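One way to apply the monitoring advice above, as an added example that is not from the original article or the researchers' tooling: it triages JSON-RPC request bodies captured from a wallet extension and flags calls to a chain the product does not declare, as well as chain writes made during wallet creation or import. The record shape, the `ui` labels and the sample capture are assumptions constructed for illustration.

```javascript
// Added example: triage JSON-RPC bodies captured from a wallet extension.
// Method families per chain; Sui's JSON-RPC methods use sui_/suix_/unsafe_.
const CHAIN_PREFIXES = {
  ethereum: ["eth_", "net_", "web3_"],
  sui: ["sui_", "suix_", "unsafe_"],
};
// Methods that submit a transaction, i.e. write to the chain.
const WRITE_METHODS = new Set([
  "eth_sendTransaction", "eth_sendRawTransaction", "sui_executeTransactionBlock",
]);
// Assumed labels for what the user was doing when the request fired.
const SETUP_UI = new Set(["wallet_create", "wallet_import"]);

function chainOf(method) {
  for (const [chain, prefixes] of Object.entries(CHAIN_PREFIXES)) {
    if (prefixes.some((p) => method.startsWith(p))) return chain;
  }
  return "unknown"; // unrecognised families are treated as undeclared
}

function triage(declaredChain, records) {
  const findings = [];
  for (const rec of records) {
    let calls;
    try {
      const parsed = JSON.parse(rec.body);
      calls = Array.isArray(parsed) ? parsed : [parsed]; // handle batches
    } catch {
      continue; // body is not JSON, so not a JSON-RPC call
    }
    for (const call of calls) {
      if (!call || typeof call.method !== "string") continue;
      const reasons = [];
      if (chainOf(call.method) !== declaredChain) reasons.push("undeclared-chain");
      if (WRITE_METHODS.has(call.method) && SETUP_UI.has(rec.ui)) reasons.push("write-during-setup");
      if (reasons.length === 0) continue;
      findings.push({ method: call.method, ui: rec.ui, reasons,
        severity: reasons.length > 1 ? "high" : "medium" });
    }
  }
  return findings;
}

// Constructed sample capture (not real traffic from the extension).
const SAMPLE = [
  { ui: "idle", body: '{"jsonrpc":"2.0","id":1,"method":"eth_getBalance","params":[]}' },
  { ui: "wallet_import", body: '{"jsonrpc":"2.0","id":2,"method":"sui_executeTransactionBlock","params":[]}' },
  { ui: "idle", body: '[{"jsonrpc":"2.0","id":3,"method":"suix_getBalance","params":[]}]' },
  { ui: "wallet_create", body: '{"jsonrpc":"2.0","id":4,"method":"eth_sendRawTransaction","params":[]}' },
];
console.log(triage("ethereum", SAMPLE));
```

A Sui transaction submitted while the user is importing a wallet into an Ethereum-only product matches both rules and is rated high; either signal alone is rated medium for analyst review.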
Sources
Fake Chrome Extension "Safery" Steals Ethereum Wallet Seed Phrases Using Sui Blockchain, The Hacker News.
Chrome Extension Threat Enables Full Ethereum Wallet Compromise, Cyber Press.