Briefing

A sophisticated supply chain attack has been identified in a malicious Chrome extension, “Safery → Ethereum Wallet,” which covertly steals user seed phrases at the moment a wallet is created or imported. The theft enables full wallet takeover: the extension encodes the victim’s BIP-39 mnemonic into synthetic Sui blockchain addresses and exfiltrates it through tiny, legitimate-looking microtransactions. The attack’s core innovation is that it sidesteps HTTP-based network monitoring entirely; instead of contacting a web server, it broadcasts the stolen seed phrase in the recipient field of a 0.000001 SUI transaction on the Sui network.

Context

The prevailing risk landscape for individual digital asset holders remains dominated by social engineering and supply chain compromises that target the user endpoint. Before this incident, the primary class of wallet-draining attack relied on phishing sites or injected JavaScript that sent plaintext seed phrases over unencrypted HTTP channels to a central Command-and-Control (C2) server. That dependence on centralized C2 infrastructure gave security firms a known choke point for detection and takedown, and the on-chain exfiltration technique described here was explicitly designed to bypass it.

Analysis

The attack vector is a malicious browser extension that successfully infiltrated the Chrome Web Store and achieved a high search ranking, lending it a false veneer of legitimacy. When a user enters their mnemonic, the extension’s embedded logic converts the BIP-39 word list into a sequence of numeric indices. This sequence is then packed into a hexadecimal string, which is formatted as one or two valid Sui blockchain addresses. The extension then executes a microtransaction of 0.000001 SUI from a hardcoded attacker-controlled wallet to these mnemonic-encoded addresses, thereby using the public, immutable blockchain ledger as a covert, decentralized data exfiltration channel.

Parameters

  • Attack Vector → Malicious Chrome Extension (Safery → Ethereum Wallet)
  • Exfiltration Method → Seed phrase encoded into Sui transaction recipient address
  • Exfiltration Channel → Sui Blockchain Microtransaction
  • Exfiltration Cost → 0.000001 SUI per transaction (The negligible cost of the on-chain data transfer)
  • Targeted Asset → BIP-39 Mnemonic Seed Phrases (Granting control over all derived Ethereum assets)

Outlook

Immediate mitigation requires all users to audit their browser extensions, uninstall any unknown or unverified wallet applications, and immediately migrate assets away from any wallet whose seed phrase was ever entered into a third-party extension. The emergence of on-chain data exfiltration establishes a new, critical security best practice: protocols must now monitor for suspicious cross-chain microtransactions, and security auditors must treat any unexpected blockchain RPC call issued from a front-end as a high-signal threat indicator. This incident signals a strategic shift in which threat actors move away from traditional web-based C2 infrastructure and toward the native, decentralized properties of blockchains for covert operations.
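The Analysis above describes the encoding (BIP-39 words → numeric indices → hex string → Sui address), and the Outlook calls for monitoring of suspicious microtransactions. The following detector, written for this article and not taken from the report or from gbhackers.com, shows how a defender can act on both points: because BIP-39 appends a SHA-256 checksum to the entropy before cutting it into 11-bit word indices, a recipient address can be checked for "mnemonic-shaped" contents without any wordlist, and the check generalizes to every standard mnemonic length (12 to 24 words), not just the 12-word case. The packing layout (one big-endian 2-byte chunk per index, zero-padded to a 32-byte address), the MIST amount unit, the `max_amount_mist` threshold and all sample transactions are assumptions or constructed data, not details from the report.

```python
"""Added detection example: flag address fields that decode to a BIP-39 mnemonic.

Assumptions (not from the original report): each word index is packed as one
big-endian 2-byte chunk, the payload is zero-padded to fill a 32-byte address,
and amounts are given in MIST (1 SUI = 1_000_000_000 MIST).
"""
import hashlib
from typing import Dict, List, Tuple

WORD_BITS = 11                          # a BIP-39 word is an 11-bit index (0..2047)
VALID_LENGTHS = (12, 15, 18, 21, 24)    # mnemonic lengths permitted by BIP-39


def hex_to_indices(addr_hex: str) -> List[int]:
    """Split an address into 16-bit big-endian chunks (assumed 2 bytes per index)."""
    h = addr_hex.lower()
    h = h[2:] if h.startswith("0x") else h
    if len(h) % 4 != 0:
        raise ValueError("payload is not a whole number of 2-byte chunks")
    return [int(h[i:i + 4], 16) for i in range(0, len(h), 4)]


def checksum_valid(indices: List[int]) -> bool:
    """Verify a BIP-39 checksum from indices alone; the wordlist is not needed.

    BIP-39 concatenates ENT entropy bits with the first ENT/32 bits of
    SHA-256(entropy) and cuts the result into 11-bit word indices, so the
    checksum can be recomputed directly from the indices.
    """
    n = len(indices)
    if n not in VALID_LENGTHS or any(not 0 <= i < 2 ** WORD_BITS for i in indices):
        return False
    bits = "".join(format(i, "011b") for i in indices)
    cs_len = n * WORD_BITS // 33            # 4 checksum bits for 12 words ... 8 for 24
    ent_bits = bits[:-cs_len]
    entropy = int(ent_bits, 2).to_bytes(len(ent_bits) // 8, "big")
    expected = format(hashlib.sha256(entropy).digest()[0], "08b")[:cs_len]
    return bits[-cs_len:] == expected


def mnemonic_lengths(indices: List[int]) -> List[int]:
    """Return every standard length n for which the first n chunks form a valid mnemonic.

    A random 32-byte address passes the range check for 12 chunks with
    probability (2048/65536)**12 = 2**-60, so any hit is a strong signal.
    """
    return [n for n in VALID_LENGTHS
            if len(indices) >= n and checksum_valid(indices[:n])]


def flag_transactions(txs: List[Dict], max_amount_mist: int = 1_000_000) -> List[Tuple[str, List[int]]]:
    """Flag low-value transfers whose recipient field decodes to a mnemonic."""
    flagged = []
    for tx in txs:
        if tx["amount_mist"] > max_amount_mist:
            continue                      # dust-sized transfers only, like the 0.000001 SUI in the report
        lengths = mnemonic_lengths(hex_to_indices(tx["recipient"]))
        if lengths:
            flagged.append((tx["digest"], lengths))
    return flagged


# Constructed sample data (not real on-chain records). The first recipient packs the
# indices [0]*11 + [3], i.e. the well-known all-zero-entropy 12-word mnemonic, whose
# checksum nibble is 3; senders are labelled placeholders, not real addresses.
SUSPECT_RECIPIENT = "0x" + "0000" * 11 + "0003" + "0000" * 4   # 64 hex chars = 32 bytes
SAMPLE_TXS = [
    {"digest": "tx-constructed-1", "sender": "0x<attacker-placeholder>",
     "recipient": SUSPECT_RECIPIENT, "amount_mist": 1_000},              # 0.000001 SUI
    {"digest": "tx-constructed-2", "sender": "0x<user-placeholder>",
     "recipient": "0x" + "deadbeef" * 8, "amount_mist": 5_000_000_000},  # ordinary transfer
    {"digest": "tx-constructed-3", "sender": "0x<user-placeholder>",
     "recipient": "0x" + "0000" * 11 + "0800" + "0000" * 4, "amount_mist": 1_000},  # 0x0800 = 2048, out of range
]

if __name__ == "__main__":
    for digest, lengths in flag_transactions(SAMPLE_TXS):
        print(f"{digest}: recipient decodes to a valid mnemonic of {lengths} words")
```

Run against a feed of transactions from a protocol's own front-end or from a watched sender set, the checksum test is what separates this heuristic from a plain "all chunks below 2048" filter: the latter already fires on a vanishingly small fraction of genuine addresses, and the checksum cuts the remaining false positives by a further factor of 16 to 256 depending on length. If the real packing layout differs from the assumed one, only `hex_to_indices` needs to change.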

Verdict

This innovative attack vector represents a significant escalation in supply chain risk, proving that threat actors can now leverage the immutability of a public ledger to create a decentralized seed phrase exfiltration channel that evades conventional HTTP-based network monitoring.

Seed phrase theft, Mnemonic exfiltration, Supply chain attack, Malicious extension, On-chain data leak, Covert communication, Browser wallet risk, BIP-39 compromise, Cross-chain stealth, Microtransaction exploit, Web3 security model, Private key exposure, Wallet drainer, User asset risk, Decentralized attack, Transaction encoding, Data concealment, Frontend vulnerability, Phishing vector, Digital asset security. Signal Acquired from → gbhackers.com

Micro Crypto News Feeds

supply chain attack

Definition ∞ A supply chain attack targets the software or hardware supply chain of a digital asset service or platform.

digital asset

Definition ∞ A digital asset is a digital representation of value that can be owned, transferred, and traded.

data exfiltration

Definition ∞ Data Exfiltration is the unauthorized transfer of data from a computer system or network to an external location.

attack vector

Definition ∞ An attack vector is a pathway or method by which malicious actors can gain unauthorized access to a system or digital asset.

seed phrase

Definition ∞ A seed phrase is a sequence of words that grants access to a cryptocurrency wallet and its associated digital assets.

sui blockchain

Definition ∞ The Sui blockchain is a novel, permissionless Layer-1 blockchain designed for high throughput and low latency.

on-chain data

Definition ∞ On-chain data comprises all transactional information recorded and publicly verifiable on a blockchain ledger.

seed phrases

Definition ∞ Seed phrases, also known as recovery phrases or mnemonic phrases, are a sequence of words that can be used to generate and restore a cryptocurrency wallet.

decentralized

Definition ∞ Decentralized describes a system or organization that is not controlled by a single central authority.

supply chain

Definition ∞ A supply chain is the network of all the individuals, companies, resources, activities, and technologies involved in the creation and sale of a product, from the delivery of source materials from the supplier to the manufacturer, through to its eventual sale to the end consumer.