Malicious Chrome Extension as Ethereum Wallet Enables Full Wallet Takeover

A deceptive Chrome extension named Safery: Ethereum Wallet has emerged as a serious threat to cryptocurrency users.

Published on the Chrome Web Store on November 12, 2024, this extension masquerades as a secure Ethereum wallet while secretly stealing user seed phrases.

The malware’s sophisticated design allows attackers to gain complete control over victims’ cryptocurrency wallets and drain their digital assets.

The extension operates with a cunning approach to theft. When users create or import a wallet, the extension extracts their seed phrase and encodes it into synthetic Sui blockchain addresses.

It then broadcasts tiny microtransactions of 0.000001 SUI to these encoded addresses from a threat actor-controlled wallet. To observers, these appear as normal blockchain activity, but they actually contain hidden user data.

Socket.dev security analysts identified the malicious extension and discovered its evasive tactics.

The researchers noted that the backdoor uses BIP-39 mnemonic encoding, transforming each seed phrase word into numeric indices and packing them into hexadecimal strings that resemble legitimate Sui wallet addresses.

Ethereum Wallet markets the extension as a simple, secure ETH wallet (Source: Socket.dev)

This clever approach hides data within blockchain transactions, eliminating the need for traditional command-and-control servers.

Technical Mechanism

The technical mechanism reveals the extension’s sophistication. Examining the extension code, analysts found that it loads the standard BIP-39 wordlist, maps each word to its index, and constructs synthetic addresses prefixed with “0x”.

A paired decoder embedded in the malware allows the threat actor to reverse this process, reconstructing the original seed phrase word by word.

The code silently executes these operations after a user enters their seed phrase, sending exfiltration data across the blockchain before completing the login process.
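As an added example (not code from the Socket.dev analysis or from the extension itself), the following Python shows the defender's side of this channel: a check that tells whether a 32-byte Sui-style address is carrying checksum-valid BIP-39 word indices, and a filter over constructed transfer records that flags recipients which decode. It assumes the simplest packing, twelve 11-bit indices left-aligned and zero-padded to 32 bytes; the extension's exact layout is not given in the write-up, so adjust the constants to a captured sample.

```python
import hashlib
from typing import List, Optional

# Assumed layout (not from the page): Sui addresses are 32 bytes, a BIP-39
# word index is 11 bits, and a 12-word phrase is 128 entropy + 4 checksum bits.
ADDR_BYTES = 32
WORD_BITS = 11
WORDS = 12


def indices_from_entropy(entropy: bytes) -> List[int]:
    """Standard BIP-39: entropy || 4-bit checksum, split into 11-bit indices."""
    assert len(entropy) == 16
    checksum = hashlib.sha256(entropy).digest()[0] >> 4
    bits = (int.from_bytes(entropy, "big") << 4) | checksum
    return [(bits >> (WORD_BITS * (WORDS - 1 - i))) & 0x7FF for i in range(WORDS)]


def pack_indices(indices: List[int]) -> str:
    """Build a constructed sample address under the assumed layout (test fixture)."""
    bits = 0
    for idx in indices:
        bits = (bits << WORD_BITS) | idx
    bits <<= ADDR_BYTES * 8 - WORD_BITS * len(indices)   # left-align, zero-pad
    return "0x" + bits.to_bytes(ADDR_BYTES, "big").hex()


def decode_packed_mnemonic(addr: str) -> Optional[List[int]]:
    """Return the 12 word indices if addr is a checksum-valid packed mnemonic
    under the assumed layout, else None. The zero-padding requirement makes a
    chance hit on a random address negligible."""
    hexstr = addr[2:] if addr.startswith("0x") else addr
    if len(hexstr) != ADDR_BYTES * 2:
        return None
    try:
        raw = int(hexstr, 16)
    except ValueError:
        return None
    pad = ADDR_BYTES * 8 - WORD_BITS * WORDS
    if raw & ((1 << pad) - 1):          # padding bits must be zero
        return None
    bits = raw >> pad
    entropy = (bits >> 4).to_bytes(16, "big")
    if hashlib.sha256(entropy).digest()[0] >> 4 != bits & 0xF:
        return None                     # BIP-39 checksum does not match
    return [(bits >> (WORD_BITS * (WORDS - 1 - i))) & 0x7FF for i in range(WORDS)]


def flag_transfers(transfers: List[dict]) -> List[dict]:
    """Keep transfers whose recipient decodes; in this campaign those are the
    0.000001 SUI dust payments sent from the attacker-controlled wallet."""
    return [t for t in transfers if decode_packed_mnemonic(t["to"]) is not None]
```

A hit on a single address is a lead to correlate with the sending wallet and the dust amount, not proof on its own.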

The threat proves especially dangerous because the extension appears legitimate on the Chrome Web Store. Users searching for Ethereum wallets find it listed as the fourth result alongside trusted alternatives like MetaMask and Enkrypt, lending it false credibility.

Once a victim installs the extension and imports their wallet, the attacker gains access to all derived Ethereum private keys and can transfer all assets to their own addresses, resulting in complete financial compromise.
