Ethical Hacking News
A recent discovery of a malicious Chrome extension has highlighted the importance of staying informed about emerging threats in the digital world. The "Safery: Ethereum Wallet" extension was designed to steal users' seed phrases by encoding them into Sui addresses and broadcasting microtransactions from a threat actor-controlled wallet.
The malicious Chrome extension "Safery: Ethereum Wallet" was discovered posing as a legitimate Ethereum wallet.
The extension steals users' seed phrases by encoding them into Sui addresses and broadcasting microtransactions.
The malware exfiltrates seed phrases using fake Sui wallet addresses and micro-transactions, making detections less effective.
Users are advised to stick to trusted wallet extensions and scan for suspicious activity.
Updating Google Chrome and antivirus software, as well as backing up sensitive information, can help protect against this type of malware.
Cybersecurity researchers have recently discovered a malicious Chrome extension uploaded to the Chrome Web Store, posing as a legitimate Ethereum wallet. The extension, titled "Safery: Ethereum Wallet," was designed to steal users' seed phrases by encoding them into Sui addresses and broadcasting microtransactions from a threat actor-controlled Sui wallet. According to the researchers, the extension has been available for download since September 29, 2025, and was most recently updated on November 12, 2025.
The malware exfiltrates users' seed phrases by encoding them as fake Sui wallet addresses and then sending micro-transactions of 0.000001 SUI to each of those addresses from a hard-coded, threat actor-controlled wallet. The goal is to smuggle the seed phrase inside normal-looking blockchain transactions, so the attacker never has to stand up a command-and-control (C2) server to receive the data.
Once the transactions are confirmed, the threat actor decodes the recipient addresses to reconstruct the original seed phrase and then drains the assets it controls. Cybersecurity researchers note that this technique lets threat actors switch chains and RPC endpoints with little effort, which makes detections that rely on domains, URLs, or specific extension IDs less effective.
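Because the exfiltration leaves no C2 domain to block, one place defenders can still look is the chain itself: the pattern the article describes is a single sender pushing the same tiny amount to a dozen or more brand-new addresses in a short burst. The following is an added example, not code from the article or from the researchers it cites; it runs a fan-out heuristic over a constructed list of Sui transfer records. The window, recipient threshold, and the sample addresses are assumptions for the demo (Sui amounts are expressed in MIST, where 1 SUI = 10^9 MIST, so 0.000001 SUI is 1000 MIST).

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass

MIST_PER_SUI = 1_000_000_000        # Sui base unit: 1 SUI = 10^9 MIST
MICRO_AMOUNT_MIST = 1_000           # 0.000001 SUI, the amount cited in the article


@dataclass(frozen=True)
class Transfer:
    ts: int            # unix seconds
    sender: str        # 0x-prefixed 32-byte hex address
    recipient: str
    amount_mist: int


def find_fanout_senders(transfers, amount_mist=MICRO_AMOUNT_MIST,
                        min_recipients=12, window_s=600):
    """Return {sender: sorted recipients} for every sender that moved the same
    tiny amount to >= min_recipients distinct, previously unseen addresses
    within window_s seconds. Thresholds are demo assumptions, not tuned values."""
    seen_before = set()                 # every address observed earlier in the stream
    micro_by_sender = defaultdict(list)
    for t in sorted(transfers, key=lambda x: x.ts):
        # only count exact micro-amounts to addresses with no prior history
        if t.amount_mist == amount_mist and t.recipient not in seen_before:
            micro_by_sender[t.sender].append(t)
        seen_before.add(t.sender)
        seen_before.add(t.recipient)

    flagged = {}
    for sender, events in micro_by_sender.items():
        start = 0                       # sliding time window over this sender's events
        for end in range(len(events)):
            while events[end].ts - events[start].ts > window_s:
                start += 1
            recipients = {e.recipient for e in events[start:end + 1]}
            if len(recipients) >= min_recipients:
                flagged[sender] = sorted(recipients)
                break
    return flagged


def addr(label):
    """Constructed, deterministic fake Sui address (32-byte hex) for the demo."""
    return "0x" + hashlib.sha256(label.encode()).hexdigest()


ATTACKER = addr("constructed-attacker-controlled-wallet")   # placeholder, not a real IoC
EXCHANGE = addr("constructed-benign-hot-wallet")


def sample_transfers():
    """Constructed sample: two ordinary payouts, one legitimate dust transfer to an
    existing customer, and a 12-way burst of 1000 MIST to fresh addresses."""
    txs = [
        Transfer(900, EXCHANGE, addr("user-a"), 5 * MIST_PER_SUI),
        Transfer(950, EXCHANGE, addr("user-b"), 5 * MIST_PER_SUI),
        Transfer(1005, EXCHANGE, addr("user-a"), MICRO_AMOUNT_MIST),  # known address, not counted
    ]
    txs += [Transfer(1000 + i, ATTACKER, addr(f"synthetic-{i}"), MICRO_AMOUNT_MIST)
            for i in range(12)]
    return txs


if __name__ == "__main__":
    for sender, recipients in find_fanout_senders(sample_transfers()).items():
        print(f"fan-out sender {sender[:10]}... -> {len(recipients)} fresh recipients")
```

The recipient threshold is deliberately aligned with the shortest common mnemonic length (12 words); a real deployment would tune both the threshold and the window against the sender's own history, and would treat the output as a lead for analyst review rather than a verdict.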
To counter this threat, users are advised to stick to trusted wallet extensions. Defenders are advised to scan extensions for mnemonic encoders, synthetic address generators, and hard-coded seed phrases, and to block any extension that writes to a chain during wallet import or creation.
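The scanning advice above can be turned into a first-pass static check over an extension's unpacked JavaScript. The block below is an added example, not tooling from the article or the researchers it cites: it looks for the three indicators the article names (a hard-coded BIP39 mnemonic, 64-hex constants such as a baked-in key or sender address, and seed-phrase handling that sits in the same source as a Sui chain-write call). The two extension snippets are constructed for the demo, the embedded BIP39 subset is a placeholder for the real 2048-word list, and the choice of method names as indicators is this example's own heuristic.

```python
import re

# Constructed subset of the BIP39 English wordlist for the demo; a real scanner
# loads all 2048 words from the official list file.
BIP39_SAMPLE = set("""
abandon ability able about above absent absorb abstract absurd abuse access accident
zoo zone zebra wrong world word wood wolf wire wine wide whisper west welcome
""".split())

MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}
STRING_LITERAL = re.compile(r'''(["'`])((?:\\.|(?!\1).)*)\1''', re.S)
HEX64 = re.compile(r'\b(?:0x)?[0-9a-fA-F]{64}\b')
# Sui JSON-RPC / SDK names that write to the chain; using them as an indicator
# inside an "Ethereum" wallet is this example's heuristic (assumption).
CHAIN_WRITE = re.compile(
    r'sui_executeTransactionBlock|unsafe_transferSui|transferSui|signAndExecuteTransaction', re.I)
SEED_HANDLING = re.compile(r'mnemonic|seedPhrase|seed_phrase|bip39', re.I)


def is_mnemonic(literal, wordlist=BIP39_SAMPLE):
    """True if the literal is a valid-length run of words all drawn from the wordlist."""
    words = literal.strip().lower().split()
    return len(words) in MNEMONIC_LENGTHS and all(w in wordlist for w in words)


def scan_extension_source(src, wordlist=BIP39_SAMPLE):
    """Return a list of (indicator, excerpt) findings for one JS source file."""
    findings = []
    for m in STRING_LITERAL.finditer(src):
        body = m.group(2)
        if is_mnemonic(body, wordlist):
            findings.append(("hardcoded_mnemonic", body.split()[0] + " ..."))
        elif HEX64.search(body):
            findings.append(("hardcoded_hex_constant", body[:12] + "..."))
    # Seed-phrase handling and a chain write in the same module is the shape of the
    # import-time exfiltration described in the article.
    if SEED_HANDLING.search(src) and CHAIN_WRITE.search(src):
        findings.append(("seed_handling_plus_chain_write", CHAIN_WRITE.search(src).group(0)))
    return findings


# Constructed sample that carries the indicators only; it implements nothing.
SUSPICIOUS_SAMPLE = """
const RPC = "https://fullnode.mainnet.sui.io:443";
const SENDER_KEY = "0x%s";
const SENDER_SEED = "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about";
function importWallet(mnemonic) { /* placeholder */ }
fetch(RPC, { body: JSON.stringify({ method: "sui_executeTransactionBlock" }) });
""" % ("00" * 31 + "01")

# Constructed benign sample: generates a mnemonic locally, never touches a chain.
BENIGN_SAMPLE = """
import { generateMnemonic } from "bip39";
const DEFAULT_RPC = "https://mainnet.infura.io/v3/<key>";
export function createWallet() { return generateMnemonic(); }
"""

if __name__ == "__main__":
    for name, src in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, scan_extension_source(src) or "no findings")
```

The third indicator is intentionally coarse: a legitimate multi-chain wallet will also contain both seed handling and transaction-submission code, so a hit means "review this file", not "block this extension". The article's stronger control, blocking extensions that write to a chain during import, needs runtime observation of the extension's network traffic, which a static scan cannot replace.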
In order to protect against this type of malware, it is crucial for users to stay vigilant and monitor their Chrome extensions for any suspicious activity. Additionally, users should ensure they have the latest version of Google Chrome installed and take advantage of browser updates to enhance security.
Furthermore, cybersecurity experts emphasize the importance of robust security measures, such as using reputable antivirus software and regularly backing up sensitive information.
In conclusion, this malicious Chrome extension serves as another example of the ever-evolving threat landscape in the digital world. Threat actors continually push boundaries with new techniques, highlighting the need for users to stay informed and vigilant about potential threats.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Malware-Exploits-Vulnerability-in-Chrome-Extension-to-Steal-Ethereum-Wallet-Seed-Phrases-ehn.shtml
https://thehackernews.com/2025/11/fake-chrome-extension-safery-steals.html
Published: Thu Nov 13 07:20:49 2025 by llama3.2 3B Q4_K_M