Fake Chrome Extension Safery Steals Ethereum Wallet Seed Phrases via Sui Blockchain

Cybersecurity researchers have discovered a malicious Chrome extension masquerading as a legitimate Ethereum wallet that secretly steals users’ seed phrases through an advanced blockchain-based exfiltration technique.

The extension, named “Safery: Ethereum Wallet,” was falsely promoted as a secure Ethereum wallet for managing cryptocurrency with customizable settings. It was first uploaded to the Chrome Web Store on September 29, 2025, and last updated on November 12, 2025. Despite its malicious intent, it remains available for download at the time of reporting.

According to Socket security researcher Kirill Boychenko, the extension’s code includes a backdoor that extracts users’ mnemonic seed phrases by encoding them as Sui blockchain addresses. It then performs microtransactions from a wallet controlled by the attacker, embedding the encoded seed phrases directly into blockchain activity.

Essentially, the malicious add-on hides stolen seed phrases inside what appear to be legitimate blockchain transactions, eliminating the need for a traditional command-and-control (C2) server. After the transactions are broadcast, the attacker can decode the Sui wallet addresses to reconstruct the victim’s seed phrase and gain access to their funds.

A report from Koi Security further explains:

“This extension steals wallet seed phrases by encoding them as fake Sui addresses and sending microtransactions to them from an attacker-controlled wallet. The attacker can then monitor the blockchain, decode the addresses, and drain victims’ assets.”

This unique attack method makes it harder to detect because it leverages the blockchain itself as a data exfiltration channel. By avoiding centralized infrastructure, it also reduces the chances of the threat actor being easily identified or blocked.

To defend against such threats, experts recommend:

  • Only use trusted and verified wallet extensions from reputable developers.
  • Scan extensions for signs of mnemonic encoders, fake address generators, or hard-coded seed phrases.
  • Block extensions that write data to the blockchain during wallet setup or import.

Boychenko warns that this method gives attackers flexibility:

“This technique lets threat actors switch blockchains and RPC endpoints easily, so detections based only on domains, URLs, or extension IDs will fail. Treat unexpected blockchain RPC calls from browsers as high-risk, especially when the wallet claims to support a single chain.”
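The scanning advice above (look for mnemonic encoders, fake address generators and hard-coded seed phrases, and treat Sui RPC activity from an "Ethereum-only" wallet as high-risk) can be turned into a static check over an unpacked extension. The following Python scanner is an added example, not the researchers' tooling or anything taken from the extension itself; its rule names, thresholds and the constructed sample bundle are this example's own assumptions. The Sui address shape (0x plus 64 hex characters), the public fullnode hosts and the `sui_executeTransactionBlock` JSON-RPC method are real Sui conventions.

```python
"""Static indicator scan for an unpacked browser-extension wallet.

Added example (not the researchers' tooling). It looks for the artefacts the
article names: a bundled BIP39 wordlist (a mnemonic encoder needs one), Sui
address-shaped literals, Sui JSON-RPC usage, seed-phrase-shaped string
literals, and a manifest that advertises Ethereum while requesting Sui hosts.
Rule names and thresholds are this example's own assumptions.
"""
import json
import re
from pathlib import Path
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (rule id, detail)

# Sui addresses are 32 bytes, written as 0x followed by 64 hex characters.
SUI_ADDRESS_RE = re.compile(r"\b0x[0-9a-fA-F]{64}\b")
# Public Sui fullnode hosts and the JSON-RPC method that broadcasts a transaction.
SUI_RPC_MARKERS = ("fullnode.mainnet.sui.io", "fullnode.testnet.sui.io",
                   "sui_executeTransactionBlock")
# A quoted run of exactly 12 or 24 lowercase words is shaped like a seed phrase.
MNEMONIC_RE = re.compile(
    r"""["'`]((?:[a-z]{3,8} ){11}[a-z]{3,8}|(?:[a-z]{3,8} ){23}[a-z]{3,8})["'`]""")
# One quoted lowercase word, as it appears inside a wordlist array literal.
QUOTED_WORD_RE = re.compile(r"""["'][a-z]{3,8}["']""")


def scan_source(text: str) -> List[Finding]:
    """Apply the content rules to the text of one JavaScript file."""
    findings: List[Finding] = []
    # The English BIP39 list has 2048 entries, starts with "abandon" and ends
    # with "zoo"; all three together point at a bundled mnemonic wordlist.
    if (re.search(r"""["']abandon["']""", text)
            and re.search(r"""["']zoo["']""", text)
            and len(QUOTED_WORD_RE.findall(text)) >= 2000):
        findings.append(("bip39_wordlist", "bundled 2048-word BIP39 list"))
    for addr in SUI_ADDRESS_RE.findall(text):
        findings.append(("sui_address_literal", addr))
    for marker in SUI_RPC_MARKERS:
        if marker in text:
            findings.append(("sui_rpc_usage", marker))
    for m in MNEMONIC_RE.finditer(text):
        # Heuristic only: confirm each word against the BIP39 list before acting.
        findings.append(("mnemonic_shaped_literal", m.group(1)[:40] + "..."))
    return findings


def scan_manifest(manifest: Dict) -> List[Finding]:
    """Flag a wallet whose listing says Ethereum but whose manifest asks for Sui hosts."""
    listing = " ".join(str(manifest.get(k, "")) for k in ("name", "description")).lower()
    # MV3 keeps hosts in host_permissions; MV2 mixed them into permissions.
    hosts = list(manifest.get("host_permissions", [])) + list(manifest.get("permissions", []))
    sui_hosts = [str(h) for h in hosts if "sui.io" in str(h)]
    if sui_hosts and "ethereum" in listing and not re.search(r"\bsui\b", listing):
        return [("chain_mismatch", "Ethereum-only listing requests " + ", ".join(sui_hosts))]
    return []


def scan_extension(root: Path) -> Dict[str, List[Finding]]:
    """Walk an unpacked extension directory and collect findings per file."""
    report: Dict[str, List[Finding]] = {}
    manifest_path = root / "manifest.json"
    if manifest_path.is_file():
        found = scan_manifest(json.loads(manifest_path.read_text(encoding="utf-8")))
        if found:
            report["manifest.json"] = found
    for js in sorted(root.rglob("*.js")):
        found = scan_source(js.read_text(encoding="utf-8", errors="replace"))
        if found:
            report[str(js.relative_to(root))] = found
    return report


if __name__ == "__main__":
    # Constructed sample, not the real extension's code: an "Ethereum" wallet
    # bundle that talks to Sui and carries a seed-phrase-shaped literal.
    SAMPLE_JS = (
        'const RPC = "https://fullnode.mainnet.sui.io:443";\n'
        'const to = "0x' + "ab" * 32 + '";\n'
        'const demo = "alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima";\n'
    )
    for rule, detail in scan_source(SAMPLE_JS):
        print(f"{rule:24} {detail}")
```

Run `scan_extension(Path("/path/to/unpacked-extension"))` against a directory produced by unzipping a `.crx`; any `sui_rpc_usage` or `chain_mismatch` hit in a wallet that only claims Ethereum support is the "unexpected blockchain RPC call" the researcher describes, and `bip39_wordlist` together with `sui_address_literal` is the combination a mnemonic-to-address encoder needs. The mnemonic rule is deliberately a shape check; confirm each word against the BIP39 list before treating a hit as a hard-coded seed phrase.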

This discovery highlights a growing trend of browser-based cryptocurrency threats that blend social engineering with blockchain abuse to evade traditional detection systems.