Security

Malicious Wallet Extension Steals Seed Phrases via Covert Sui Microtransactions

A malicious browser extension covertly exfiltrates user seed phrases by encoding them into negligible Sui microtransactions, enabling silent, total asset compromise.
November 16, 20253 min

A close-up view reveals a high-tech device featuring a silver-grey metallic casing with prominent dark blue internal components and accents. A central, faceted blue translucent element glows brightly, suggesting active processing or energy flow within the intricate machinery
A central white sphere is meticulously held by a complex, metallic framework. This entire assembly is embedded within a textured, blue, ice-like matrix

Briefing

A sophisticated supply chain attack identifies a malicious Chrome extension, “Safery → Ethereum Wallet,” covertly stealing users’ private keys upon wallet creation or import. The primary consequence is the total, non-custodial compromise of all assets tied to the victim’s mnemonic, making the threat actor’s access persistent and undetectable by standard transaction monitoring. The exploit’s most critical technical detail is the encoding of the BIP-39 mnemonic into synthetic Sui addresses, which are then exfiltrated via a microtransaction of only 0.000001 SUI. This technique bypasses traditional security alerts and provides the attacker with full, perpetual control over the victim’s funds.

Two futuristic, cylindrical mechanical components, predominantly white and silver with transparent blue elements, are positioned in close proximity. Bright blue light emanates from the gap between them, forming concentric rings, indicating an active process or data flow

Context

The prevailing risk for individual users remains social engineering and supply chain attacks targeting the endpoint, which consistently bypass the security layers of audited smart contracts. This vulnerability class leverages the trust users place in official application stores, a known weak point that offers a high-leverage entry for threat actors. The attacker’s strategy capitalizes on the human factor, which remains the weakest link in the digital asset security chain, especially when dealing with initial wallet setup and key management.

A transparent blue, possibly resin, housing reveals internal metallic components, including a precision-machined connector and a fine metallic pin extending into the material. This sophisticated assembly suggests a specialized hardware device designed for high-security operations

Analysis

The attack targets the user’s endpoint, specifically the wallet creation or import process within the malicious browser extension. When a user inputs their seed phrase, the extension does not simply store it locally but executes a covert data exfiltration routine. The mnemonic is segmented and encoded into the destination addresses of a tiny, seemingly harmless 0.000001 SUI transaction. This on-chain broadcast allows the attacker to decode the fragments and reconstruct the user’s full seed phrase, granting them persistent, full access to drain the wallet at any time without the need for further interaction.

A cutaway view displays intricate metallic components and blue tiled structures encapsulated within a textured, frothy material. This visual metaphor illustrates a sophisticated blockchain infrastructure, highlighting its internal mechanisms and operational environment

Parameters

  • Covert Transaction Value → 0.000001 SUI – The negligible transaction amount used to exfiltrate the encoded seed phrase data on-chain.
  • Compromised Data → BIP-39 Mnemonic Seed Phrase – The master key to all assets in the affected wallet.
  • Attack Vector → Malicious Browser Extension – The software vector used to inject the data exfiltration logic into the user’s workflow.
  • Targeted Chain → Sui Blockchain – The network used to broadcast the covert data exfiltration transaction.

A metallic, cubic device with transparent blue accents and a white spherical component is partially submerged in a reflective, rippled liquid, while a vibrant blue, textured, frosty substance envelops one side. The object appears to be a sophisticated hardware wallet, designed for ultimate digital asset custody through advanced cold storage mechanisms

Outlook

Users must immediately revoke all approvals and transfer assets from any wallet created or imported using this or similar unverified extensions, assuming total compromise. This incident underscores the urgent need for new security standards mandating multi-signature or hardware wallet usage even for small-value accounts, as well as a zero-trust policy toward all browser-based wallet software. The industry must develop better automated methods to detect seed phrase exfiltration patterns disguised as negligible on-chain activity, as this vector is highly scalable.

The close-up perspective reveals a series of metallic gears and sprockets, gleaming under focused light, with dynamic streams of translucent blue liquid or energy flowing between and around them. The composition emphasizes intricate mechanical interplay and fluid movement against a soft, gradient background

Verdict

This novel seed phrase encoding technique represents a critical escalation in individual endpoint supply chain attacks, bypassing traditional detection and necessitating a complete re-evaluation of user wallet security hygiene.

digital asset security, software supply chain, key management, non-custodial risk, wallet vulnerability, mnemonic phrase, on-chain forensics, threat intelligence, data exfiltration, user education, asset recovery, security audit, code review, protocol resilience, attack surface, risk mitigation, operational security, incident response, threat actor tactics, cyber espionage Signal Acquired from → binance.com

Micro Crypto News Feeds

supply chain attack

Definition ∞ A supply chain attack targets the software or hardware supply chain of a digital asset service or platform.

digital asset security

Definition ∞ Digital Asset Security refers to the measures and protocols implemented to protect digital assets from theft, loss, or unauthorized alteration.

browser extension

Definition ∞ A browser extension is a small software program that adds specific features to a web browser.

seed phrase

Definition ∞ A seed phrase is a sequence of words that grants access to a cryptocurrency wallet and its associated digital assets.

assets

Definition ∞ A digital asset represents a unit of value recorded on a blockchain or similar distributed ledger technology.

data exfiltration

Definition ∞ Data Exfiltration is the unauthorized transfer of data from a computer system or network to an external location.

transaction

Definition ∞ A transaction is a record of the movement of digital assets or the execution of a smart contract on a blockchain.

compromise

Definition ∞ A 'compromise' in the digital asset space refers to an agreement reached between differing parties, often involving concessions on key points.

supply chain

Definition ∞ A supply chain is the network of all the individuals, companies, resources, activities, and technologies involved in the creation and sale of a product, from the delivery of source materials from the supplier to the manufacturer, through to its eventual sale to the end consumer.

Tags:

Tags: