A fraudulent cryptocurrency wallet extension listed on the Chrome Web Store has been found stealing user seed phrases through an unconventional technique that relies on blockchain microtransactions. Despite containing clearly malicious components, the extension has appeared prominently in search results, raising concerns about oversight on major browser marketplaces.
The extension, known as Safery: Ethereum Wallet, promotes itself as a secure platform for managing Ethereum-based assets. According to a recent analysis released by blockchain security firm Socket, the tool is engineered to extract seed phrases from users the moment they attempt to either create a new wallet or import an existing one. The extension, first uploaded in late September 2025, currently ranks as one of the top search results shown to users looking for Ethereum wallet tools, appearing alongside legitimate offerings such as MetaMask, Wombat, and Enkrypt.
Seed Phrases Leaked Through Synthetic Addresses
Socket’s investigation revealed that the extension compromises security at both entry points offered to users. When a new wallet is created, the tool immediately captures the newly generated seed phrase. When an existing wallet is imported, the phrase is taken at the moment the user enters it. What sets this campaign apart is its method of transmitting stolen information.
Instead of relying on conventional command-and-control servers, the attackers have adopted a method that hides data inside small blockchain transactions. The malware encodes BIP-39 seed phrases into fabricated Sui-style blockchain addresses. It then triggers microtransactions of an extremely small SUI amount—roughly one-millionth of a token—from an attacker-controlled wallet to these synthetic addresses. Socket researcher Kirill Boychenko explained that threat actors continuously monitor the Sui blockchain for such tiny transfers. By decoding the recipient address, they can reconstruct the original seed phrase. This approach enables them to gain complete access to the user’s assets and drain the compromised wallet.
🚨 SECURITY ALERT: Malicious Chrome Extension Stealing Crypto Assets
A fake Ethereum wallet extension "Safery: Ethereum Wallet" is exfiltrating seed phrases by encoding them into #Sui transactions—a highly sophisticated attack method.
⚠️ Extension Name: Safery: Ethereum Wallet…
— GoPlus Security 🚦 (@GoPlusSecurity) November 14, 2025
The tactic works regardless of whether the user is creating a new wallet or importing an existing one. In both cases, the seed phrase is funneled directly into the blockchain-based exfiltration system, placing users at immediate risk.
Multiple Warning Signs Ignored by Users
Investigators highlighted several signs that could have alerted users to the extension’s suspicious nature. The tool had no user reviews, contained branding with noticeable grammatical errors, and lacked a dedicated website. Additionally, the developer listed a Gmail address rather than a professional domain, a detail commonly associated with unverified or low-quality extensions.
Independent analysts at Koi Security confirmed Socket’s findings. Their review indicated that the extension actively monitored blockchain activity and converted encoded addresses back into seed phrases. Cybersecurity specialists advised users to install only verified and reputable wallet extensions, warning that all unknown tools should be treated cautiously.
New Attack Method Evades Traditional Detection
Experts noted that this technique poses a challenge for traditional security measures. Boychenko emphasized that the method allows attackers to shift between different blockchains and RPC endpoints effortlessly. Because the technique does not rely on domains, URLs, or consistent extension identifiers, common detection tools are likely to overlook the threat. Security teams have been urged to treat unexpected blockchain RPC calls from web browsers as high-risk indicators.
Specialists recommend that defenders screen browser extensions for signs of malicious activity, including mnemonic encoders, synthetic address generators, and hard-coded seed phrases. They also advise blocking tools that attempt blockchain interactions during wallet creation or import flows.
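One way to apply the screening described above to an extension's unpacked JavaScript, as an added example that is not taken from Socket's report or from the extension itself: it flags string literals shaped like a BIP-39 mnemonic, an embedded copy of the wordlist, and JSON-RPC method names for chains the extension does not claim to support. The function names, the chain-to-prefix mapping and the sample source are assumptions constructed for illustration, and the mnemonic check is a shape heuristic, not a wordlist lookup.

```python
import re

# Valid BIP-39 mnemonic lengths; English wordlist entries are 3-8 lowercase letters.
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}
WORD = re.compile(r"[a-z]{3,8}")
# Single-line string literal in any JS quote style (escapes are not handled).
STRING_LITERAL = re.compile(r"""(["'`])((?:(?!\1).)*)\1""")
# The BIP-39 English wordlist starts with these entries; an embedded copy
# suggests the code encodes or decodes mnemonics itself.
WORDLIST_HEAD = re.compile(r"abandon\W{1,6}ability\W{1,6}able\W{1,6}about")
# JSON-RPC method prefixes per chain (assumed mapping; extend as needed).
RPC_PREFIXES = {"ethereum": ("eth_",), "sui": ("sui_", "suix_")}
RPC_METHOD = re.compile(r"""["'`]((?:eth|suix?)_[A-Za-z]+)["'`]""")

def hardcoded_mnemonics(source):
    """Return string literals that have the shape of a BIP-39 mnemonic."""
    hits = []
    for m in STRING_LITERAL.finditer(source):
        words = m.group(2).split()
        if len(words) in MNEMONIC_LENGTHS and all(WORD.fullmatch(w) for w in words):
            hits.append(m.group(2))
    return hits

def unexpected_rpc_methods(source, expected_chains):
    """Return RPC method names that belong to chains the extension does not declare."""
    allowed = tuple(p for c in expected_chains for p in RPC_PREFIXES.get(c, ()))
    found = set(RPC_METHOD.findall(source))
    return sorted(name for name in found if not name.startswith(allowed))

def screen_extension(source, expected_chains):
    """Collect the indicators for one source file into a report dict."""
    return {
        "hardcoded_mnemonics": hardcoded_mnemonics(source),
        "embedded_wordlist": bool(WORDLIST_HEAD.search(source)),
        "unexpected_rpc": unexpected_rpc_methods(source, expected_chains),
    }

# Constructed sample source for this example; the phrase is a placeholder.
SAMPLE = '''
const WORDLIST = ["abandon","ability","able","about"];
const TEST_SEED = "alpha bravo delta hotel india juliet kilo lima mike oscar papa romeo";
post({ method: "eth_getBalance" });
post({ method: "sui_executeTransactionBlock" });
'''

if __name__ == "__main__":
    print(screen_extension(SAMPLE, expected_chains=["ethereum"]))
```

A hit is a reason to review the file by hand, not a verdict: legitimate wallets also ship the wordlist, so the combination with RPC calls to an undeclared chain is what deserves attention.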
Users have been encouraged to monitor all wallet activity closely, as even very small, unexpected transactions could signal malicious behavior. As of mid-November 2025, the fake extension remained available for download, with its latest update appearing just one day earlier.








