
Briefing

A malicious Chrome extension, masquerading as a legitimate Ethereum wallet, was discovered to be actively stealing user seed phrases, resulting in the full compromise and potential draining of all derived digital assets. This incident represents a significant escalation in supply chain attacks, as the threat actor utilized a novel, covert exfiltration method that bypasses traditional network monitoring. The core technical innovation involves encoding the victim’s mnemonic into synthetic Sui blockchain addresses and broadcasting the data via tiny 0.000001 SUI microtransactions, eliminating the need for a detectable command-and-control server.


Context

The prevailing attack surface for individual users remains the browser endpoint, where trust is often misapplied to extensions vetted by app store processes. This incident leverages the known risk of supply chain compromise, where seemingly innocuous software is injected with a malicious payload. Previously, seed phrase theft relied on plaintext HTTP exfiltration or centralized C2 infrastructure, both of which are easily flagged by security tools.


Analysis

The attack vector is a malicious browser extension that executes a complex, multi-chain data smuggling operation upon wallet creation or import. The extension first extracts the user’s BIP-39 mnemonic and converts it into numeric indices, which are then packed into a hexadecimal string. This string is formatted as one or two synthetic Sui-style addresses, effectively embedding the seed phrase into the recipient field.

A hardcoded attacker-controlled wallet then initiates a microtransaction of 0.000001 SUI to these encoded addresses, using the Sui blockchain as a covert, decentralized data channel. The attacker simply monitors the Sui network for these microtransactions, decodes the recipient addresses back to the original seed phrase, and initiates a full wallet drain.
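As an added example (not code from the report or from the analysed extension), the following Python triage heuristic applies the two observable traits the analysis describes, the 0.000001 SUI beacon value and recipient addresses that decode as a valid BIP-39 index stream, to a constructed set of transfer records. The bit layout (11-bit indices, left-aligned and zero-padded across one or two addresses) is an assumption, since the page does not give it; the checksum test needs no wordlist because BIP-39's checksum is derived from the entropy bits the indices carry.

```python
"""Triage heuristic for mnemonics smuggled in Sui recipient addresses (assumed layout)."""
import hashlib

MIST_PER_SUI = 10**9
BEACON_MIST = 1_000            # 0.000001 SUI, the transfer value quoted in the briefing
WORD_COUNTS = (12, 24)         # common wallet sizes; each BIP-39 index is 11 bits


def address_bits(addr: str) -> str:
    """Sui address (0x + 64 hex chars) -> 256-character bit string."""
    raw = addr[2:] if addr.startswith("0x") else addr
    return bin(int(raw, 16))[2:].zfill(len(raw) * 4)


def bip39_checksum_ok(bits: str) -> bool:
    """True if `bits` (11 * words long) is entropy||checksum as BIP-39 defines it:
    the checksum is the first ENT/32 bits of SHA-256(entropy)."""
    ent = len(bits) * 32 // 33
    entropy = int(bits[:ent], 2).to_bytes(ent // 8, "big")
    digest = bin(int.from_bytes(hashlib.sha256(entropy).digest(), "big"))[2:].zfill(256)
    return bits[ent:] == digest[: ent // 32]


def recipients_hide_mnemonic(recipients: list[str]) -> bool:
    """Concatenate recipient bits (one or two addresses) and try each assumed word count."""
    bits = "".join(address_bits(a) for a in recipients)
    return any(len(bits) >= 11 * n and bip39_checksum_ok(bits[: 11 * n]) for n in WORD_COUNTS)


def flag_beacon_transactions(txs: list[dict]) -> list[str]:
    """Digests of transfers that carry the beacon value AND decode as a mnemonic.
    A random address passes the 12-word checksum 1 time in 16, so decoding alone
    must never alert; the amount filter (and, in practice, recipient novelty) does the work."""
    return [tx["digest"] for tx in txs
            if tx["amount_mist"] == BEACON_MIST and recipients_hide_mnemonic(tx["recipients"])]


def build_sample_txs() -> list[dict]:
    """Constructed fixture: one 12-word smuggle built from fixed, obviously fake entropy,
    one beacon-value transfer to the zero address, one normal 5 SUI payment."""
    entropy = bytes.fromhex("00112233445566778899aabbccddeeff")
    ent_bits = bin(int.from_bytes(entropy, "big"))[2:].zfill(128)
    check = bin(int.from_bytes(hashlib.sha256(entropy).digest(), "big"))[2:].zfill(256)[:4]
    smuggled = "0x" + f"{int((ent_bits + check).ljust(256, '0'), 2):064x}"
    return [
        {"digest": "constructed-tx-1", "amount_mist": BEACON_MIST, "recipients": [smuggled]},
        {"digest": "constructed-tx-2", "amount_mist": BEACON_MIST, "recipients": ["0x" + "00" * 32]},
        {"digest": "constructed-tx-3", "amount_mist": 5 * MIST_PER_SUI, "recipients": [smuggled]},
    ]
```

Only the first record is flagged: the second fails the checksum, the third fails the amount filter even though its recipient decodes.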


Parameters

  • Exfiltration Transaction Value: 0.000001 SUI – The minimal transaction amount used to broadcast the encoded seed phrase data on the Sui blockchain.
  • Data Encoding Standard: BIP-39 Mnemonic – The standard word list utilized by the malware to convert the human-readable seed phrase into numeric indices for address encoding.
  • Affected Asset Consequence: Full Wallet Takeover – The ultimate consequence for any user who imported a wallet, leading to the loss of all derived assets across all chains.


Outlook

Immediate mitigation requires users who installed the “Safery: Ethereum Wallet” extension to remove it, move all assets to a new, clean wallet, and revoke all active smart contract approvals from the compromised address. The strategic takeaway for the ecosystem is the confirmation of the “blockchain-as-C2” threat model, where public ledgers are weaponized for stealthy data exfiltration. This new evasion technique mandates a shift in security best practices, requiring a greater emphasis on static and dynamic analysis of browser extension code to detect mnemonic encoding logic, synthetic address generation, and unauthorized cross-chain RPC calls.

This incident establishes a new, highly evasive pattern for user-side compromise, demonstrating that the threat frontier has shifted from contract logic flaws to sophisticated, cross-chain endpoint malware.

Signal Acquired from: thehackernews.com
