Chrome Extension Threat Enables Full Ethereum Wallet Compromise

Socket’s Threat Research Team has uncovered a malicious Chrome extension, Safery: Ethereum Wallet, that secretly exfiltrates user seed phrases using blockchain transactions on the Sui network.

Published on November 12, 2024, the extension masquerades as a simple and secure Ethereum (ETH) wallet but hides a sophisticated backdoor that can reconstruct victims’ mnemonics and compromise their assets.

Marketed with claims of privacy and device‑side key storage, the extension presents itself as a legitimate Ethereum wallet.

It allows users to create or import accounts, check balances via public RPC endpoints, and send ETH via interfaces similar to those of popular wallets like MetaMask and Enkrypt. However, deeper analysis by Socket AI Scanner reveals covert data exfiltration occurring during wallet setup.

A Covert Blockchain‑Based Exfiltration Technique

When a user imports or creates a wallet, Safery: Ethereum Wallet encodes the BIP‑39 mnemonic into one or two synthetic Sui‑style addresses. The extension loads a standard word list, converts each phrase word into its corresponding index, and packs these indices into a hexadecimal string.

This string is then padded and prefixed with “0x,” forming addresses that appear valid on the Sui blockchain.

[Figure: The Chrome Web Store page for Safery]

Each time this process runs, the extension broadcasts tiny 0.000001 SUI transactions using a hardcoded threat‑actor mnemonic, decoded from a Base64 string within the JavaScript source. The attacker’s wallet sends these microtransactions to the encoded recipient addresses.

Because the destination fields carry the embedded mnemonic data, the attacker can later read those transactions back from the chain and decode the recipient addresses to recover the victim’s seed phrase exactly.

No HTTP traffic or command‑and‑control (C2) servers are involved; exfiltration occurs entirely on-chain, disguised within normal‑looking blockchain activity. This approach enables persistence and evasion across RPC endpoints, making conventional detection methods based on network traffic or domain analysis ineffective.
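The encoding described above (word index to packed hex, padded and prefixed with “0x”) also gives defenders something concrete to look for. The following detector is an added example written for this article; it is not Socket’s scanner nor any code from the extension. It assumes details the write-up does not state: each word index is stored as an 11-bit big-endian field, the fields are concatenated in phrase order, the bit string is right-padded with zero bits to 32-byte addresses, and a 12-word phrase fits in one address while a 24-word phrase spills into two. Under those assumptions a recipient address that decodes to BIP‑39 indices, has an all-zero tail, and passes the BIP‑39 checksum is a strong signal, since a genuinely random 32-byte address almost never has over a hundred trailing zero bits. The `build_fixture` helper exists only to construct a known-positive input for the test; the entropy values it is fed are constructed, not from the page.

```python
"""Flag Sui-style recipient addresses that look like packed BIP-39 mnemonics.

Assumptions (not stated in the article): 11-bit big-endian word indices,
concatenated in phrase order, zero-padded to 32-byte addresses, 12 words in
one address or 24 words across two consecutive addresses.
"""
import hashlib

WORDLIST_SIZE = 2048      # BIP-39 English word list has 2048 entries -> 11 bits per index
BITS_PER_INDEX = 11
ADDRESS_HEX_LEN = 64      # 32-byte Sui-style address, hex without the 0x prefix


def hex_to_bits(addr_hex):
    """Strip the 0x prefix and return the address as a 256-character bit string."""
    h = addr_hex[2:] if addr_hex.lower().startswith("0x") else addr_hex
    if len(h) != ADDRESS_HEX_LEN or any(c not in "0123456789abcdefABCDEF" for c in h):
        raise ValueError("not a 32-byte hex address")
    return "".join(f"{int(c, 16):04b}" for c in h)


def unpack_indices(addresses, word_count):
    """Split the concatenated address bits into word indices; return (indices, leftover bits)."""
    bits = "".join(hex_to_bits(a) for a in addresses)
    used = word_count * BITS_PER_INDEX
    if used > len(bits):
        raise ValueError("phrase does not fit in the supplied addresses")
    payload, padding = bits[:used], bits[used:]
    indices = [int(payload[i:i + BITS_PER_INDEX], 2) for i in range(0, used, BITS_PER_INDEX)]
    return indices, padding


def checksum_valid(indices):
    """BIP-39 checksum: the last ENT/32 bits must equal the first ENT/32 bits of SHA256(entropy)."""
    total = len(indices) * BITS_PER_INDEX
    cs_len = total // 33                  # 132 bits -> 4, 264 bits -> 8
    ent_len = total - cs_len
    bits = "".join(f"{i:011b}" for i in indices)
    entropy = int(bits[:ent_len], 2).to_bytes(ent_len // 8, "big")
    expected = "".join(f"{b:08b}" for b in hashlib.sha256(entropy).digest())[:cs_len]
    return bits[ent_len:] == expected


def looks_like_encoded_mnemonic(addresses, word_count):
    """True when the addresses decode cleanly to a checksum-valid phrase with only zero padding."""
    try:
        indices, padding = unpack_indices(addresses, word_count)
    except ValueError:
        return False
    if padding.strip("0"):                # any set bit in the unused tail -> ordinary address
        return False
    if any(i >= WORDLIST_SIZE for i in indices):   # cannot happen with 11-bit fields, kept for clarity
        return False
    return checksum_valid(indices)


def scan_recipients(recipients):
    """Scan a transaction recipient list; return (position, word_count) for every hit."""
    hits = []
    for i, addr in enumerate(recipients):
        if looks_like_encoded_mnemonic([addr], 12):
            hits.append((i, 12))
        if i + 1 < len(recipients) and looks_like_encoded_mnemonic(recipients[i:i + 2], 24):
            hits.append((i, 24))
    return hits


def build_fixture(entropy):
    """Test fixture only (constructed): derive the BIP-39 indices for `entropy` and pack
    them under the assumptions above so the detector has a known-positive input."""
    ent_bits = "".join(f"{b:08b}" for b in entropy)
    cs_len = len(entropy) * 8 // 32
    cs_bits = "".join(f"{b:08b}" for b in hashlib.sha256(entropy).digest())[:cs_len]
    bits = ent_bits + cs_bits
    indices = [int(bits[i:i + BITS_PER_INDEX], 2) for i in range(0, len(bits), BITS_PER_INDEX)]
    addr_bits = ADDRESS_HEX_LEN * 4
    n_addr = -(-len(bits) // addr_bits)   # ceiling division: 1 address for 12 words, 2 for 24
    packed = bits.ljust(n_addr * addr_bits, "0")
    hexstr = "".join(f"{int(packed[i:i + 4], 2):x}" for i in range(0, len(packed), 4))
    addresses = ["0x" + hexstr[i:i + ADDRESS_HEX_LEN] for i in range(0, len(hexstr), ADDRESS_HEX_LEN)]
    return addresses, indices


if __name__ == "__main__":
    twelve, _ = build_fixture(bytes(range(16)))       # constructed 128-bit entropy
    twenty_four, _ = build_fixture(bytes(range(32)))  # constructed 256-bit entropy
    benign = "0x" + "ab" * 32                          # constructed ordinary-looking address
    print(scan_recipients([benign, twelve[0], benign] + twenty_four))
```

Mapping recovered indices back to words needs the standard English word list, which is deliberately not embedded here; for triage it is enough to know that an extension's outbound transactions carry checksum-valid phrase material in their recipient fields. In practice the scan would run over the recipient addresses of transactions an extension submits through any RPC endpoint, which is the behaviour the write-up singles out.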

Risks, Impact, and Defensive Measures

With a recovered mnemonic, attackers can instantly duplicate user wallets, derive Ethereum private keys, and transfer assets without user awareness. The malicious extension remains live on the Chrome Web Store at the time of discovery; Socket has submitted a takedown request to Google.

Security experts advise installing browser wallets only from verified publishers and monitoring extensions for suspicious blockchain calls. Unpack and inspect any extension that writes to the chain during wallet creation, embeds a hardcoded seed phrase, or contains mnemonic‑encoding logic.

Socket recommends integrating its Chrome extension protection platform to enforce installation allowlists, alert on risky permissions, and detect hidden exfiltration patterns before extensions reach end‑user browsers.


Priya
Priya is a Security Reporter who tracks malware campaigns, exploit kits, and ransomware operations. Her reporting highlights technical indicators and attack patterns that matter to defenders.
