Beware! Malicious Ethereum wallet extension steals seed phrases through Sui micropayments.
The blockchain security platform Socket released a report on November 13, 2025 revealing that a malicious Chrome extension named “Safery: Ethereum Wallet” steals users' seed phrases with an unusual exfiltration method. The extension ranks fourth in Chrome Web Store search results for “Ethereum Wallet” and leaks data by encoding the victim's BIP-39 mnemonic into synthetic Sui blockchain addresses and sending a microtransaction of 0.000001 SUI to each of them. It had been live since its upload on September 29 and was still available for download when the report was published. Its warning signs (zero user reviews, grammatical errors in the branding, and a Gmail developer account) should have raised users' suspicion.
Distribution Channels and Camouflage Strategies of the Malicious Extension
“Safery: Ethereum Wallet” was uploaded to the Chrome Web Store on September 29, 2025. Through search engine optimization it quickly rose to fourth place in the results for the keyword “Ethereum Wallet”, behind only legitimate wallets such as MetaMask, Wombat, and Enkrypt. The attacker carefully designed the icon and description, using a blue-themed interface similar to legitimate wallets and promotional phrases such as “safe and reliable”. The misspelled brand name “Safery” (presumably intended as “Safety”) is the first identifying mark.
The extension's store listing shows that the developer's contact address is a free Gmail account rather than a corporate domain, the description contains multiple grammatical errors, and, most tellingly, the extension received no user reviews at all during its 45 days online. Together these are textbook red flags. Google's policy is that the Chrome Web Store runs automated security scans on extensions, yet this exfiltration method clearly passed them. As of November 13 Google had not removed the extension, and the update history shows the attacker was still refining the code on November 12.
Technical Analysis of the Data Theft Mechanism
Unlike conventional malware that ships stolen data to a command-and-control server, this extension uses a highly covert exfiltration channel: the blockchain itself. When a user creates a new wallet or imports an existing one, the extension captures the full BIP-39 seed phrase and encodes the 12 or 24 words into what look like ordinary Sui addresses. It then sends a microtransaction of 0.000001 SUI (1,000 MIST, worth a negligible fraction of a cent) to each fabricated address. Because the transaction is sent on a different chain, from a wallet the attacker controls rather than the victim's, nothing appears in the victim's Ethereum balance or history; it also means the extension must carry the signing key for that attacker wallet.
Socket security researcher Kirill Boychenko explained that the technique essentially turns a public blockchain into a data transmission layer: the attacker only has to watch the Sui chain for transactions from their own wallet and decode the recipient addresses to recover the original seed phrases. The amounts are tiny and blend into normal traffic, so ordinary users are very unlikely to notice. Worse, the attack evades traditional network monitoring, because the exfiltration consists of legitimate-looking RPC calls to public blockchain endpoints that firewalls and antivirus software do not flag. There is a further consequence for the victim: the encoded seed phrases are written permanently to a public ledger, so anyone who reverse-engineers the encoding, not just the attacker, can recover every affected wallet, and the exposure can never be withdrawn.
Summary of the malicious extension's attack features
Extension name: Safery: Ethereum Wallet
Upload date: September 29, 2025
Last updated: November 12, 2025
Chrome Web Store ranking: fourth (search for “Ethereum Wallet”)
Attack method: seed phrase encoded into synthetic Sui addresses, leaked via dust transfers
Transaction amount: 0.000001 SUI
Target of theft: BIP-39 mnemonic phrase
Identifying features: zero reviews, grammatical errors, Gmail developer account
Current status: still available for download (as of November 13)
User Identification and Prevention Guide
For ordinary users, recognizing such malicious extensions comes down to a few principles. First, install wallet extensions only via the link on the project's official website, not from store search results, since search ranking is exactly what this attacker gamed; and prefer extensions with a large body of genuine reviews (MetaMask has over 10 million users and a 4.8-star rating, while malicious extensions usually have very few). Second, check the developer details: legitimate projects use corporate email addresses and professional websites, not free webmail. Third, look for brand consistency; spelling errors and sloppy design are warning signs.
Operationally, security experts recommend layered protection. Before installing a new extension, check its package hash with a scanner such as VirusTotal; regularly review the permissions of installed extensions for changes; and keep large holdings in a hardware wallet rather than storing private keys in a browser extension. Anyone who suspects they installed this extension should treat every seed phrase ever entered into it as permanently compromised: generate a new wallet on a clean device or hardware wallet (never inside the affected browser), move the assets there immediately, and then run a full system scan. Koi Security further suggests monitoring all blockchain transactions, especially unusual outgoing amounts, as these may indicate that attackers are testing their access.
Industry Response and the Evolution of Detection Technology
In the face of this new type of attack, security vendors are developing targeted detection. Traditional methods that rely on domain names, URLs, or extension IDs are no longer sufficient, because the attacker uses nothing but legitimate blockchain infrastructure. The approaches Socket proposes include monitoring for unexpected blockchain RPC calls from the browser, identifying mnemonic encoding patterns, and detecting synthetic address generation. In particular, any outgoing transaction initiated during wallet creation or import should be treated as high-risk regardless of its amount. A simpler signal also applies here: an extension that advertises itself as an Ethereum wallet has no legitimate reason to sign and broadcast Sui transactions at all, so RPC traffic to a chain the product does not claim to support is itself an anomaly worth alerting on.
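The two ideas above, the channel capacity behind the data theft mechanism and the detection heuristics Socket proposes, as an added JavaScript illustration that is neither Socket's nor the extension's code. The packing scheme is an assumption chosen for illustration (twelve 11-bit BIP-39 word indices left-aligned in a 256-bit Sui-style address), not the real extension's algorithm; the wordlist is a 12-entry slice of the English BIP-39 list, and the event log the detector runs over is constructed.

```javascript
// Added illustration, not code from Socket or from the malicious extension.
// Part 1: a 12-word BIP-39 mnemonic is 12 x 11-bit indices = 132 bits, which fits
// in one 32-byte (256-bit) Sui-style address with 124 bits to spare; a 24-word
// mnemonic (264 bits) would need two addresses. The packing used here is an
// ASSUMED, naive scheme for illustration, not the extension's real algorithm.
// Part 2: two detection heuristics for a monitor watching an extension's
// outgoing transfers: timing relative to seed handling, and low-entropy padding.

// Partial wordlist: the first 12 entries (indices 0..11) of the English BIP-39
// list; the remaining 2036 entries are assumed.
const WORDLIST = ['abandon', 'ability', 'able', 'about', 'above', 'absent',
  'absorb', 'abstract', 'absurd', 'abuse', 'access', 'accident'];
const ADDRESS_BITS = 256;
const PAYLOAD_BITS = 11 * 12;

function mnemonicToIndices(mnemonic) {
  return mnemonic.trim().split(/\s+/).map((w) => {
    const i = WORDLIST.indexOf(w);
    if (i < 0) throw new Error(`word not in partial wordlist: ${w}`);
    return i;
  });
}

// Pack indices MSB-first, then left-align them in 256 bits (zero padding).
function packToAddress(indices) {
  if (indices.length !== 12) throw new Error('illustration covers 12-word mnemonics');
  let bits = 0n;
  for (const i of indices) bits = (bits << 11n) | BigInt(i);
  const padded = bits << BigInt(ADDRESS_BITS - PAYLOAD_BITS);
  return '0x' + padded.toString(16).padStart(64, '0');
}

// What the attacker (or anyone reading the chain) does to recover the words.
function unpackFromAddress(addr) {
  let bits = BigInt(addr) >> BigInt(ADDRESS_BITS - PAYLOAD_BITS);
  const out = [];
  for (let k = 0; k < 12; k++) {
    out.unshift(Number(bits & 0x7ffn));
    bits >>= 11n;
  }
  return out;
}

// Real Sui addresses are hash outputs, so long runs of zero bits are vanishingly
// unlikely; a naively padded synthetic address stands out. An attacker can
// randomise the padding, so this is supporting evidence, not a primary signal.
function trailingZeroBits(addr) {
  let v = BigInt(addr);
  if (v === 0n) return ADDRESS_BITS;
  let n = 0;
  while ((v & 1n) === 0n) { v >>= 1n; n++; }
  return n;
}

// Primary signal, per the text: any outgoing transfer shortly after wallet
// creation/import is high-risk regardless of amount. Events are what a
// browser-side monitor could log: {type, t (ms), to, amountMist}.
function flagSuspiciousTransfers(events, windowMs = 60_000) {
  const seen = new Set();
  let lastSeedEvent = null;
  const alerts = [];
  for (const ev of events) {
    if (ev.type === 'wallet_create' || ev.type === 'wallet_import') {
      lastSeedEvent = ev;
      continue;
    }
    if (ev.type !== 'transfer') continue;
    const reasons = [];
    if (lastSeedEvent && ev.t - lastSeedEvent.t <= windowMs) {
      reasons.push('outgoing transfer within window after seed handling');
    }
    if (trailingZeroBits(ev.to) >= 64) {
      reasons.push('recipient has implausibly low-entropy tail (synthetic address?)');
    }
    if (reasons.length > 0) {
      if (!seen.has(ev.to)) reasons.push('recipient never seen before');
      alerts.push({ t: ev.t, to: ev.to, amountMist: ev.amountMist, reasons });
    }
    seen.add(ev.to);
  }
  return alerts;
}

// Constructed sample: a normal 5 SUI transfer, then a wallet import followed
// 2 s later by a 1,000 MIST (0.000001 SUI) dust transfer to a synthetic address.
const SAMPLE_MNEMONIC = 'abandon ability able about above absent absorb abstract absurd abuse access accident';
const SYNTHETIC_ADDR = packToAddress(mnemonicToIndices(SAMPLE_MNEMONIC));
const SAMPLE_EVENTS = [
  { type: 'transfer', t: 0, to: '0x7a3f9c2e1b4d8a6f0e5c3b2a1d9f8e7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e', amountMist: 5_000_000_000n },
  { type: 'wallet_import', t: 100_000 },
  { type: 'transfer', t: 102_000, to: SYNTHETIC_ADDR, amountMist: 1_000n },
];

console.log(flagSuspiciousTransfers(SAMPLE_EVENTS));
```

Only the dust transfer is flagged, and it is flagged on timing alone; the padding and never-seen-recipient checks merely strengthen the verdict. That ordering is deliberate: the timing rule survives an attacker who randomises padding or reuses addresses, whereas the entropy heuristic does not.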
Technically, defending against such attacks requires a joint effort by browser vendors, security companies, and blockchain projects. The Chrome Web Store needs stronger static and dynamic analysis of extension code, with particular attention to blockchain API calls. Security software should add behavioural detections for seed-phrase exfiltration rather than relying on signature databases alone. Blockchain projects could also consider detecting abnormal transaction patterns at the node level, although this may conflict with decentralization principles.
Evolution of Blockchain Security Threats
From phishing sites stealing private keys in 2017, to clipboard-hijacking trojans swapping addresses in 2021, to today's exfiltration through microtransactions, blockchain security threats keep evolving. Leaking data over a legitimate blockchain network is a new pattern: attackers now use the immutability and pseudonymity of the chain as tools of the attack. Compared with traditional attacks, this method needs no C&C server, is hard to attribute, and its data transfer consists entirely of valid transactions. The same public ledger cuts both ways, however: the attacker's funding wallet and every dust transfer it sends are permanently visible, which gives defenders a durable indicator to watch and gives exchanges a wallet to flag.
Historical data shows that asset losses from wallet security incidents exceed $1 billion annually, with the share of browser-extension-related incidents rising from 15% in 2023 to 30% in 2025. The growth reflects a shift in attacker strategy: as hardware wallets become common, attacking cold storage directly gets harder, so attention moves to hot-wallet extensions with weaker protections. Notably, several recent malicious extensions have copied MetaMask's UI, but subtle differences can still give them away.
Best Practices for Personal Digital Asset Security
To keep digital assets secure, users should build systematic habits. First, tier your storage: a mobile light wallet for small everyday transactions, a browser extension backed by a hardware signer for medium amounts, and a multi-signature cold wallet for large holdings. Second, isolate operations: use a dedicated device for wallet activity and do not mix it with everyday browsing. Third, audit regularly: review token approvals, transaction history, and extension permissions.
For enterprise users, it is advisable to deploy a dedicated security monitoring system to track browser extensions installed by employees and set up a blockchain transaction alert mechanism. Large transfers should require multi-person authorization, and the receiving address must go through a verification process. In addition, conduct regular social engineering attack training for employees to enhance their ability to identify phishing emails and fake websites. On a technical level, consider using a smart contract wallet to reduce single point of failure risks through daily limits and trusted contact mechanisms.
Industry Collaboration and Regulatory Response Requirements
Addressing such threats requires collaboration across the industry. Browser vendors should adopt stricter extension review and apply extra scrutiny to extensions that access blockchain APIs. Security companies need to share threat intelligence and maintain a repository of malicious extension characteristics. Blockchain projects could consider protocol-level transaction tagging so that users can blacklist suspicious addresses.
From a regulatory perspective, jurisdictions may tighten requirements on cryptocurrency wallet applications, including mandatory code audits, developer identity verification, and insurance. The EU's MiCA regulation sets baseline requirements for custodial wallet providers, but self-custody wallet software of the kind discussed here largely falls outside its scope, and enforcement details are still being worked out. In the long run, the industry needs fraud detection and fund recovery mechanisms comparable to traditional finance, even though these sit uneasily with the decentralized nature of crypto assets.
Security Outlook
When attackers begin to use the blockchain itself as an attack medium, and microtransactions become exfiltration channels, the challenge is conceptual as well as technical. What is unsettling about this attack is not its complexity but that it overturns the assumption that “blockchain transactions are safe”: the transactions here are perfectly valid; it is their contents that are hostile. On the road to mainstream adoption, security has always been the crypto world's weakest link. The “Safery” incident is a reminder that trusting code also requires systematic verification. In the world of digital assets, security is not a feature but a foundation.