Chrome Extension "Safery" Steals Ethereum Wallet Seed Phrases Using Sui Blockchain
- Nov 13, 2025
Key Findings
Chrome extension "Safery: Ethereum Wallet" is a malicious extension posing as a legitimate crypto wallet
The extension is designed to steal users' Ethereum wallet seed phrases
The seed phrases are exfiltrated by encoding them into Sui blockchain transactions
Background
The malicious extension was uploaded to the Chrome Web Store on September 29, 2025
It is still available for download as of November 12, 2025
The extension is ranked fourth in search results for "Ethereum Wallet" on the Chrome Web Store
Seed Phrase Theft Technique
When a user creates or imports a wallet, the extension encodes the seed phrase into synthetic Sui-style addresses
It then sends 0.000001 SUI to those addresses using a hardcoded attacker-controlled mnemonic
The attacker can later decode the recipient addresses to reconstruct the original seed phrase
The process runs in memory and looks like normal blockchain traffic, so the seed phrase is stolen without plaintext exfiltration or a command-and-control server
Implications and Recommendations
The "Safery: Ethereum Wallet" extension demonstrates that seed theft can be concealed by using public blockchains as the exfiltration channel
Defenders should scan extensions for mnemonic encoders, synthetic address generators, and hardcoded seed phrases, and block those that write to the chain during wallet import or creation
Detections that rely on specific domains, URLs, or extension IDs may miss this technique, as threat actors can switch chains and RPC endpoints with ease
Users are advised to stick to trusted wallet extensions and treat unexpected blockchain RPC calls from the browser as a high-risk signal, especially when the product claims to be single-chain.
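The scanning recommendation above can be sketched as a static triage pass over unpacked extension source. This is an added example, not code from the extension or from the cited reports: it flags string literals shaped like a hardcoded mnemonic and references to a chain other than the one the product declares. The function names, the marker table (which goes beyond Sui to show the general chain-mismatch check), and the sample inputs are assumptions made for illustration.

```javascript
// Added example: static triage of unpacked extension source (heuristic only).
const MNEMONIC_LENGTHS = new Set([12, 15, 18, 21, 24]); // valid BIP-39 phrase lengths

// Assumed marker table for SDK/RPC strings per chain. Markers are easy for an
// attacker to change, so the hardcoded-phrase check is the more durable signal.
const CHAIN_MARKERS = {
  sui: [/@mysten\/sui/i, /\bsui_[a-zA-Z]+\b/, /fullnode\.[a-z]+\.sui\.io/i],
  solana: [/@solana\/web3\.js/i, /api\.[a-z-]+\.solana\.com/i],
};

// String literals shaped like a BIP-39 phrase: 12-24 single-spaced lowercase
// words of 3-8 letters. Confirm hits against the real wordlist before acting.
function findHardcodedMnemonics(source) {
  const literal = /(["'`])((?:[a-z]{3,8} ){11,23}[a-z]{3,8})\1/g;
  const hits = [];
  for (const m of source.matchAll(literal)) {
    const words = m[2].split(" ");
    if (MNEMONIC_LENGTHS.has(words.length) && new Set(words).size >= words.length - 2) {
      hits.push({ index: m.index, wordCount: words.length });
    }
  }
  return hits;
}

// Chains referenced in code other than the one the product claims to support.
function findForeignChains(source, declaredChain) {
  return Object.entries(CHAIN_MARKERS)
    .filter(([chain, pats]) => chain !== declaredChain && pats.some((p) => p.test(source)))
    .map(([chain]) => chain);
}

function triageExtension(source, declaredChain) {
  const mnemonics = findHardcodedMnemonics(source);
  const foreignChains = findForeignChains(source, declaredChain);
  const signals = (mnemonics.length > 0) + (foreignChains.length > 0);
  return { verdict: ["pass", "review", "block"][signals], mnemonics, foreignChains };
}

// Constructed sample inputs (placeholder words, not a real wallet phrase).
const SAMPLE_SUSPECT = `
  const PHRASE = "alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima";
  const rpc = "https://fullnode.mainnet.sui.io:443";`;
const SAMPLE_BENIGN = `
  const rpc = "https://eth.example.invalid/v1";
  const label = 'create or import a wallet';`;

console.log(triageExtension(SAMPLE_SUSPECT, "ethereum").verdict); // block
console.log(triageExtension(SAMPLE_BENIGN, "ethereum").verdict); // pass
```

A "review" verdict means only one of the two signals fired; ordinary lowercase sentences in string literals can trip the phrase heuristic, so hits should be checked against the BIP-39 wordlist before blocking.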
Sources
https://securityaffairs.com/184585/malware/chrome-extension-safery-steals-ethereum-wallet-seed-phrases.html
https://thehackernews.com/2025/11/fake-chrome-extension-safery-steals.html

