Briefing

A sophisticated supply chain attack has been identified in a malicious Chrome extension, “Safery → Ethereum Wallet,” that covertly steals users’ private keys when a wallet is created or imported. The primary consequence is total compromise of every asset tied to the victim’s mnemonic in this non-custodial wallet, making the threat actor’s access persistent and undetectable by standard transaction monitoring. The exploit’s most critical technical detail is the encoding of the BIP-39 mnemonic into synthetic Sui addresses, which are then exfiltrated via a microtransaction of only 0.000001 SUI. This technique bypasses traditional security alerts and gives the attacker full, perpetual control over the victim’s funds.


Context

The prevailing risk for individual users remains social engineering and supply chain attacks targeting the endpoint, which consistently bypass the security layers of audited smart contracts. This vulnerability class leverages the trust users place in official application stores, a known weak point that offers a high-leverage entry for threat actors. The attacker’s strategy capitalizes on the human factor, which remains the weakest link in the digital asset security chain, especially when dealing with initial wallet setup and key management.


Analysis

The attack targets the user’s endpoint, specifically the wallet creation or import process within the malicious browser extension. When a user inputs their seed phrase, the extension does not simply store it locally but executes a covert data exfiltration routine. The mnemonic is segmented and encoded into the destination addresses of a tiny, seemingly harmless 0.000001 SUI transaction. This on-chain broadcast allows the attacker to decode the fragments and reconstruct the user’s full seed phrase, granting them persistent, full access to drain the wallet at any time without the need for further interaction.


Parameters

  • Covert Transaction Value → 0.000001 SUI – The negligible transaction amount used to exfiltrate the encoded seed phrase data on-chain.
  • Compromised Data → BIP-39 Mnemonic Seed Phrase – The master key to all assets in the affected wallet.
  • Attack Vector → Malicious Browser Extension – The software vector used to inject the data exfiltration logic into the user’s workflow.
  • Targeted Chain → Sui Blockchain – The network used to broadcast the covert data exfiltration transaction.


Outlook

Users must immediately revoke all approvals and transfer assets from any wallet created or imported using this or similar unverified extensions, assuming total compromise. This incident underscores the urgent need for new security standards mandating multi-signature or hardware wallet usage even for small-value accounts, as well as a zero-trust policy toward all browser-based wallet software. The industry must develop better automated methods to detect seed phrase exfiltration patterns disguised as negligible on-chain activity, as this vector is highly scalable.
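The Analysis section above describes the mechanism (a seed phrase split across the recipient addresses of a negligible-value transfer), and the Outlook calls for automated detection of that pattern. The following is an added example, not code from the briefing or from any wallet or Sui project, of the kind of heuristic screen an on-chain monitoring team could run over transfer records. It rests on two observations: a genuine address is the output of a hash, so its bytes are effectively uniform, whereas bytes that read as ASCII text are a strong anomaly; and a sender fanning dust out to several distinct recipients is itself worth triage. The dust threshold, the address and transfer records, and every address in the sample set are constructed assumptions for the example.

```python
"""Heuristic screen for seed-phrase exfiltration disguised as dust transfers.

Added example (not from the original briefing): flags negligible-value
transfers whose recipient address bytes read as text rather than as the
uniformly random output of a hash, and senders that fan dust out to several
distinct recipients. All sample data below is constructed.
"""
import hashlib
import string
from dataclasses import dataclass
from typing import Dict, List

MIST_PER_SUI = 1_000_000_000          # 1 SUI = 10^9 MIST
DUST_THRESHOLD_MIST = 10_000          # assumption: <= 0.00001 SUI counts as dust
ADDRESS_BYTES = 32                    # Sui addresses are 32 bytes
TEXT_BYTES = set((string.ascii_lowercase + string.digits + " ").encode())


@dataclass(frozen=True)
class Transfer:
    sender: str
    recipient: str      # 0x-prefixed hex of a 32-byte address
    amount_mist: int


@dataclass(frozen=True)
class Finding:
    sender: str
    recipient: str      # "*" when the finding concerns the sender as a whole
    reason: str


def decode_address(hex_addr: str) -> bytes:
    """Parse a 0x-prefixed hex address into its raw 32 bytes."""
    raw = bytes.fromhex(hex_addr[2:] if hex_addr.startswith("0x") else hex_addr)
    if len(raw) != ADDRESS_BYTES:
        raise ValueError(f"expected {ADDRESS_BYTES}-byte address, got {len(raw)}")
    return raw


def text_ratio(raw: bytes) -> float:
    """Fraction of (non-padding) bytes that are lowercase letters, digits or spaces."""
    body = raw.rstrip(b"\x00") or raw
    return sum(b in TEXT_BYTES for b in body) / len(body)


def looks_like_text(raw: bytes, threshold: float = 0.9) -> bool:
    # A genuine address is a hash output, so each byte is effectively uniform
    # over 0..255 and only ~14% of bytes land in the text set. 29 or more text
    # bytes out of 32 is therefore practically impossible by chance.
    return text_ratio(raw) >= threshold


def scan(transfers: List[Transfer], fanout_min: int = 3) -> List[Finding]:
    """Return findings for dust transfers that match the exfiltration heuristics."""
    dust_by_sender: Dict[str, List[Transfer]] = {}
    for t in transfers:
        if t.amount_mist <= DUST_THRESHOLD_MIST:
            dust_by_sender.setdefault(t.sender, []).append(t)

    findings: List[Finding] = []
    for sender, dust in dust_by_sender.items():
        for t in dust:
            if looks_like_text(decode_address(t.recipient)):
                findings.append(Finding(
                    sender, t.recipient,
                    f"{t.amount_mist} MIST sent to a recipient whose bytes read as text"))
        distinct = {t.recipient for t in dust}
        if len(distinct) >= fanout_min:
            findings.append(Finding(
                sender, "*",
                f"{len(dust)} dust transfers fanned out to {len(distinct)} recipients"))
    return findings


# ---- constructed sample data (assumptions, not observed on-chain values) ----
def _hash_addr(label: str) -> str:
    """Constructed benign recipient: an address-shaped value derived by hashing."""
    return "0x" + hashlib.sha256(label.encode()).hexdigest()


def _text_addr(text: str) -> str:
    """Constructed suspicious recipient: ASCII text zero-padded to 32 bytes."""
    return "0x" + text.encode().ljust(ADDRESS_BYTES, b"\x00").hex()


BENIGN_SENDER = _hash_addr("constructed benign sender")
SUSPECT_SENDER = _hash_addr("constructed suspect sender")

SAMPLE_TRANSFERS = [
    Transfer(BENIGN_SENDER, _hash_addr("shop"), 5 * MIST_PER_SUI),   # ordinary payment
    Transfer(BENIGN_SENDER, _hash_addr("friend"), 1_000),            # one harmless dust tx
    Transfer(SUSPECT_SENDER, _text_addr("constructed payload part one"), 1_000),
    Transfer(SUSPECT_SENDER, _text_addr("constructed payload part two"), 1_000),
    Transfer(SUSPECT_SENDER, _text_addr("constructed payload part three"), 1_000),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_TRANSFERS):
        print(f.sender[:10], f.recipient[:10], f.reason)
```

Run against the constructed sample, the benign sender produces no findings (its one dust transfer goes to a hash-shaped address), while the suspect sender produces one finding per text-like recipient plus a fan-out finding. In production the fan-out rule would be scoped to a time window and enriched with whether each recipient has any prior history, since addresses that never receive anything else are the other tell of this pattern.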


Verdict

This novel seed phrase encoding technique represents a critical escalation in individual endpoint supply chain attacks, bypassing traditional detection and necessitating a complete re-evaluation of user wallet security hygiene.

Signal Acquired from → binance.com

Micro Crypto News Feeds