Pierluigi Paganini
November 13, 2025

Socket’s Threat Research Team discovered a malicious Chrome extension called “Safery: Ethereum Wallet,” posing as a legitimate crypto wallet but designed to steal users’ seed phrases. The Chrome extension was uploaded to the Chrome Web Store on September 29, 2025, and the last update was on November 12. It remains available for download, falsely marketed as a secure Ethereum wallet.
The malicious Safery: Ethereum Wallet appears fourth in Chrome Web Store search results for “Ethereum Wallet,” which places it alongside legitimate wallets and increases the chance that users install it.
The Chrome Web Store lists Safery: Ethereum Wallet as user-friendly, secure, and private, claiming easy transactions and no data collection.
Researchers asked Google to remove the malicious extension and to suspend the publisher’s account, which is linked to kifagusertyna@gmail[.]com.
The fake “Safery” wallet hides the stolen seed phrase inside ordinary-looking blockchain transactions: the recipient addresses themselves carry the encoded data. The attacker later reads those recipients from the public chain, decodes them to recover the victim’s seed phrase, and drains the wallet.
“When a user creates or imports a wallet, Safery: Ethereum Wallet encodes the BIP-39 mnemonic into synthetic Sui style addresses, then sends 0.000001 SUI to those recipients using a hardcoded threat actor’s mnemonic.” reads the report published by cybersecurity firm Socket. “By decoding the recipients, the threat actor reconstructs the original seed phrase and can drain affected assets. The mnemonic leaves the browser concealed inside normal looking blockchain transactions.”
The extension implements a covert exfiltration channel over the Sui blockchain. It encodes the BIP‑39 mnemonic into one or two synthetic Sui‑style addresses: each seed word is mapped to its index in the BIP‑39 wordlist, the indices are packed into a hex string, the string is padded to 64 characters and prefixed with 0x. A 12‑word seed fits in one such address; a 24‑word seed needs two. When the user creates or imports a wallet, the extension uses a hardcoded attacker mnemonic as the sender and transfers 0.000001 SUI to each synthetic address. The attacker later reverses the encoding on the recipient addresses to recover the exact seed phrase. The encoding runs in memory inside the extension, and what leaves the browser looks like normal blockchain traffic: there is no plaintext seed phrase in an HTTP request and no command‑and‑control server to block, yet once the mnemonic is reconstructed the attacker has full control of the wallet.
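To make the channel concrete, the following is an added example, not code from the extension or from Socket’s report. It models the encoder, the decoder an attacker would run over the recipient addresses, and one on‑chain detection heuristic. The report does not give the exact bit layout, so this example assumes each word index is packed as 11 bits, big‑endian, with zero padding on the right; a constructed 2048‑entry wordlist stands in for the real BIP‑39 English list (the code only needs word‑to‑index lookups, so the real list drops in unchanged). The dust threshold is the report’s 0.000001 SUI expressed in MIST; the sample transfers are constructed.

```javascript
// Added example: model of the seed-to-address covert channel and a detector.
// ASSUMPTIONS (not from the report): 11-bit big-endian packing of word indices,
// zero padding on the right, and a constructed stand-in wordlist.

const SUI_ADDRESS_HEX_LEN = 64; // Sui addresses are 32 bytes = 64 hex digits
const BITS_PER_WORD = 11;       // BIP-39 word indices are 0..2047

// Constructed stand-in for the 2048-word BIP-39 English list.
const DEMO_WORDLIST = Array.from({ length: 2048 }, (_, i) => `w${String(i).padStart(4, "0")}`);

// Encode a mnemonic (array of words) into 0x-prefixed, 64-hex-digit strings
// that look like Sui addresses. 12 words -> 132 bits -> 33 hex digits -> one
// address; 24 words -> 264 bits -> 66 hex digits -> two addresses.
function encodeMnemonicAsAddresses(words, wordlist) {
  const bits = words.map((w) => {
    const idx = wordlist.indexOf(w);
    if (idx < 0) throw new Error(`word not in list: ${w}`);
    return idx.toString(2).padStart(BITS_PER_WORD, "0");
  }).join("");
  // Pad the bit string to a multiple of 4 so it maps cleanly onto hex digits.
  const padded = bits.padEnd(Math.ceil(bits.length / 4) * 4, "0");
  let hex = "";
  for (let i = 0; i < padded.length; i += 4) {
    hex += parseInt(padded.slice(i, i + 4), 2).toString(16);
  }
  const addresses = [];
  for (let i = 0; i < hex.length; i += SUI_ADDRESS_HEX_LEN) {
    addresses.push("0x" + hex.slice(i, i + SUI_ADDRESS_HEX_LEN).padEnd(SUI_ADDRESS_HEX_LEN, "0"));
  }
  return addresses;
}

// Attacker side: concatenate the recipients, re-read 11-bit groups, map back
// to words. The word count is known from the number of addresses / a checksum
// check in practice; here it is passed explicitly.
function decodeAddressesToMnemonic(addresses, wordCount, wordlist) {
  const hex = addresses.map((a) => a.replace(/^0x/, "")).join("");
  const bits = [...hex].map((h) => parseInt(h, 16).toString(2).padStart(4, "0")).join("");
  const words = [];
  for (let i = 0; i < wordCount; i++) {
    const group = bits.slice(i * BITS_PER_WORD, (i + 1) * BITS_PER_WORD);
    words.push(wordlist[parseInt(group, 2)]);
  }
  return words;
}

// Defender side. Under the assumed layout a 12-word seed leaves 31 trailing
// zero hex digits and even 21 words leave 6; a genuine 32-byte address ends in
// six or more zero digits with probability about 16^-6.
function trailingZeroHexDigits(address) {
  const hex = address.replace(/^0x/, "");
  return hex.match(/0*$/)[0].length;
}

const DUST_THRESHOLD_MIST = 1000n; // 0.000001 SUI; 1 SUI = 10^9 MIST

// Flag outgoing dust transfers whose recipient looks like padded payload
// rather than a real account. transfers: [{ recipient, amountMist }].
function flagSuspiciousTransfers(transfers, minTrailingZeros = 6) {
  return transfers.filter((t) =>
    BigInt(t.amountMist) <= DUST_THRESHOLD_MIST &&
    trailingZeroHexDigits(t.recipient) >= minTrailingZeros);
}

// Constructed sample data.
const SEED_12 = [0, 1, 2047, 1000, 512, 3, 4, 5, 6, 7, 8, 9].map((i) => DEMO_WORDLIST[i]);
const SEED_24 = Array.from({ length: 24 }, (_, i) => DEMO_WORDLIST[(i * 97) % 2048]);
const SAMPLE_TRANSFERS = [
  // ordinary payment: normal amount, dense recipient
  { recipient: "0x" + "a3".repeat(32), amountMist: "2500000000" },
  // dust to a dense address: not caught by the trailing-zero heuristic
  { recipient: "0x" + "5c".repeat(32), amountMist: "1000" },
  // dust to the encoded 12-word seed: flagged
  { recipient: encodeMnemonicAsAddresses(SEED_12, DEMO_WORDLIST)[0], amountMist: "1000" },
];

console.log(encodeMnemonicAsAddresses(SEED_12, DEMO_WORDLIST));
console.log(flagSuspiciousTransfers(SAMPLE_TRANSFERS).map((t) => t.recipient));
```

Two points follow from the model. First, the heuristic is tied to the assumed layout: a 24‑word seed’s first address is fully dense and only its nearly empty sibling is caught, so a detector should examine every dust recipient in the same transaction batch together, and a different packing would need a different decoder and a different signal. Second, the signal is the shape of the recipient plus the dust amount, not any domain or extension ID, which is the kind of indicator that survives the chain and RPC switching the report warns about.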
“The malicious Safery: Ethereum Wallet extension shows that seed theft can be concealed by using public blockchains as the exfiltration channel. Any mnemonic entered into a malicious wallet can be leaked without HTTP traffic or a central C2. This technique lets threat actors switch chains and RPC endpoints with little effort, so detections that rely on domains, URLs, or specific extension IDs will miss it.” concludes the report. “Defenders should expect reuse across Sui, Solana, and EVM chains and across other wallet UIs.”