The Socket Threat Research Team has uncovered a highly sophisticated malicious Chrome extension posing as an Ethereum wallet, capable of silently stealing seed phrases and draining users’ cryptocurrency by hiding exfiltration inside normal-looking Sui blockchain transactions.
The extension — Safery: Ethereum Wallet — was live on the Chrome Web Store at the time of Socket’s investigation and appeared prominently in search results alongside legitimate products such as MetaMask and Enkrypt.
The extension’s Web Store listing presented itself as a trustworthy Ethereum wallet, promising fast transactions, secure key storage, and user-friendly interfaces.
Socket notes:
“Promotional images promise ‘Easy, Fast And Secure Extension’… the privacy disclosure claims the developer collects no user data and keeps private keys on the device.”
To unsuspecting users, the extension behaved like a normal wallet:
- Generated new accounts
- Imported seed phrases
- Queried balances using public Ethereum RPC endpoints
- Displayed recent activity using Etherscan or Ethplorer
- Sent ETH normally via the UI
Its search placement further boosted its credibility:
“When searching ‘Ethereum Wallet’ in the Chrome Web Store, the malicious Safery: Ethereum Wallet extension appears as the fourth result… giving it immediate visibility and a veneer of legitimacy.”
The malicious behavior begins the moment a user creates or imports a wallet. The extension encodes the victim’s BIP-39 seed phrase into synthetic Sui addresses, then sends 0.000001 SUI to those addresses from a hardcoded threat actor wallet.
The attacker-controlled mnemonic is Base64-decoded inside the extension:
“The fromBase64 decodes a hardcoded Base64 string into a twelve word mnemonic… for a threat actor-controlled Sui wallet.”
Critically, the exfiltration happens on-chain:
“The mnemonic leaves the browser concealed inside normal looking blockchain transactions.”
No HTTP requests, no C2 servers, no third-party infrastructure — just stealthy microtransactions.
Socket’s reverse engineering sheds light on the encoder/decoder mechanism:
- Each seed word is mapped to its index in the standard BIP-39 dictionary
- The indices are packed into a hex string padded to 64 characters
- The result is treated as a fake Sui address
The threat actor later reads these blockchain transactions and decodes the addresses back into the original seed.
As the report notes:
“For the threat actor, each recipient address encodes the victim mnemonic. Using the same decoder embedded in the extension, the threat actor reconstructs the seed phrase word by word.”
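A defender-side check for the on-chain channel described above, added here as an illustration and not code from Socket's report or from the extension. It assumes one concrete packing that the report does not spell out (each of the 12 word indices written as three hex digits, then zero-padded to 64 hex characters), and it flags dust transfers whose recipient address decodes to an index set that passes the BIP-39 checksum, without ever mapping indices back to words.

```python
import hashlib

WORDS, INDEX_BITS, ENTROPY_BITS = 12, 11, 128
CHECKSUM_BITS = WORDS * INDEX_BITS - ENTROPY_BITS  # 4 checksum bits for a 12-word phrase
HEX_PER_INDEX = 3   # assumption: each index 0..2047 written as three hex digits
DUST_SUI = 0.00001  # the report's transfers carry 0.000001 SUI

def decode_indices(address: str):
    """Assumed packing: 12 three-hex-digit indices, zero-padded to 64 hex chars; None if not."""
    hexpart = address[2:] if address.startswith("0x") else address
    if len(hexpart) != 64:
        return None
    payload, padding = hexpart[:WORDS * HEX_PER_INDEX], hexpart[WORDS * HEX_PER_INDEX:]
    if padding.strip("0"):  # anything but zeros in the padding region rules it out
        return None
    indices = [int(payload[i:i + HEX_PER_INDEX], 16) for i in range(0, len(payload), HEX_PER_INDEX)]
    return indices if all(i < 2 ** INDEX_BITS for i in indices) else None

def checksum_valid(indices) -> bool:
    """BIP-39 check on indices alone: last 4 bits must equal the top 4 bits of SHA-256(entropy)."""
    bits = "".join(format(i, f"0{INDEX_BITS}b") for i in indices)
    entropy = int(bits[:ENTROPY_BITS], 2).to_bytes(ENTROPY_BITS // 8, "big")
    expected = format(hashlib.sha256(entropy).digest()[0], "08b")[:CHECKSUM_BITS]
    return bits[ENTROPY_BITS:] == expected

def flag_suspicious(transfers):
    """Return digests of dust transfers whose recipient decodes to a checksum-valid index set."""
    flagged = []
    for tx in transfers:
        if tx["amount"] > DUST_SUI:
            continue
        indices = decode_indices(tx["to"])
        if indices is not None and checksum_valid(indices):
            flagged.append(tx["digest"])
    return flagged

def indices_from_entropy(entropy: bytes):
    """Standard BIP-39 split of entropy||checksum into 11-bit indices; used only to build test data."""
    csum = format(hashlib.sha256(entropy).digest()[0], "08b")[:CHECKSUM_BITS]
    bits = "".join(format(b, "08b") for b in entropy) + csum
    return [int(bits[i:i + INDEX_BITS], 2) for i in range(0, len(bits), INDEX_BITS)]

# Constructed sample data: throwaway entropy, never a real wallet; digests are placeholders.
SAMPLE_INDICES = indices_from_entropy(bytes(range(16)))
SAMPLE_ADDRESS = "0x" + "".join(f"{i:0{HEX_PER_INDEX}x}" for i in SAMPLE_INDICES).ljust(64, "0")
SAMPLE_TRANSFERS = [
    {"digest": "tx-1", "to": SAMPLE_ADDRESS, "amount": 0.000001},   # dust + decodable: flag
    {"digest": "tx-2", "to": "0x" + "ab" * 32, "amount": 0.000001},  # dust but not a payload
    {"digest": "tx-3", "to": SAMPLE_ADDRESS, "amount": 5.0},         # decodable but not dust
]
```

A random 64-hex address almost never passes the padding and index-range checks, and the 4-bit checksum cuts the remainder by a further factor of 16, so the heuristic is usable over a wallet's outgoing dust transfers once the packing is confirmed from the extension's own code.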
Unlike typical credential-stealing malware, Safery avoids anything that might trigger browser warnings or detection systems.
Socket highlights:
“The seed never travels in plaintext over HTTP, and no central command and control (C2) server is required. Exfiltration occurs entirely within normal looking blockchain traffic.”
Socket has already notified Google. However, as of the report’s publication, the extension remained live and downloadable, posing an immediate threat to users seeking lightweight crypto wallets.