Fake Chrome Extension “Safery” Steals Ethereum Wallet Seed Phrases Using Sui Blockchain

Nov 13, 2025 | Ravie Lakshmanan | Browser Security / Threat Intelligence

Cybersecurity researchers recently discovered a malicious Chrome extension masquerading as a legitimate Ethereum wallet. The extension, named “Safery: Ethereum Wallet,” was uploaded to the Chrome Web Store on September 29, 2025, and has been updated as recently as November 12. Behind its legitimate-looking appearance, the extension harbors a backdoor capable of exfiltrating users’ seed phrases.

The threat actor behind the extension describes it as a “secure wallet for managing Ethereum cryptocurrency with flexible settings.” The extension’s malicious functionality involves encoding the stolen seed phrases into fake Sui addresses and then using microtransactions from a threat actor-controlled Sui wallet to broadcast them.

According to Socket security researcher Kirill Boychenko, the malware within the extension is specifically designed to steal wallet mnemonic phrases by encoding them as fake Sui wallet addresses and sending microtransactions to them from the attacker-controlled wallet. This technique allows the threat actor to monitor the blockchain, decode the addresses back to seed phrases, and ultimately drain victims’ funds.

Koi Security also noted in their analysis that the extension’s end goal is to smuggle the seed phrase inside seemingly normal blockchain transactions without the need for a command-and-control server. To mitigate the risk posed by this threat, users are advised to only use trusted wallet extensions and scan for mnemonic encoders, synthetic address generators, and hard-coded seed phrases.

Boychenko also emphasized the importance of being cautious with unexpected blockchain RPC calls from browsers, especially when the product claims to be single-chain. Defenders are urged to remain vigilant and implement measures to detect and block malicious activities from browser extensions.
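
A static check for the indicators named above (hard-coded seed phrases, mnemonic handling, and RPC use for a chain the product does not claim to support), written here as an added example and not taken from Socket's or Koi Security's tooling. The rule names, regex heuristics, chain markers and sample sources are assumptions constructed for illustration.

```javascript
// Added example: heuristic scan of unpacked extension sources (patterns are illustrative).
// Quoted literal shaped like a BIP-39 phrase: 12/15/18/21/24 lowercase words of 3-8 letters.
const SEED_LITERAL = /(["'`])((?:[a-z]{3,8} ){11}(?:(?:[a-z]{3,8} ){3}){0,4}[a-z]{3,8})\1/g;
// Identifiers commonly seen where code parses or converts a mnemonic.
const MNEMONIC_API = /mnemonicToEntropy|mnemonicToSeed|validateMnemonic|wordlists?\b/i;
// Markers of chain-specific RPC use; extend per chain. Sui JSON-RPC methods start sui_/suix_.
const CHAIN_MARKERS = {
  sui: /\bsuix?_[A-Za-z]+|@mysten\/sui|\bsui\.io\b/,
};

// files: { path: sourceText }; declaredChains: chains the listing claims to support.
function scanExtension(files, declaredChains) {
  const findings = [];
  const undeclared = new Set();
  let touchesMnemonic = false;
  for (const [path, src] of Object.entries(files)) {
    for (const m of src.matchAll(SEED_LITERAL)) {
      findings.push({ rule: "hardcoded-seed-phrase", path, words: m[2].split(" ").length });
    }
    if (MNEMONIC_API.test(src)) touchesMnemonic = true;
    for (const [chain, re] of Object.entries(CHAIN_MARKERS)) {
      if (!declaredChains.includes(chain) && re.test(src)) {
        undeclared.add(chain);
        findings.push({ rule: "undeclared-chain-rpc", path, chain });
      }
    }
  }
  // Strongest signal: mnemonic handling and an undeclared chain in the same package.
  if (touchesMnemonic && undeclared.size > 0) {
    findings.push({ rule: "mnemonic-plus-undeclared-chain", path: "*", chain: [...undeclared].join(",") });
  }
  return findings;
}

// Constructed sample sources (not taken from the Safery extension).
const SAMPLE = {
  "wallet.js": `import { mnemonicToEntropy } from "bip39";
fetch("https://fullnode.mainnet.sui.io:443", { method: "POST", body: rpc("sui_getObject") });`,
  "fixture.js": `const SEED = "${"sample ".repeat(11)}words";`,
};

for (const f of scanExtension(SAMPLE, ["ethereum"])) console.log(JSON.stringify(f));
```

The seed-literal rule matches on shape only, so a finding still needs a check against the BIP-39 wordlist before it is treated as a real phrase.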