
Briefing
The malicious “Safery → Ethereum Wallet” Chrome extension successfully compromised user-side security through a sophisticated supply chain attack, leading to the complete loss of control over imported and newly created wallets. This threat is critical because the extension covertly exfiltrates the user’s seed phrase by encoding it into synthetic Sui addresses and broadcasting microtransactions, a method that evades standard network traffic monitoring. The fraudulent application achieved a dangerous level of visibility, ranking fourth in Chrome Web Store searches for “Ethereum Wallet” alongside legitimate providers.

Context
The prevailing risk in the user-facing Web3 ecosystem remains the lack of due diligence against social engineering and the inherent trust placed in application store listings. This attack surface is exacerbated by the ease with which sophisticated malware can mimic legitimate tools and bypass manual review processes, exploiting the user’s reliance on platform-verified applications. The primary defense layer, the browser environment, is consistently targeted as the weakest link in the chain of custody for private keys.

Analysis
The exploit’s technical core is its on-chain command-and-control (C2) mechanism, which requires no external HTTP communication, thus avoiding typical network-level detection. When a user creates or imports a wallet, the extension’s malicious code encodes the BIP-39 mnemonic into a series of synthetic Sui-style addresses. A hardcoded attacker-controlled wallet then broadcasts minute 0.000001 SUI transactions to these unique recipient addresses. By monitoring the Sui blockchain, the attacker can precisely decode the recipient address data to reconstruct the victim’s full seed phrase, achieving silent, complete wallet compromise.

Parameters
- Vulnerability Class → Supply Chain Attack via Malicious Browser Extension.
- Exfiltration Method → Seed Phrase Encoding into Sui Addresses via Microtransactions.
- Affected Component → User-side Browser Environment and BIP-39 Mnemonic Generation/Import Logic.
- Market Placement → Ranked 4th in Chrome Web Store search results for “Ethereum Wallet,” lending false legitimacy.

Outlook
Immediate mitigation requires all users to audit their browser extensions and immediately migrate assets from any wallet created or imported via unverified sources. This incident establishes a new best practice for security auditing → a requirement to scan all client-side code for mnemonic encoders and hidden on-chain exfiltration logic, specifically targeting multi-chain address generation and microtransaction broadcasting. The industry must now address the systemic risk of malicious supply chain attacks via major app stores.

Verdict
This novel on-chain exfiltration technique represents a critical evolution in wallet-draining malware, confirming that the user’s browser environment is the most vulnerable frontier in digital asset security.
