Chrome Wallet Scam Steals Seed Phrases Through Sui Network

Malicious Safery Extension Uses Hidden Sui Transfers To Take Wallet Mnemonics
Written by: Yusuf Islam
Reviewed by: Shovan Roy

A malicious Chrome extension named Safery: Ethereum Wallet is stealing user seed phrases through hidden blockchain transactions on the Sui network. Security researchers identified the threat after analyzing its setup activity and tracing microtransactions linked to encoded mnemonic data. The extension was uploaded in 2024 with claims of simple and private Ethereum use, yet its internal code reveals a powerful backdoor that exposes user assets through covert transfers.

Hidden Backdoor Inside a Fake Ethereum Wallet

Safery presents itself as a secure Ethereum wallet with device-side key storage and private operations. It allows users to create accounts, import seed phrases, and send ETH using familiar wallet interfaces. The extension also displays balances through public RPC endpoints, offering an experience similar to MetaMask and Enkrypt.

Yet deeper inspection by Socket’s Threat Research Team reveals secret exfiltration during wallet setup. The malware encodes mnemonics as fake Sui wallet addresses using a synthetic formatting method. Then it sends tiny amounts of SUI to those addresses from a fixed attacker wallet. Each transaction transfers 0.000001 SUI, making the activity appear harmless.

The attacker later reviews the transactions and decodes each recipient address. This process restores the original seed phrase and grants full access to user funds. The method removes the need for any command-and-control servers and uses normal blockchain behavior to hide the theft. It also shifts risk to users who trust extensions without proper verification.

Investigators Warn of Chain-Based Data Exfiltration

Security researcher Kirill Boychenko says the extension uses the Sui network to export mnemonics without visible traffic. The approach allows threat actors to avoid domains or URLs that defenders monitor. It also helps them switch to different chains or RPC endpoints with minimal effort.

This method may appear benign because the wallet executes microtransactions during setup. Yet these small transfers contain critical encoded data. Analysts note that this technique blends into public blockchain activity and bypasses many extension scanning tools. It also lets attackers monitor the chain for new seed phrases at any time.

As more extensions adopt multi-chain features, defenders face increased challenges. The tactic can also be reused across Solana and EVM networks. Therefore, the rise of chain-based exfiltration raises an important question: how can users identify hidden risks when malicious tools mimic trusted products so closely?

Security Teams Urge Stronger User and Defender Practices

Researchers advise users to install only trusted wallet extensions from verified publishers. They also warn users to review extension pages for missing reviews, strange branding, and suspicious developer information. Safery displayed several warning signs, including grammatical errors, a Gmail developer address, and no official website.

Defenders are urged to scan browser extensions for mnemonic encoders, synthetic address generators, and hard-coded seed phrases. They should also flag extensions that write on-chain during seed import or account creation. Additionally, teams should monitor browser-based RPC traffic and watch for unexpected calls to unfamiliar chains.

Users are also encouraged to monitor their wallets for microtransactions. Even small transfers may contain encoded data sent to threat actors. Careful oversight remains critical because malicious tools can hide theft within normal blockchain operations and exploit user trust in simple wallet interfaces.
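As an added defender-side illustration (not code from the Socket research or from this article), the following Python flags the on-chain pattern the report describes: a single fixed sender making 0.000001 SUI (1000 MIST) transfers to many distinct, freshly seen addresses in a short span. The `Transfer` record shape, the thresholds and the sample transfers are constructed assumptions, not real chain data.

```python
from collections import defaultdict
from dataclasses import dataclass

MIST_PER_SUI = 1_000_000_000   # 1 SUI = 10^9 MIST (Sui's smallest unit)
DUST_LIMIT_MIST = 1_000        # 0.000001 SUI, the per-transfer amount reported above


@dataclass(frozen=True)
class Transfer:
    sender: str
    recipient: str
    amount_mist: int
    timestamp: int  # unix seconds


def flag_dust_fanout(transfers, min_recipients=4, window_s=600):
    """Flag senders that push dust-sized transfers to many distinct recipients
    inside a short window. Returns {sender: sorted list of recipients}."""
    by_sender = defaultdict(list)
    for t in transfers:
        if t.amount_mist <= DUST_LIMIT_MIST:
            by_sender[t.sender].append(t)
    flagged = defaultdict(set)
    for sender, txs in by_sender.items():
        txs.sort(key=lambda t: t.timestamp)
        lo = 0
        for hi in range(len(txs)):
            # slide the window start forward until it spans at most window_s
            while txs[hi].timestamp - txs[lo].timestamp > window_s:
                lo += 1
            recips = {t.recipient for t in txs[lo:hi + 1]}
            if len(recips) >= min_recipients:
                flagged[sender].update(recips)
    return {s: sorted(r) for s, r in flagged.items()}


# Constructed sample data (not real on-chain records): one "attacker" wallet
# fanning 1000 MIST out to six fresh addresses, plus ordinary activity.
ATTACKER = "0x" + "a" * 64
FRESH = ["0x" + f"{i:064x}" for i in range(1, 7)]
SAMPLE = [Transfer(ATTACKER, FRESH[i], 1_000, 1_700_000_000 + 30 * i) for i in range(6)]
SAMPLE += [
    Transfer("0x" + "b" * 64, "0x" + "c" * 64, 2 * MIST_PER_SUI, 1_700_000_100),  # normal payment
    Transfer("0x" + "d" * 64, "0x" + "e" * 64, 500, 1_700_000_200),               # two dust tips,
    Transfer("0x" + "d" * 64, "0x" + "f" * 64, 500, 1_700_000_260),               # not a fan-out
]

if __name__ == "__main__":
    for sender, recips in flag_dust_fanout(SAMPLE).items():
        print(f"dust fan-out from {sender[:10]}... to {len(recips)} addresses")
```

The thresholds are starting points; tune `min_recipients` and `window_s` against a baseline of legitimate dust activity on the chain you monitor before acting on alerts.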

Conclusion

The investigation shows that the Safery Chrome extension steals seed phrases by encoding mnemonics into Sui network transactions. The threat actor uses these microtransactions to rebuild wallet keys and take funds. Users should install only verified wallet extensions and monitor all activity to prevent similar seed phrase theft attempts.

Analytics Insight: Latest AI, Crypto, Tech News & Analysis
www.analyticsinsight.net