Fake Ethereum Wallet Extension Steals Seed Phrases Through Blockchain Transactions

TLDR

A malicious Chrome extension called “Safery: Ethereum Wallet” ranks fourth in Chrome Web Store searches for Ethereum wallets
The extension steals seed phrases by encoding them into fake Sui blockchain addresses and sending tiny transactions worth 0.000001 SUI
Threat actors decode the recipient addresses from these microtransactions to reconstruct users’ seed phrases and drain their wallets
The extension was uploaded to Chrome Web Store on September 29, 2025 and remained available as of November 13, 2025
Warning signs include zero user reviews, grammatical errors in branding, no official website, and a Gmail-linked developer account

A fake cryptocurrency wallet extension on Google’s Chrome Web Store is stealing user seed phrases through an unusual method involving blockchain microtransactions. The extension has appeared high in search results despite containing malicious code.

🚨 SECURITY ALERT: Malicious Chrome Extension Stealing Crypto Assets

A fake Ethereum wallet extension “Safery: Ethereum Wallet” is exfiltrating seed phrases by encoding them into #Sui transactions—a highly sophisticated attack method.

⚠️ Extension Name: Safery: Ethereum Wallet… pic.twitter.com/FIEkkq2pau

— GoPlus Security 🚦 (@GoPlusSecurity) November 14, 2025

The extension is named “Safery: Ethereum Wallet.” It markets itself as a secure tool for managing Ethereum-based assets. Blockchain security platform Socket identified the threat in a report published on Tuesday.

The malicious software currently ranks as the fourth search result when users type “Ethereum Wallet” into the Chrome Web Store. It appears just below legitimate wallet extensions like MetaMask, Wombat, and Enkrypt. The extension was first uploaded on September 29, 2025.

The extension works by allowing users to either create new wallets or import existing ones. Both options compromise user security. When a user creates a new wallet, the extension immediately captures the seed phrase.

How the Theft Mechanism Works

The malware uses a unique method to steal credentials without traditional command-and-control servers. It encodes BIP-39 mnemonic seed phrases into synthetic Sui-style blockchain addresses. The extension then sends a microtransaction of 0.000001 SUI to these fake addresses from a wallet controlled by the attackers.

Security researcher Kirill Boychenko from Socket explained the process. The seed phrase leaves the user’s browser hidden inside normal-looking blockchain transactions. Threat actors monitor the Sui blockchain for these tiny transactions.

They can then decode the recipient addresses to reconstruct the original seed phrase. Once they have the seed phrase, they gain complete access to drain all assets from the compromised wallet. The method works whether users create new wallets or import existing ones.

Users who import existing wallets face immediate risk. The moment they enter their seed phrase into the extension, it gets transmitted through the blockchain transaction system. The attackers can access these funds at any time after capturing the credentials.

Warning Signs and Detection

Several red flags indicate the extension’s lack of legitimacy. The extension has zero user reviews on the Chrome Web Store. Its branding contains grammatical mistakes and appears limited in quality.

There is no official website linked to the extension. The developer contact information uses a Gmail account rather than a professional domain. These warning signs should alert users before installing the extension.

Koi Security confirmed the threat in an independent analysis. They verified that the extension monitors the blockchain to decode addresses back to seed phrases. Security experts recommend users only install trusted wallet extensions with verified legitimacy.

Defenders should scan extensions for specific malicious indicators. These include mnemonic encoders, synthetic address generators, and hard-coded seed phrases. Extensions that write to the blockchain during wallet import or creation should be blocked.

Boychenko noted that this technique allows threat actors to switch chains and RPC endpoints easily. Traditional detection methods that rely on domains, URLs, or specific extension IDs will miss this type of attack. Unexpected blockchain RPC calls from browsers should be treated as high-priority security signals.

Users should monitor all wallet transactions consistently. Even transactions involving very small amounts could indicate malicious activity. The extension remained available for download on the Chrome Web Store as of November 13, 2025, with its most recent update occurring on November 12.

The post Fake Ethereum Wallet Extension Steals Seed Phrases Through Blockchain Transactions appeared first on CoinCentral.

Leave a Reply

Your email address will not be published. Required fields are marked *

Filed under: News - @ November 14, 2025 7:36 am