Security

Malicious Wallet Extension Steals Seed Phrases via Covert Sui Microtransactions

A malicious browser extension covertly exfiltrates user seed phrases by encoding them into negligible Sui microtransactions, enabling silent, total asset compromise.
November 16, 20253 min

The close-up perspective reveals a series of metallic gears and sprockets, gleaming under focused light, with dynamic streams of translucent blue liquid or energy flowing between and around them. The composition emphasizes intricate mechanical interplay and fluid movement against a soft, gradient background
The image presents a close-up of a futuristic device featuring a translucent casing over a dynamic blue internal structure. A central, brushed metallic button is precisely integrated into the surface

Briefing

A sophisticated supply chain attack identifies a malicious Chrome extension, “Safery → Ethereum Wallet,” covertly stealing users’ private keys upon wallet creation or import. The primary consequence is the total, non-custodial compromise of all assets tied to the victim’s mnemonic, making the threat actor’s access persistent and undetectable by standard transaction monitoring. The exploit’s most critical technical detail is the encoding of the BIP-39 mnemonic into synthetic Sui addresses, which are then exfiltrated via a microtransaction of only 0.000001 SUI. This technique bypasses traditional security alerts and provides the attacker with full, perpetual control over the victim’s funds.

A central, white toroidal shape intersects a cluster of blue, crystalline structures, surrounded by luminous white spheres encased in transparent, faceted shells. This abstract representation visualizes a sophisticated cryptographic nexus, likely symbolizing the core architecture of a decentralized ledger technology DLT or a distributed autonomous organization DAO

Context

The prevailing risk for individual users remains social engineering and supply chain attacks targeting the endpoint, which consistently bypass the security layers of audited smart contracts. This vulnerability class leverages the trust users place in official application stores, a known weak point that offers a high-leverage entry for threat actors. The attacker’s strategy capitalizes on the human factor, which remains the weakest link in the digital asset security chain, especially when dealing with initial wallet setup and key management.

A vibrant blue spherical core, segmented by metallic lines, radiates intense internal energy resembling a decentralized data stream or transaction flow. This blockchain core is partially enveloped by soft, white, organic-like structures, symbolizing protocol layers and network security

Analysis

The attack targets the user’s endpoint, specifically the wallet creation or import process within the malicious browser extension. When a user inputs their seed phrase, the extension does not simply store it locally but executes a covert data exfiltration routine. The mnemonic is segmented and encoded into the destination addresses of a tiny, seemingly harmless 0.000001 SUI transaction. This on-chain broadcast allows the attacker to decode the fragments and reconstruct the user’s full seed phrase, granting them persistent, full access to drain the wallet at any time without the need for further interaction.

A high-tech, dark blue device showcases a prominent central brushed metal button and a smaller button on its left. A glowing blue circuit board pattern is visible beneath a transparent layer, with a translucent, wavy data stream flowing over the central button

Parameters

  • Covert Transaction Value → 0.000001 SUI – The negligible transaction amount used to exfiltrate the encoded seed phrase data on-chain.
  • Compromised Data → BIP-39 Mnemonic Seed Phrase – The master key to all assets in the affected wallet.
  • Attack Vector → Malicious Browser Extension – The software vector used to inject the data exfiltration logic into the user’s workflow.
  • Targeted Chain → Sui Blockchain – The network used to broadcast the covert data exfiltration transaction.

The image displays an intricate assembly of polished silver-toned rings, dark blue plastic connectors, and numerous thin metallic wires. These elements are tightly interwoven, creating a dense, technical composition against a blurred blue background, highlighting precision engineering

Outlook

Users must immediately revoke all approvals and transfer assets from any wallet created or imported using this or similar unverified extensions, assuming total compromise. This incident underscores the urgent need for new security standards mandating multi-signature or hardware wallet usage even for small-value accounts, as well as a zero-trust policy toward all browser-based wallet software. The industry must develop better automated methods to detect seed phrase exfiltration patterns disguised as negligible on-chain activity, as this vector is highly scalable.

A polished metallic square plate, featuring a prominent layered circular component, is securely encased within a translucent, wavy, blue-tinted material. The device's sleek, futuristic design suggests advanced technological integration

Verdict

This novel seed phrase encoding technique represents a critical escalation in individual endpoint supply chain attacks, bypassing traditional detection and necessitating a complete re-evaluation of user wallet security hygiene.

digital asset security, software supply chain, key management, non-custodial risk, wallet vulnerability, mnemonic phrase, on-chain forensics, threat intelligence, data exfiltration, user education, asset recovery, security audit, code review, protocol resilience, attack surface, risk mitigation, operational security, incident response, threat actor tactics, cyber espionage Signal Acquired from → binance.com

Micro Crypto News Feeds

supply chain attack

Definition ∞ A supply chain attack targets the software or hardware supply chain of a digital asset service or platform.

digital asset security

Definition ∞ Digital Asset Security refers to the measures and protocols implemented to protect digital assets from theft, loss, or unauthorized alteration.

browser extension

Definition ∞ A browser extension is a small software program that adds specific features to a web browser.

seed phrase

Definition ∞ A seed phrase is a sequence of words that grants access to a cryptocurrency wallet and its associated digital assets.

assets

Definition ∞ A digital asset represents a unit of value recorded on a blockchain or similar distributed ledger technology.

data exfiltration

Definition ∞ Data Exfiltration is the unauthorized transfer of data from a computer system or network to an external location.

transaction

Definition ∞ A transaction is a record of the movement of digital assets or the execution of a smart contract on a blockchain.

compromise

Definition ∞ A 'compromise' in the digital asset space refers to an agreement reached between differing parties, often involving concessions on key points.

supply chain

Definition ∞ A supply chain is the network of all the individuals, companies, resources, activities, and technologies involved in the creation and sale of a product, from the delivery of source materials from the supplier to the manufacturer, through to its eventual sale to the end consumer.

Tags:

Tags: