chrome wallet seed theft

In a disturbing development that’s sending shockwaves through the crypto community, a malicious Chrome extension called “Safery: Ethereum Wallet” has been stealing users’ seed phrases through an ingenious blockchain-based exfiltration technique. The fraudulent wallet ranked #4 in Chrome Web Store searches for “Ethereum Wallet,” sitting comfortably near legitimate options like MetaMask. Talk about a wolf in sheep’s clothing.

First appearing on September 29, 2025, with updates continuing through mid-November, the extension somehow sailed through Chrome’s review process. Because who needs rigorous security checks anyway, right?

The technical sophistication would be genuinely impressive if it weren’t so damn malicious. Upon wallet creation or import, Safery encodes the victim’s BIP-39 seed phrase into synthetic addresses on the Sui blockchain. It then fragments this data and embeds it across multiple microtransactions, sometimes as tiny as 0.000001 SUI. These transactions look perfectly normal on the blockchain. Sneaky.

What makes this attack particularly devious is that it uses the Sui blockchain itself as a covert exfiltration channel. The attackers later decode these synthetic addresses from public transaction records to reconstruct the full seed phrase. No direct transmission of sensitive data from the device. No suspicious network traffic. Just normal-looking blockchain activity.
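A defender-side triage check suggested by the technique described above, added here as an example (not code from the original article or from the extension): it flags a wallet extension whose code handles seed phrases while referencing a chain its listing never advertises, as Safery did with Sui. The indicator lists, function names, and the sample manifest and sources are constructed assumptions, and real extension code is often minified and needs deeper analysis.

```javascript
// Indicators per chain: JSON-RPC method prefixes, public RPC hosts, SDK names.
// Illustrative and not exhaustive (assumption); extend for your environment.
const CHAIN_INDICATORS = {
  ethereum: [/\beth_\w+/, /infura\.io/],
  sui: [/\bsuix?_\w+/, /fullnode\.[a-z]+\.sui\.io/, /@mysten\/sui/],
  solana: [/api\.mainnet-beta\.solana\.com/, /@solana\/web3\.js/],
};
const SEED_HINTS = [/mnemonic/i, /seed\s*phrase/i, /bip-?39/i];
const CHAINS = Object.keys(CHAIN_INDICATORS);

// Chains the listing claims to support, read from the manifest name/description.
function advertisedChains(manifest) {
  const text = `${manifest.name || ""} ${manifest.description || ""}`;
  return CHAINS.filter((c) => new RegExp(`\\b${c}\\b`, "i").test(text));
}

// Chains the package actually references in host permissions or script source.
function referencedChains(manifest, sources) {
  const blob = [...(manifest.host_permissions || []), ...Object.values(sources)].join("\n");
  return CHAINS.filter((c) => CHAIN_INDICATORS[c].some((re) => re.test(blob)));
}

// Flag for manual review when seed-handling code coexists with an unadvertised chain.
function auditExtension(manifest, sources) {
  const advertised = advertisedChains(manifest);
  const unadvertised = referencedChains(manifest, sources).filter((c) => !advertised.includes(c));
  const seedFiles = Object.keys(sources).filter((f) => SEED_HINTS.some((re) => re.test(sources[f])));
  const verdict = unadvertised.length > 0 && seedFiles.length > 0 ? "review" : "ok";
  return { advertised, unadvertised, seedFiles, verdict };
}

// Constructed sample input (not taken from the real extension).
const sampleManifest = {
  manifest_version: 3,
  name: "Example: Ethereum Wallet",
  description: "A simple wallet for Ethereum.",
  host_permissions: ["https://mainnet.infura.io/*"],
};
const sampleSources = {
  "background.js": 'rpc("https://mainnet.infura.io/v3/KEY", { method: "eth_getBalance" });',
  "wallet.js": 'const mnemonic = form.seed.value; rpc(SUI_URL, { method: "sui_executeTransactionBlock" });',
};

console.log(auditExtension(sampleManifest, sampleSources));
```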

Once compromised, victims’ wallets are completely exposed. The thieves gain full control over associated crypto assets on Ethereum and any other chains linked to that seed phrase. Game over.

The extension created fake trust signals by maintaining a clean icon and accumulating numerous five-star reviews to deceive unsuspecting users. Experts recommend keeping seed phrases offline and confidential to protect against such sophisticated attacks.

The evolution of the malware shows careful planning. Early builds tested simpler data leakage methods before developers refined their approach to the current sophisticated Sui encoding method. They’ve clearly been honing their craft.

For affected users, the compromise is catastrophic and irreversible. The seed phrase theft means attackers can drain funds without further interaction with the victim’s device. This incident highlights why many cryptocurrency experts recommend using cold storage solutions rather than internet-connected hot wallets for significant holdings. And because the transactions appear legitimate, users often don’t realize anything’s wrong until their assets vanish. By then, it’s too late.
