In a troubling development for the cryptocurrency community, security researchers at Socket Security (often referred to simply as “Socket”) have uncovered a malicious browser extension on the Google Chrome Web Store called “Safery: Ethereum Wallet”, which masquerades as a legitimate Ethereum‑wallet utility but is designed to steal users’ seed phrases and grant attackers full access to the victims’ assets.
What’s going on?
-
The extension promises to be a “trusted and secure utility for managing Ethereum assets easily and efficiently.”
-
In reality, upon installation, the extension contains a sophisticated backdoor. When a user either creates a new wallet or imports an existing one via their seed phrase (i.e., the BIP‑39 mnemonic), the extension triggers tiny microtransactions on the Sui blockchain to send encrypted versions of the seed phrase to attacker‑controlled addresses.
-
Specifically, Socket’s analysis shows that when a seed is entered, the extension encodes the mnemonic into synthetic Sui addresses, then sends tiny amounts of SUI (e.g., 0.000001 SUI) from these addresses. By tracing the on‑chain data and decoding the seed fragments, attackers can reconstruct the full mnemonic and drain the compromised wallet.
-
Alarmingly, the extension was ranked fourth in search results for “Ethereum Wallet” in the Chrome‑Web‑Store, appearing right behind well‑known legitimate wallets such as MetaMask, Wombat Wallet and Enkrypt — thereby having a high likelihood of being picked by unsuspecting users.
Why this is dangerous
-
A seed phrase (or “mnemonic phrase”) is the ultimate key to a cryptocurrency wallet: whoever has it controls the funds.
-
Because the attacker obtains the seed before any large balance might be deposited (or immediately after import), they obtain full access and can drain funds at will.
-
The microtransaction approach is clever — the individual transactions may appear innocuous and easily overlooked by users, yet they encode and transmit the stolen data.
-
Because the extension impersonates a normal wallet extension, users may not suspect wrongdoing until it’s too late.
Key red‑flags that users should watch
-
An extension with a generic or poor branding/name that tries to masquerade as a major wallet but lacks credible identity. (In this case, “Safery: Ethereum Wallet” had minimal reviews and a weak developer profile.)
-
Absence of an official website, weak or non‑existent support, and only generic contact info (e.g., Gmail addresses).
-
Grammar/spelling errors, or generic marketing language like “trusted and secure” without verifiable audits or credible developer credentials.
-
Presence of unexpected on‑chain microtransactions taking place shortly after wallet creation or import, especially on blockchains you didn’t knowingly use (e.g., Sui).
-
Being easily discoverable (high ranking/popularity) yet lacking traction or visibility among well‑known crypto‑wallet communities or reviews.
Action steps & how to protect yourself
-
If you ever installed “Safery: Ethereum Wallet” (or any extension with suspicious signs), immediately remove it from Chrome and any other browsers.
-
If you used it to create a wallet or import an existing wallet seed phrase, treat that wallet as now compromised. Transfer the funds immediately (if any remain) to a new wallet whose seed phrase you generated offline and securely.
-
Always prefer wallets with strong reputations, open‑source code (if possible), and community audits. Check the developer’s identity, website, GitHub repository, user reviews and trusted third‑party assessments.
-
Be extremely careful when entering or importing a seed phrase: only ever do so when you know the wallet/extension/vendor is legitimate.
-
Monitor your wallets for any unexpected transactions — even very small or odd ones may be signs of malicious activity.
-
Keep your browser and extensions updated, and periodically review your installed extensions and remove any you no longer use or don’t trust.
Final thoughts
The discovery of “Safery: Ethereum Wallet” underscores a fundamental truth of the crypto‑ecosystem: convenience tools (browser extensions, wallet apps, plugins) can often become vectors for sophisticated attacks when built or deployed maliciously. Even smart users can fall victim if they stop exercising caution.
In this case, the attackers executed a multi‑layer strategy: craft a superficially credible wallet extension, rank it highly in the store, wait for users who don’t do full due‑diligence, embed a backdoor that transmits mnemonics via seemingly innocuous micro‑transactions on an unlikely blockchain — and strike. It’s a stark reminder that every wallet, every seed phrase, every extension must be treated as high‑security.
Stay alert. When in doubt, generate a new wallet and transfer your assets to it. And always preserve your seed phrase offline in cold storage, never input it into an extension or tool whose trustworthiness you’ve not fully verified.
Ready to start your cryptocurrency journey?
If you’re interested in exploring the world of crypto trading, here are some trusted platforms where you can create an account:
- Binance – The world’s largest cryptocurrency exchange by volume.
- Bybit – A top choice for derivatives trading with an intuitive interface.
- OKX – A comprehensive platform featuring spot, futures, DeFi, and a powerful Web3 wallet.
- KuCoin – Known for its vast selection of altcoins and user-friendly mobile app.
These platforms offer innovative features and a secure environment for trading and learning about cryptocurrencies. Join today and start exploring the opportunities in this exciting space!
Want to stay updated with the latest insights and discussions on cryptocurrency?
Join our crypto community for news, discussions, and market updates: CryptoBCC on Youtube | Telegram | Facebook | Discord | X(Twitter)
For collaborations and inquiries: CryptoBCC.com@gmail.com
Disclaimer: This is not investment advice. Cryptocurrency investments carry high risk. Always conduct your own research.
