Malicious Safery Chrome Extension Steals Ethereum Wallet Seed Phrases via Sui Blockchain
A malicious Chrome extension named Safery: Ethereum Wallet was discovered on the Chrome Web Store, masquerading as a legitimate Ethereum wallet while secretly exfiltrating users' seed phrases. The extension encodes the BIP-39 mnemonic seed phrases into synthetic Sui blockchain addresses and sends microtransactions (0.000001 SUI) from a hardcoded attacker-controlled wallet, embedding the sensitive information within normal-looking blockchain transactions. This method allows the threat actor to later decode the recipient addresses and reconstruct the original seed phrase, enabling them to drain victims' cryptocurrency assets without relying on a traditional command-and-control server.
Security researchers from both Socket and Koi Security analyzed the extension, confirming its backdoor functionality and detailing its technical behavior, including the use of a hardcoded Base64 wallet seed and global exposure of sensitive wallet functions in the browser. The extension remained available for download at the time of reporting, and a takedown request was submitted to Google. Users are advised to avoid untrusted wallet extensions and defenders are recommended to scan for mnemonic encoders, synthetic address generators, and suspicious on-chain writing behaviors in browser add-ons to mitigate similar threats.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Socket reports the malicious extension and requests Google takedown
Socket's Threat Research Team publicly disclosed the malicious extension, stating it was still live on the Chrome Web Store at the time of reporting. Socket said it submitted a takedown request to Google and asked for the publisher account to be suspended.
Safery uses Sui microtransactions to exfiltrate seed phrases
Researchers found the extension encoded victims' mnemonic seed phrases into one or two synthetic Sui-style addresses and sent 0.000001 SUI microtransactions from an attacker-controlled wallet. This allowed seed theft through on-chain activity instead of traditional HTTP exfiltration or centralized command-and-control infrastructure.
Malicious 'Safery: Ethereum Wallet' extension is published to Chrome Web Store
A Chrome extension named 'Safery: Ethereum Wallet' was published on the Chrome Web Store while masquerading as a secure Ethereum wallet. It was designed to steal users' BIP-39 seed phrases despite presenting normal wallet features such as wallet import, balance viewing, and ETH transfers.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Sui Blockchain Seed Stealer: Malicious Chrome Extension Hides Mnemonic Exfiltration in Microtransactions
securityonline.info
Open sourceFake Chrome Extension "Safery" Steals Ethereum Wallet Seed Phrases Using Sui Blockchain
thehackernews.com
Open sourceChrome extension “Safery” steals Ethereum wallet seed phrases
securityaffairs.com
Open sourceMalicious Chrome Extension Exfiltrates Seed Phrases, Enabling Wallet Takeover
socket.dev
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Trust Wallet Chrome Extension Compromised Leading to Multi-Million Dollar Cryptocurrency Theft
A compromised update to the Trust Wallet Chrome extension, version 2.68.0 released on December 24, resulted in the theft of over $7 million in cryptocurrency from hundreds of users. Attackers injected malicious JavaScript code, disguised as analytics, which activated when users imported their seed phrases, exfiltrating sensitive wallet data to a domain mimicking Trust Wallet's infrastructure. The attack was first flagged by blockchain investigators and security researchers, who noted that only desktop extension users were affected, while the mobile app remained secure. Trust Wallet responded by releasing an urgent warning and a subsequent extension update, while security firms highlighted the likely supply-chain nature of the compromise. In parallel to the direct compromise, threat actors launched phishing campaigns using domains such as fix-trustwallet.com, luring affected users with promises of a vulnerability fix but instead further draining their wallets. The incident underscores the risks of supply-chain attacks on browser extensions and the sophistication of attackers, who combined technical compromise with social engineering to maximize their haul. Security analysts and blockchain investigators continue to monitor the situation, advising users to avoid the Chrome extension until further notice and to remain vigilant against related phishing attempts.
Mar 21, 2026
FakeWallet iOS Apps in Apple App Store Stole Cryptocurrency Seed Phrases
Researchers identified a **FakeWallet** campaign that placed at least **26 malicious iOS apps** in Apple’s App Store, where they impersonated well-known cryptocurrency wallets including **MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken, and Bitpie**. The apps primarily targeted users in **China**, taking advantage of the fact that many legitimate crypto wallet apps were unavailable in the local App Store, and used typosquatting, fake branding, and phishing flows to redirect victims to browser-based credential theft pages or trojanized wallet installers. Investigators said the operation had likely been active since at least late 2025, and Apple was notified and removed several of the identified apps. The malware used multiple techniques to steal wallet secrets from both hot-wallet and cold-wallet companion apps, including **malicious `dylib` injection**, executable hooking, provisioning profiles, and **React Native code tampering**. For hot wallets, the implants scraped mnemonic seed phrases and private keys directly from wallet interfaces; for Ledger-themed variants, the apps displayed convincing in-app prompts and fake verification pages to trick users into entering recovery phrases. Stolen data was **RSA PKCS #1-encrypted**, Base64-encoded, and sent to attacker-controlled servers, and researchers assessed the activity may be linked to the **SparkKitty** threat based on shared modules, Chinese-language artifacts, similar fake App Store-style distribution, and overlapping cryptocurrency theft objectives.
Apr 24, 2026
Malicious Chrome Extension Exfiltrates MEXC API Keys via Telegram for Account Takeover
Security researchers reported a malicious Google Chrome extension, **MEXC API Automator** (`pppdfgkfdemgfknfnhpkibbkabhghhfh`), masquerading as a trading-automation tool for the **MEXC** cryptocurrency exchange. Published to the Chrome Web Store on 2025-09-01 by an actor using the alias **"jorjortan142"**, the extension targets users who visit MEXC’s API key management page (`/user/openapi`) and runs a content script (`script.js`) inside the already-authenticated browser session to create new API keys. The extension is designed to enable **withdrawal permissions** on the newly created keys while **hiding** that capability in the UI, then **exfiltrates the API key and secret** to a hardcoded **Telegram bot** controlled by the attacker. With these credentials, the actor can take programmatic control of affected accounts to execute trades and automate withdrawals, potentially draining balances reachable via MEXC. Socket stated the extension remained live on the Chrome Web Store at the time of reporting and that they notified Google; The Hacker News amplified the findings and noted the extension had limited observed downloads but could still enable direct financial theft from compromised accounts.
Mar 21, 2026