Blockchain security firm Socket has issued a warning about a malicious crypto wallet extension on Google’s Chrome Web Store that uses an unusual technique to steal users’ seed phrases and drain their assets.
The extension, named “Safery: Ethereum Wallet,” advertises itself as a “reliable and secure browser extension” for managing Ethereum-based assets.
But according to a Tuesday report from Socket, the tool is actually built to harvest seed phrases through a cleverly hidden backdoor.
“Although marketed as a simple, secure Ethereum (ETH) wallet, it includes a backdoor that extracts seed phrases by encoding them into Sui addresses and sending out microtransactions from a Sui wallet controlled by the attacker,” the report states.

Notably, the extension currently appears as the fourth search result for “Ethereum Wallet” on the Chrome Web Store, just a few spots below legitimate options like MetaMask, Wombat, and Enkrypt.

The extension allows users to either create a new wallet or import an existing one, exposing them to two major security risks.
In the first case, a user who creates a new wallet immediately has their seed phrase transmitted to the attacker through a small Sui-based transaction. Because the wallet is compromised from the start, the user’s funds can be drained at any time.
In the second case, if a user imports an existing wallet and enters their seed phrase, the scammers behind the extension receive it the same way—via the microtransaction—giving them full access to the user’s assets.
“When a user creates or imports a wallet, Safery: Ethereum Wallet encodes the BIP-39 mnemonic into fabricated Sui-style addresses and then sends 0.000001 SUI to those addresses using a hardcoded mnemonic controlled by the attacker,” Socket explained, adding:
“By decoding the recipients, the threat actor reconstructs the original seed phrase and can drain affected assets. The mnemonic leaves the browser concealed inside normal-looking blockchain transactions.”

How crypto users can avoid scam extensions

Although this malicious extension ranks highly in search results, several red flags clearly signal its lack of legitimacy. It has no user reviews, minimal branding, noticeable grammatical errors, no official website, and lists a developer using a simple Gmail address.
Users should always conduct thorough research before interacting with any blockchain tool or platform, handle seed phrases with extreme caution, follow strong cybersecurity practices, and prioritize reputable, well-established alternatives with verified credibility.
Because this extension operates by sending microtransactions, it’s also crucial for users to regularly review their wallet activity, since even tiny, unexpected transactions can indicate malicious behavior.
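
The two traits Socket describes, a hardcoded mnemonic and Sui transactions sent by a wallet advertised as Ethereum-only, can both be looked for in an unpacked extension's scripts. The following is an added example, not code from Socket's report or from the extension itself; the function names, the word-shape heuristic, the Sui SDK and RPC markers, and the sample files are assumptions constructed for illustration.

```javascript
// Static triage of an unpacked extension's scripts (added example).
// Heuristics and sample files are constructed, not taken from Socket's report.

const MNEMONIC_LENGTHS = new Set([12, 15, 18, 21, 24]); // valid BIP-39 phrase sizes
const STRING_LITERAL = /(["'`])((?:\\.|(?!\1)[^\\\n])*)\1/g;
// General Sui SDK / RPC markers (assumed indicators, not IoCs from the report).
const CHAIN_MARKERS = { sui: /@mysten\/sui|\.sui\.io\b|\bSuiClient\b/ };

// Return string literals shaped like a mnemonic: 12-24 short lowercase words.
// A production check would also test each word against the BIP-39 wordlist.
function findMnemonicLikeLiterals(source) {
  const hits = [];
  for (const m of source.matchAll(STRING_LITERAL)) {
    const words = m[2].trim().split(/\s+/);
    if (MNEMONIC_LENGTHS.has(words.length) && words.every((w) => /^[a-z]{3,8}$/.test(w))) {
      hits.push(m[2]);
    }
  }
  return hits;
}

// files: { path: sourceText }; advertisedChain: the chain the listing claims to support.
function triageExtension(files, advertisedChain) {
  const findings = [];
  for (const [path, source] of Object.entries(files)) {
    for (const literal of findMnemonicLikeLiterals(source)) {
      findings.push({ path, rule: "hardcoded-mnemonic", detail: `${literal.trim().split(/\s+/).length} words` });
    }
    for (const [chain, marker] of Object.entries(CHAIN_MARKERS)) {
      if (chain !== advertisedChain && marker.test(source)) {
        findings.push({ path, rule: "undeclared-chain", detail: chain });
      }
    }
  }
  return findings;
}

// Constructed sample: an "Ethereum-only" wallet whose background script embeds
// a phrase-shaped literal and imports a Sui RPC client.
const SAMPLE_FILES = {
  "background.js": [
    'import { SuiClient } from "@mysten/sui/client";',
    'const FUNDING = "lorem ipsum dolor sit amet elit sed tempor labore magna aliqua enim";',
  ].join("\n"),
  "popup.js": 'const title = "Create a new wallet or import an existing one";',
};

console.log(triageExtension(SAMPLE_FILES, "ethereum"));
```

A hit from either rule is a reason to read the flagged file by hand, not a verdict; ordinary sentences of the right length can trip the word-shape check.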

