Security

Malicious Chrome Extension Steals Seed Phrases via Covert Sui Transactions

A high-ranking malicious wallet extension weaponized the Sui blockchain to covertly exfiltrate user mnemonics, bypassing traditional network monitoring.
November 15, 20253 min

A sleek, rectangular device, crafted from polished silver-toned metal and dark accents, features a transparent upper surface revealing an intricate internal mechanism glowing with electric blue light. Visible gears and precise components suggest advanced engineering within this high-tech enclosure
A highly detailed close-up reveals a sleek, metallic blue and silver mechanical device, featuring a prominent lens-like component and intricate internal structures. White, frothy foam actively surrounds and interacts with the central mechanism, suggesting a dynamic operational process within the unit

Briefing

The malicious “Safery → Ethereum Wallet” Chrome extension successfully compromised user-side security through a sophisticated supply chain attack, leading to the complete loss of control over imported and newly created wallets. This threat is critical because the extension covertly exfiltrates the user’s seed phrase by encoding it into synthetic Sui addresses and broadcasting microtransactions, a method that evades standard network traffic monitoring. The fraudulent application achieved a dangerous level of visibility, ranking fourth in Chrome Web Store searches for “Ethereum Wallet” alongside legitimate providers.

The intricate design showcases a futuristic device with a central, translucent blue optical component, surrounded by polished metallic surfaces and subtle dark blue accents. A small orange button is visible, hinting at interactive functionality within its complex architecture

Context

The prevailing risk in the user-facing Web3 ecosystem remains the lack of due diligence against social engineering and the inherent trust placed in application store listings. This attack surface is exacerbated by the ease with which sophisticated malware can mimic legitimate tools and bypass manual review processes, exploiting the user’s reliance on platform-verified applications. The primary defense layer, the browser environment, is consistently targeted as the weakest link in the chain of custody for private keys.

A close-up view reveals a polished, metallic object, possibly a hardware wallet, partially encased within a vibrant blue, translucent framework. The entire structure is visibly covered in a layer of white frost, creating a striking contrast and suggesting extreme cold

Analysis

The exploit’s technical core is its on-chain command-and-control (C2) mechanism, which requires no external HTTP communication, thus avoiding typical network-level detection. When a user creates or imports a wallet, the extension’s malicious code encodes the BIP-39 mnemonic into a series of synthetic Sui-style addresses. A hardcoded attacker-controlled wallet then broadcasts minute 0.000001 SUI transactions to these unique recipient addresses. By monitoring the Sui blockchain, the attacker can precisely decode the recipient address data to reconstruct the victim’s full seed phrase, achieving silent, complete wallet compromise.

A smooth, white sphere is embedded within a dense, spiky field of bright blue crystals and frosted white structures, all set against a backdrop of dark, metallic, circuit-like platforms. This scene visually represents the core of a digital asset or a key data point within a decentralized system, perhaps akin to a seed phrase or a critical smart contract parameter

Parameters

  • Vulnerability Class → Supply Chain Attack via Malicious Browser Extension.
  • Exfiltration MethodSeed Phrase Encoding into Sui Addresses via Microtransactions.
  • Affected Component → User-side Browser Environment and BIP-39 Mnemonic Generation/Import Logic.
  • Market Placement → Ranked 4th in Chrome Web Store search results for “Ethereum Wallet,” lending false legitimacy.

A sophisticated, transparent blue and metallic device features a central white, textured spherical component precisely engaged by a fine transparent tube. Visible through the clear casing are intricate internal mechanisms, highlighting advanced engineering

Outlook

Immediate mitigation requires all users to audit their browser extensions and immediately migrate assets from any wallet created or imported via unverified sources. This incident establishes a new best practice for security auditing → a requirement to scan all client-side code for mnemonic encoders and hidden on-chain exfiltration logic, specifically targeting multi-chain address generation and microtransaction broadcasting. The industry must now address the systemic risk of malicious supply chain attacks via major app stores.

A high-resolution, abstract rendering showcases a central, metallic lens-like mechanism surrounded by swirling, translucent blue liquid and structured conduits. This intricate core is enveloped by a thick, frothy layer of white bubbles, creating a dynamic visual contrast

Verdict

This novel on-chain exfiltration technique represents a critical evolution in wallet-draining malware, confirming that the user’s browser environment is the most vulnerable frontier in digital asset security.

Browser extension, seed phrase theft, mnemonic exfiltration, supply chain attack, social engineering, microtransaction data, on-chain C2, BIP-39 encoding, wallet compromise, digital asset security, Chrome Web Store, fraudulent application, web3 security, user-side vulnerability, Sui network addresses, micro transaction, covert data leak, asset drainage Signal Acquired from → thehackernews.com

Micro Crypto News Feeds

supply chain attack

Definition ∞ A supply chain attack targets the software or hardware supply chain of a digital asset service or platform.

social engineering

Definition ∞ Social engineering is a non-technical method of influencing people to give up confidential information or perform actions that benefit the attacker.

wallet compromise

Definition ∞ A wallet compromise signifies a security breach where an unauthorized party gains access to a user's private keys or recovery phrases.

browser extension

Definition ∞ A browser extension is a small software program that adds specific features to a web browser.

seed phrase

Definition ∞ A seed phrase is a sequence of words that grants access to a cryptocurrency wallet and its associated digital assets.

ethereum

Definition ∞ Ethereum is a decentralized, open-source blockchain system that facilitates the creation and execution of smart contracts and decentralized applications (dApps).

supply chain

Definition ∞ A supply chain is the network of all the individuals, companies, resources, activities, and technologies involved in the creation and sale of a product, from the delivery of source materials from the supplier to the manufacturer, through to its eventual sale to the end consumer.

digital asset security

Definition ∞ Digital Asset Security refers to the measures and protocols implemented to protect digital assets from theft, loss, or unauthorized alteration.

Tags:

Tags: