Malicious 'Safery: Ethereum Wallet' Extension on Chrome Store Steals Seed Phrases via Sui Microtransactions

14.11.2025 07:45

A fake Chrome extension named "Safery: Ethereum Wallet" has been identified as a significant security threat, ranking fourth in Google Chrome Web Store searches for "Ethereum Wallet" as of November 13, 2025. The extension, first uploaded on September 29, 2025, and last updated on November 12, 2025, masquerades as a secure tool for managing Ethereum-based assets but contains malicious code designed to steal users' seed phrases.

The theft mechanism involves encoding BIP-39 mnemonic seed phrases into synthetic Sui-style blockchain addresses. When users create or import a wallet, the extension sends a microtransaction of 0.000001 SUI to these fake addresses from a threat actor-controlled wallet. Attackers then monitor the Sui blockchain, decode the recipient addresses to reconstruct the original seed phrases, and gain full access to drain all assets from compromised wallets. This method bypasses traditional detection by concealing data within normal-looking blockchain transactions.

Security researchers from Socket highlighted the sophistication of this attack in a report, noting that it allows threat actors to easily switch chains and RPC endpoints. Independent analyses by GoPlus Security and Koi Security confirmed the threat, emphasizing that the extension remains available on the Chrome Web Store despite red flags such as zero user reviews, grammatical errors in branding, no official website, and a developer account linked to Gmail.

Experts recommend users avoid installing unverified extensions, monitor wallet transactions for unexpected microtransactions, and rely on trusted wallets like MetaMask. Defenders are advised to scan for indicators like mnemonic encoders and synthetic address generators to prevent similar attacks.
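The scan for mnemonic encoders and synthetic address generators recommended above can start as a static triage pass over an unpacked extension's scripts. The sketch below is an added example, not code from Socket, GoPlus Security, Koi Security or the extension itself; the regex patterns, function names and sample inputs are constructed assumptions, and a hit is a prompt for manual review rather than a verdict.

```javascript
// Added example: heuristic triage of unpacked extension sources.
// Patterns and sample inputs are constructed assumptions, not the real extension's code.
const INDICATORS = {
  mnemonicAccess: /mnemonic|seed ?phrase|bip-?39/i,
  wordIndexing: /wordlist\s*\.\s*indexOf\s*\(/i, // words mapped to numeric indexes
  builtAddress: /["'`]0x["'`]\s*\+/,             // address assembled from computed hex
  suiReference: /[sS]ui(?![a-z])|SUI/,           // the chain the report names
};

// Return { indicatorId: [lineNumbers] } for one source file.
function scanSource(source) {
  const hits = {};
  source.split("\n").forEach((line, i) => {
    for (const [id, re] of Object.entries(INDICATORS)) {
      if (re.test(line)) (hits[id] = hits[id] || []).push(i + 1);
    }
  });
  return hits;
}

// Flag files where indicators co-occur; single hits alone are normal in wallets.
function triageExtension(manifest, files) {
  const declared = `${manifest.name} ${manifest.description || ""}`;
  const declaresSui = INDICATORS.suiReference.test(declared);
  const findings = [];
  for (const [file, source] of Object.entries(files)) {
    const hits = scanSource(source);
    const reasons = [];
    if (hits.mnemonicAccess && hits.suiReference && !declaresSui)
      reasons.push("mnemonic handled beside a chain the listing never mentions");
    if (hits.wordIndexing && hits.builtAddress)
      reasons.push("possible mnemonic encoder feeding a synthetic address");
    if (reasons.length) findings.push({ file, reasons, hits });
  }
  return findings;
}

// Constructed sample inputs.
const SAMPLE_MANIFEST = { name: "Example Ethereum Wallet", description: "Manage ETH" };
const SAMPLE_FILES = {
  "wallet.js": 'const wallet = ethers.Wallet.fromPhrase(mnemonic);\nconst addr = wallet.address;',
  "background.js": [
    'const idx = mnemonic.split(" ").map((w) => wordlist.indexOf(w));',
    'const recipient = "0x" + toHex(idx);',
    'await suiClient.transfer(recipient, "0.000001");',
  ].join("\n"),
};
console.log(JSON.stringify(triageExtension(SAMPLE_MANIFEST, SAMPLE_FILES), null, 2));
```

Only the co-occurrence rules raise a finding, so an ordinary wallet file that derives an address from the mnemonic stays quiet while the constructed `background.js` is flagged for both reasons.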