Security

Malicious Wallet Extension Steals Seed Phrases via Covert Sui Microtransactions

A malicious browser extension covertly exfiltrates user seed phrases by encoding them into negligible Sui microtransactions, enabling silent, total asset compromise.
November 16, 20253 min

A central, white toroidal shape intersects a cluster of blue, crystalline structures, surrounded by luminous white spheres encased in transparent, faceted shells. This abstract representation visualizes a sophisticated cryptographic nexus, likely symbolizing the core architecture of a decentralized ledger technology DLT or a distributed autonomous organization DAO
A metallic, cubic device with transparent blue accents and a white spherical component is partially submerged in a reflective, rippled liquid, while a vibrant blue, textured, frosty substance envelops one side. The object appears to be a sophisticated hardware wallet, designed for ultimate digital asset custody through advanced cold storage mechanisms

Briefing

A sophisticated supply chain attack identifies a malicious Chrome extension, “Safery → Ethereum Wallet,” covertly stealing users’ private keys upon wallet creation or import. The primary consequence is the total, non-custodial compromise of all assets tied to the victim’s mnemonic, making the threat actor’s access persistent and undetectable by standard transaction monitoring. The exploit’s most critical technical detail is the encoding of the BIP-39 mnemonic into synthetic Sui addresses, which are then exfiltrated via a microtransaction of only 0.000001 SUI. This technique bypasses traditional security alerts and provides the attacker with full, perpetual control over the victim’s funds.

A sophisticated, silver-toned modular device, featuring a prominent circular interface with a blue accent and various rectangular inputs, is dynamically positioned amidst a flowing, translucent blue material. The device's sleek, futuristic design suggests advanced technological capabilities, with the blue element appearing to interact with its structure

Context

The prevailing risk for individual users remains social engineering and supply chain attacks targeting the endpoint, which consistently bypass the security layers of audited smart contracts. This vulnerability class leverages the trust users place in official application stores, a known weak point that offers a high-leverage entry for threat actors. The attacker’s strategy capitalizes on the human factor, which remains the weakest link in the digital asset security chain, especially when dealing with initial wallet setup and key management.

A prominent circular metallic button is centrally positioned within a sleek, translucent blue device, revealing intricate internal components. The device's polished surface reflects ambient light, highlighting its modern, high-tech aesthetic

Analysis

The attack targets the user’s endpoint, specifically the wallet creation or import process within the malicious browser extension. When a user inputs their seed phrase, the extension does not simply store it locally but executes a covert data exfiltration routine. The mnemonic is segmented and encoded into the destination addresses of a tiny, seemingly harmless 0.000001 SUI transaction. This on-chain broadcast allows the attacker to decode the fragments and reconstruct the user’s full seed phrase, granting them persistent, full access to drain the wallet at any time without the need for further interaction.

Two futuristic, segmented blockchain nodes are visually connected by a vibrant, effervescent blue fluid. These nodes, appearing robust with metallic and white components, symbolize the core infrastructure of decentralized systems and distributed ledger technology DLT

Parameters

  • Covert Transaction Value → 0.000001 SUI – The negligible transaction amount used to exfiltrate the encoded seed phrase data on-chain.
  • Compromised Data → BIP-39 Mnemonic Seed Phrase – The master key to all assets in the affected wallet.
  • Attack Vector → Malicious Browser Extension – The software vector used to inject the data exfiltration logic into the user’s workflow.
  • Targeted Chain → Sui Blockchain – The network used to broadcast the covert data exfiltration transaction.

A striking blue and white frosted structure, resembling a dynamic splash, stands prominently on a reflective surface, surrounded by scattered granular particles. A small, clear, textured sphere is positioned in the foreground, with a larger, blurred metallic sphere in the background

Outlook

Users must immediately revoke all approvals and transfer assets from any wallet created or imported using this or similar unverified extensions, assuming total compromise. This incident underscores the urgent need for new security standards mandating multi-signature or hardware wallet usage even for small-value accounts, as well as a zero-trust policy toward all browser-based wallet software. The industry must develop better automated methods to detect seed phrase exfiltration patterns disguised as negligible on-chain activity, as this vector is highly scalable.

Two futuristic white devices with prominent blue illuminated panels are shown interacting at their core, where a bright blue energy field connects them. The devices feature metallic accents and intricate modular designs, set against a softly blurred background of abstract blue and grey technological forms

Verdict

This novel seed phrase encoding technique represents a critical escalation in individual endpoint supply chain attacks, bypassing traditional detection and necessitating a complete re-evaluation of user wallet security hygiene.

digital asset security, software supply chain, key management, non-custodial risk, wallet vulnerability, mnemonic phrase, on-chain forensics, threat intelligence, data exfiltration, user education, asset recovery, security audit, code review, protocol resilience, attack surface, risk mitigation, operational security, incident response, threat actor tactics, cyber espionage Signal Acquired from → binance.com

Micro Crypto News Feeds

supply chain attack

Definition ∞ A supply chain attack targets the software or hardware supply chain of a digital asset service or platform.

digital asset security

Definition ∞ Digital Asset Security refers to the measures and protocols implemented to protect digital assets from theft, loss, or unauthorized alteration.

browser extension

Definition ∞ A browser extension is a small software program that adds specific features to a web browser.

seed phrase

Definition ∞ A seed phrase is a sequence of words that grants access to a cryptocurrency wallet and its associated digital assets.

assets

Definition ∞ A digital asset represents a unit of value recorded on a blockchain or similar distributed ledger technology.

data exfiltration

Definition ∞ Data Exfiltration is the unauthorized transfer of data from a computer system or network to an external location.

transaction

Definition ∞ A transaction is a record of the movement of digital assets or the execution of a smart contract on a blockchain.

compromise

Definition ∞ A 'compromise' in the digital asset space refers to an agreement reached between differing parties, often involving concessions on key points.

supply chain

Definition ∞ A supply chain is the network of all the individuals, companies, resources, activities, and technologies involved in the creation and sale of a product, from the delivery of source materials from the supplier to the manufacturer, through to its eventual sale to the end consumer.

Tags:

Tags: