Briefing

A sophisticated supply chain attack has been identified in a malicious Chrome extension, “Safery: Ethereum Wallet,” which covertly steals user seed phrases upon wallet creation or import. This threat enables full wallet takeover by encoding the victim’s BIP-39 mnemonic into synthetic Sui blockchain addresses and exfiltrating the data via tiny, legitimate-looking microtransactions. The attack’s core innovation is its complete evasion of HTTP-based network monitoring: it uses the Sui network to broadcast the stolen seed phrase in the recipient field of a 0.000001 SUI transaction.

Context

The prevailing risk landscape for individual digital asset holders remains dominated by social engineering and supply chain compromises targeting the user endpoint. Before this incident, the primary class of wallet-draining vulnerability involved phishing sites or direct injection of JavaScript that sent plaintext seed phrases over HTTP to a central Command-and-Control (C2) server. That reliance on centralized C2 infrastructure was a known choke point that security firms could monitor and block, and this new on-chain exfiltration technique was explicitly designed to bypass it.

Analysis

The attack vector is a malicious browser extension that successfully infiltrated the Chrome Web Store and achieved a high search ranking, lending it a false veneer of legitimacy. When a user enters their mnemonic, the extension’s embedded logic converts each BIP-39 word into its numeric index in the word list, producing a sequence of indices. This sequence is then packed into a hexadecimal string, which is formatted as one or two valid Sui blockchain addresses. The extension then executes a microtransaction of 0.000001 SUI from a hardcoded attacker-controlled wallet to these mnemonic-encoded addresses, thereby using the public, immutable blockchain ledger as a covert, decentralized data exfiltration channel.

Parameters

  • Attack Vector → Malicious Chrome Extension (Safery: Ethereum Wallet)
  • Exfiltration Method → Seed phrase encoded into the Sui transaction recipient address
  • Exfiltration Channel → Sui blockchain microtransaction
  • Exfiltration Cost → 0.000001 SUI per transaction (the negligible cost of the on-chain data transfer)
  • Targeted Asset → BIP-39 mnemonic seed phrases (granting control over all derived Ethereum assets)

Outlook

Immediate mitigation requires all users to audit their browser extensions, uninstall any unknown or unverified wallet applications, and immediately migrate assets from any wallet whose seed phrase was ever entered into a third-party extension. The emergence of on-chain data exfiltration establishes a new, critical security best practice: protocols must now monitor for suspicious cross-chain microtransactions, and security auditors must treat any unexpected blockchain RPC calls from a front-end as a high-signal threat. This incident signals a strategic shift in which threat actors are moving from traditional web-based C2 infrastructure to the native, decentralized properties of blockchains for covert operations.
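The encoding described in the Analysis section and the monitoring recommended above can be turned into a concrete screening check. The script below is an added example written for this briefing; it is not code from the original article or from the extension it describes. It assumes a packing layout the page does not specify (the twelve 11-bit BIP-39 word indices bit-packed into the leading 132 bits of a 32-byte Sui address, with the remaining bits as padding) and that 0.000001 SUI equals 1000 MIST, since Sui uses nine decimal places. A real investigation would take the exact layout from the extension's own code. The useful defensive idea is that a BIP-39 mnemonic carries a checksum, so a recipient address can be tested for "decodes to a checksum-valid mnemonic" using only SHA-256, with no word list, and that test can be combined with the tell-tale transfer amount. All transaction records in the block are constructed test data.

```python
"""Screening Sui transfer records for mnemonic-encoded recipient addresses.

Added example for this briefing; not code from the original article or from
the extension it describes.  Assumptions not stated on the page: the
extension bit-packs the twelve 11-bit BIP-39 word indices into the leading
132 bits of a 32-byte Sui address (the remaining 124 bits are padding), and
0.000001 SUI equals 1000 MIST because Sui uses nine decimal places.  All
transaction records below are constructed test data.
"""
import hashlib

MIST_PER_SUI = 10 ** 9
SUSPECT_AMOUNT_MIST = 1000   # 0.000001 SUI, the amount named in the report
WORDS = 12                   # 12-word mnemonic: 128 entropy bits + 4 checksum bits
ADDRESS_BITS = 256           # Sui addresses are 32 bytes


def address_to_indices(addr_hex: str, words: int = WORDS) -> list[int]:
    """Read the leading words*11 bits of a 32-byte address as BIP-39 word indices."""
    raw = bytes.fromhex(addr_hex.removeprefix("0x"))
    if len(raw) != ADDRESS_BITS // 8:
        raise ValueError("Sui addresses are 32 bytes")
    needed = words * 11
    top = int.from_bytes(raw, "big") >> (ADDRESS_BITS - needed)
    return [(top >> (11 * (words - 1 - i))) & 0x7FF for i in range(words)]


def indices_pass_bip39_checksum(indices: list[int]) -> bool:
    """BIP-39 checksum test on word indices alone; no word list is needed.

    The concatenated 11-bit indices are ENT entropy bits followed by ENT/32
    checksum bits, which must equal the first ENT/32 bits of SHA-256(entropy).
    A random 32-byte address passes this test with probability 1/16 for
    12 words, so it is a heuristic to combine with other signals, not proof.
    """
    total = len(indices) * 11
    ent_bits = total * 32 // 33
    cs_bits = total - ent_bits
    packed = 0
    for idx in indices:
        packed = (packed << 11) | idx
    entropy = (packed >> cs_bits).to_bytes(ent_bits // 8, "big")
    checksum = packed & ((1 << cs_bits) - 1)
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    return checksum == expected


def screen_records(records: list[dict]) -> list[dict]:
    """Flag transfers that carry the tell-tale amount AND a recipient whose
    leading bits decode to a checksum-valid 12-word mnemonic."""
    flagged = []
    for rec in records:
        if rec["amount_mist"] != SUSPECT_AMOUNT_MIST:
            continue
        idx = address_to_indices(rec["recipient"])
        if indices_pass_bip39_checksum(idx):
            flagged.append({**rec, "word_indices": idx})
    return flagged


# --- constructed test data -------------------------------------------------

def make_test_vector(entropy: bytes) -> str:
    """Build a constructed address whose leading 132 bits hold a checksum-valid
    12-word mnemonic derived from `entropy` (test data only)."""
    if len(entropy) != 16:
        raise ValueError("12-word mnemonics use 16 bytes of entropy")
    cs = hashlib.sha256(entropy).digest()[0] >> 4
    packed = (int.from_bytes(entropy, "big") << 4) | cs        # 132 bits
    return "0x" + (packed << (ADDRESS_BITS - 132)).to_bytes(32, "big").hex()


def tamper_checksum(addr_hex: str) -> str:
    """Flip the lowest checksum bit so the address no longer decodes cleanly."""
    value = int(addr_hex, 16) ^ (1 << (ADDRESS_BITS - 132))
    return "0x" + value.to_bytes(32, "big").hex()


ENCODED = make_test_vector(bytes(range(16)))   # constructed entropy 00..0f
SAMPLE_RECORDS = [   # constructed; digests and senders are placeholders
    {"digest": "tx-constructed-1", "sender": "0x" + "aa" * 32,
     "recipient": ENCODED, "amount_mist": 1000},
    {"digest": "tx-constructed-2", "sender": "0x" + "aa" * 32,
     "recipient": tamper_checksum(ENCODED), "amount_mist": 1000},
    {"digest": "tx-constructed-3", "sender": "0x" + "bb" * 32,
     "recipient": ENCODED, "amount_mist": 2 * MIST_PER_SUI},
]

if __name__ == "__main__":
    for hit in screen_records(SAMPLE_RECORDS):
        print(hit["digest"], hit["recipient"], hit["word_indices"])
```

Only the first constructed record is flagged: the second carries the suspicious amount but its recipient fails the checksum, and the third has a valid-looking recipient but a normal amount. In practice the amount filter does most of the work and the checksum test cuts the remaining candidates by a factor of 16 (256 for 24-word mnemonics, which would span two addresses); a repeated sender funding many such transfers is the stronger signal to pivot on.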

Verdict

This innovative attack vector represents a significant escalation in supply chain risk, proving that threat actors can now leverage the immutability of a public ledger to create a decentralized, undetectable seed phrase exfiltration channel.

Seed phrase theft, Mnemonic exfiltration, Supply chain attack, Malicious extension, On-chain data leak, Covert communication, Browser wallet risk, BIP-39 compromise, Cross-chain stealth, Microtransaction exploit, Web3 security model, Private key exposure, Wallet drainer, User asset risk, Decentralized attack, Transaction encoding, Data concealment, Frontend vulnerability, Phishing vector, Digital asset security.

Signal Acquired from → gbhackers.com

Micro Crypto News Feeds

supply chain attack

Definition ∞ A supply chain attack targets the software or hardware supply chain of a digital asset service or platform.

digital asset

Definition ∞ A digital asset is a digital representation of value that can be owned, transferred, and traded.

data exfiltration

Definition ∞ Data Exfiltration is the unauthorized transfer of data from a computer system or network to an external location.

attack vector

Definition ∞ An attack vector is a pathway or method by which malicious actors can gain unauthorized access to a system or digital asset.

seed phrase

Definition ∞ A seed phrase is a sequence of words that grants access to a cryptocurrency wallet and its associated digital assets.

sui blockchain

Definition ∞ The Sui blockchain is a novel, permissionless Layer-1 blockchain designed for high throughput and low latency.

on-chain data

Definition ∞ On-chain data comprises all transactional information recorded and publicly verifiable on a blockchain ledger.

seed phrases

Definition ∞ Seed phrases, also known as recovery phrases or mnemonic phrases, are a sequence of words that can be used to generate and restore a cryptocurrency wallet.

decentralized

Definition ∞ Decentralized describes a system or organization that is not controlled by a single central authority.

supply chain

Definition ∞ A supply chain is the network of all the individuals, companies, resources, activities, and technologies involved in the creation and sale of a product, from the delivery of source materials from the supplier to the manufacturer, through to its eventual sale to the end consumer.