Cybersecurity researchers have uncovered a malicious Chrome extension that poses as a legitimate Ethereum wallet but harbors functionality to exfiltrate users’ seed phrases. The extension, called “Safery: Ethereum Wallet,” is presented by its creators as a “secure wallet for managing Ethereum cryptocurrency with flexible settings.” Despite its harmful design, it remains available on the Chrome Web Store, where it was initially uploaded on September 29, 2025, and most recently updated on November 12.
According to Socket security researcher Kirill Boychenko, “Marketed as a simple, secure Ethereum (ETH) wallet, it contains a backdoor that exfiltrates seed phrases by encoding them into Sui addresses and broadcasting microtransactions from a threat actor-controlled Sui wallet.” The hidden malware embedded within the extension operates by harvesting users’ mnemonic phrases and transforming them into fabricated Sui wallet addresses. From there, it initiates microtransactions—specifically sending 0.000001 SUI—from a hard-coded attacker-controlled wallet to these synthetic addresses.
The threat actor’s objective is to covertly embed victims’ seed phrases into what appear to be routine blockchain transactions. This technique eliminates the need for a traditional command-and-control server, reducing the likelihood of detection. Once the series of microtransactions is completed, the attacker can decode the artificially generated recipient addresses, reconstruct the original seed phrase, and ultimately empty the victim’s crypto holdings.
Koi Security, which also analyzed the malicious extension, explains the mechanism succinctly: “This extension steals wallet seed phrases by encoding them as fake Sui addresses and sending micro-transactions to them from an attacker-controlled wallet, allowing the attacker to monitor the blockchain, decode the addresses back to seed phrases, and drain victims’ funds.”
To mitigate the threat, experts strongly recommend that crypto users rely only on verified and widely trusted wallet extensions. Security teams are advised to inspect browser add-ons for hidden mnemonic encoders, anomalous address-generation routines, and embedded seed phrases. They should also flag extensions that interact with the blockchain during wallet setup, as this behavior is highly unusual for legitimate tools.
Boychenko emphasizes that this evasion tactic is particularly dangerous: “This technique lets threat actors switch chains and RPC endpoints with little effort, so detections that rely on domains, URLs, or specific extension IDs will miss it. Treat unexpected blockchain RPC calls from the browser as high signal, especially when the product claims to be single chain.”
The discovery highlights the growing sophistication of browser-based crypto threats and underscores the need for heightened vigilance when installing wallet-related extensions.
