Skip to main content
Security

Malicious Wallet Extension Steals Seed Phrases via Covert Sui Microtransactions

A malicious browser extension covertly exfiltrates user seed phrases by encoding them into negligible Sui microtransactions, enabling silent, total asset compromise.
November 16, 20253 min

A striking blue and white frosted structure, resembling a dynamic splash, stands prominently on a reflective surface, surrounded by scattered granular particles. A small, clear, textured sphere is positioned in the foreground, with a larger, blurred metallic sphere in the background
A sleek, rectangular device, crafted from polished silver-toned metal and dark accents, features a transparent upper surface revealing an intricate internal mechanism glowing with electric blue light. Visible gears and precise components suggest advanced engineering within this high-tech enclosure

Briefing

A sophisticated supply chain attack identifies a malicious Chrome extension, “Safery ∞ Ethereum Wallet,” covertly stealing users’ private keys upon wallet creation or import. The primary consequence is the total, non-custodial compromise of all assets tied to the victim’s mnemonic, making the threat actor’s access persistent and undetectable by standard transaction monitoring. The exploit’s most critical technical detail is the encoding of the BIP-39 mnemonic into synthetic Sui addresses, which are then exfiltrated via a microtransaction of only 0.000001 SUI. This technique bypasses traditional security alerts and provides the attacker with full, perpetual control over the victim’s funds.

A highly detailed render showcases intricate glossy blue and lighter azure bands dynamically interwoven around dark, metallic, rectangular modules. The reflective surfaces and precise engineering convey a sense of advanced technological design and robust construction

Context

The prevailing risk for individual users remains social engineering and supply chain attacks targeting the endpoint, which consistently bypass the security layers of audited smart contracts. This vulnerability class leverages the trust users place in official application stores, a known weak point that offers a high-leverage entry for threat actors. The attacker’s strategy capitalizes on the human factor, which remains the weakest link in the digital asset security chain, especially when dealing with initial wallet setup and key management.

A futuristic white and grey modular device ejects streams of luminous blue material mixed with fine white powder onto a textured, reflective surface. Small, dark blue panels, resembling oracle network components or miniature solar arrays displaying smart contract code, are strategically placed around the central mechanism, hinting at interoperability

Analysis

The attack targets the user’s endpoint, specifically the wallet creation or import process within the malicious browser extension. When a user inputs their seed phrase, the extension does not simply store it locally but executes a covert data exfiltration routine. The mnemonic is segmented and encoded into the destination addresses of a tiny, seemingly harmless 0.000001 SUI transaction. This on-chain broadcast allows the attacker to decode the fragments and reconstruct the user’s full seed phrase, granting them persistent, full access to drain the wallet at any time without the need for further interaction.

The image displays glossy white spheres enveloped by numerous deep blue, faceted crystals. These units are interconnected by smooth white rings and thin white lines featuring small metallic orbs, set against a dark background

Parameters

  • Covert Transaction Value ∞ 0.000001 SUI – The negligible transaction amount used to exfiltrate the encoded seed phrase data on-chain.
  • Compromised Data ∞ BIP-39 Mnemonic Seed Phrase – The master key to all assets in the affected wallet.
  • Attack Vector ∞ Malicious Browser Extension – The software vector used to inject the data exfiltration logic into the user’s workflow.
  • Targeted Chain ∞ Sui Blockchain – The network used to broadcast the covert data exfiltration transaction.

Glistening blue and black geometric crystals are intricately entangled with metallic wires and dark components against a minimalist background. This composition abstractly visualizes the complex architecture of blockchain networks and the foundational cryptographic protocols that secure them

Outlook

Users must immediately revoke all approvals and transfer assets from any wallet created or imported using this or similar unverified extensions, assuming total compromise. This incident underscores the urgent need for new security standards mandating multi-signature or hardware wallet usage even for small-value accounts, as well as a zero-trust policy toward all browser-based wallet software. The industry must develop better automated methods to detect seed phrase exfiltration patterns disguised as negligible on-chain activity, as this vector is highly scalable.

The image showcases a sophisticated, brushed metallic device with a prominent, glowing blue central light, set against a softly blurred background of abstract, translucent forms. A secondary, circular blue-lit component is visible on the device's side, suggesting multiple functional indicators

Verdict

This novel seed phrase encoding technique represents a critical escalation in individual endpoint supply chain attacks, bypassing traditional detection and necessitating a complete re-evaluation of user wallet security hygiene.

digital asset security, software supply chain, key management, non-custodial risk, wallet vulnerability, mnemonic phrase, on-chain forensics, threat intelligence, data exfiltration, user education, asset recovery, security audit, code review, protocol resilience, attack surface, risk mitigation, operational security, incident response, threat actor tactics, cyber espionage Signal Acquired from ∞ binance.com

Micro Crypto News Feeds

supply chain attack

Definition ∞ A supply chain attack targets the software or hardware supply chain of a digital asset service or platform.

digital asset security

Definition ∞ Digital Asset Security refers to the measures and protocols implemented to protect digital assets from theft, loss, or unauthorized alteration.

browser extension

Definition ∞ A browser extension is a small software program that adds specific features to a web browser.

seed phrase

Definition ∞ A seed phrase is a sequence of words that grants access to a cryptocurrency wallet and its associated digital assets.

assets

Definition ∞ A digital asset represents a unit of value recorded on a blockchain or similar distributed ledger technology.

data exfiltration

Definition ∞ Data Exfiltration is the unauthorized transfer of data from a computer system or network to an external location.

transaction

Definition ∞ A transaction is a record of the movement of digital assets or the execution of a smart contract on a blockchain.

compromise

Definition ∞ A 'compromise' in the digital asset space refers to an agreement reached between differing parties, often involving concessions on key points.

supply chain

Definition ∞ A supply chain is the network of all the individuals, companies, resources, activities, and technologies involved in the creation and sale of a product, from the delivery of source materials from the supplier to the manufacturer, through to its eventual sale to the end consumer.

Tags:

Tags: