
Briefing

A sophisticated supply chain attack has been identified via a malicious Chrome extension, “Safery ∞ Ethereum Wallet,” which covertly steals user seed phrases upon wallet creation or import. This threat enables full wallet takeover by encoding the victim’s BIP-39 mnemonic into synthetic Sui blockchain addresses and exfiltrating the data via tiny, legitimate-looking microtransactions. The attack’s core innovation is its complete evasion of HTTP-based network monitoring, utilizing the Sui network to broadcast the stolen seed phrase in the recipient field of a 0.000001 SUI transaction.


Context

The prevailing risk landscape for individual digital asset holders remains dominated by social engineering and supply chain compromises targeting the user endpoint. Before this incident, the primary class of wallet-draining vulnerability involved phishing sites or direct injection of JavaScript to send plaintext seed phrases over unencrypted HTTP channels to a central Command-and-Control (C2) server. This reliance on centralized C2 infrastructure was a known choke point for security firms, which this new on-chain exfiltration technique was explicitly designed to bypass.


Analysis

The attack vector is a malicious browser extension that successfully infiltrated the Chrome Web Store and achieved a high search ranking, lending it a false veneer of legitimacy. When a user enters their mnemonic, the extension’s embedded logic converts each word of the phrase into its numeric index in the BIP-39 word list. This sequence of indices is then packed into a hexadecimal string, which is formatted as one or two valid 32-byte Sui blockchain addresses (twelve 11-bit indices fit in a single address; a 24-word phrase needs two). The extension then executes a microtransaction of 0.000001 SUI from a hardcoded attacker-controlled wallet to these mnemonic-encoded addresses, thereby using the public, immutable blockchain ledger as a covert, decentralized data exfiltration channel.


Parameters

  • Attack Vector ∞ Malicious Chrome Extension (Safery ∞ Ethereum Wallet)
  • Exfiltration Method ∞ Seed phrase encoded into Sui transaction recipient address
  • Exfiltration Channel ∞ Sui Blockchain Microtransaction
  • Exfiltration Cost ∞ 0.000001 SUI per transaction (the negligible cost of the on-chain data transfer)
  • Targeted Asset ∞ BIP-39 Mnemonic Seed Phrases (granting control over all derived Ethereum assets)


Outlook

Immediate mitigation requires all users to audit their browser extensions, uninstall any unknown or unverified wallet applications, and immediately migrate assets from any wallet whose seed phrase was ever entered into a third-party extension. The emergence of on-chain data exfiltration establishes a new, critical security best practice ∞ protocols must now monitor for suspicious, cross-chain microtransactions, and security auditors must treat any unexpected blockchain RPC calls from a front-end as a high-signal threat. This incident signals a strategic shift where threat actors are moving from traditional web-based C2 infrastructure to utilizing the native, decentralized properties of blockchains for covert operations.
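As an added detection example (not code from the original report, nor from the extension itself), the heuristic below applies the monitoring advice above to the encoding described in the Analysis: it flags dust transfers whose recipient address bytes look packed rather than hash-derived. The 1000 MIST threshold (0.000001 SUI), the zero-byte and entropy cut-offs, and the sample transfer records are all constructed assumptions.

```python
"""Heuristic detector for seed phrases hidden in Sui dust-transfer recipient addresses."""
import math
from collections import Counter

DUST_THRESHOLD_MIST = 1_000   # 0.000001 SUI; 1 SUI = 10**9 MIST (amount used in the campaign)
MIN_ZERO_BYTES = 8            # a hash-derived 32-byte address almost never carries this many 0x00
MAX_ENTROPY_BITS = 3.5        # per-byte Shannon entropy; random 32-byte values sit near 4.5+


def address_bytes(addr: str) -> bytes:
    """Parse a 0x-prefixed Sui address into its 32 raw bytes (left-pads short hex)."""
    hexstr = addr[2:] if addr.startswith("0x") else addr
    return bytes.fromhex(hexstr.rjust(64, "0"))


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the byte-value distribution of `data`."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_encoded_payload(addr: str) -> bool:
    """True when the address is far more structured than a Blake2b-derived one.

    A 12-word phrase packs into 17 bytes, leaving ~15 bytes of padding; a real
    address is effectively uniform random, so either test is a strong signal.
    """
    raw = address_bytes(addr)
    return raw.count(0) >= MIN_ZERO_BYTES or shannon_entropy(raw) < MAX_ENTROPY_BITS


def flag_exfil_transfers(transfers):
    """Return digests of dust-sized transfers whose recipient looks like an encoded payload."""
    return [tx["digest"] for tx in transfers
            if tx["amount_mist"] <= DUST_THRESHOLD_MIST
            and looks_like_encoded_payload(tx["recipient"])]


# Constructed sample records (not real on-chain data). The two flagged recipients carry a
# 17-byte payload followed by 15 zero bytes; the other two are random-looking addresses.
SAMPLE_TRANSFERS = [
    {"digest": "tx-normal-1", "amount_mist": 2_500_000_000,
     "recipient": "0x9f3c7e21b5d84a60c1f2e7b39d45a8c6e0d17b2f4a96c3e8d5b0f1a7c2e6d4b8"},
    {"digest": "tx-dust-legit", "amount_mist": 1_000,
     "recipient": "0x3a7d9c1e5b8f2460d7a1c3e9f5b2d8460e1c7a3f9b5d2e8c4a6f0b1d3e5c7a92"},
    {"digest": "tx-dust-1", "amount_mist": 1_000,
     "recipient": "0x" + "0c4d1a2b3e5f60718293a4b5c6d7e8f90a" + "0" * 30},
    {"digest": "tx-dust-2", "amount_mist": 1_000,
     "recipient": "0x" + "5b0a4e6c2d8f1370a9c5e3d7b1f6a2c4e8" + "0" * 30},
]

if __name__ == "__main__":
    print(flag_exfil_transfers(SAMPLE_TRANSFERS))  # → ['tx-dust-1', 'tx-dust-2']
```

A dust amount alone is not flagged (see `tx-dust-legit`); the recipient structure is what separates an exfiltration transfer from an ordinary micro-payment.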


Verdict

This innovative attack vector represents a significant escalation in supply chain risk, proving that threat actors can now leverage the immutability of a public ledger to create a decentralized, undetectable seed phrase exfiltration channel.

Signal Acquired from ∞ gbhackers.com

Micro Crypto News Feeds

supply chain attack

Definition ∞ A supply chain attack targets the software or hardware supply chain of a digital asset service or platform.

digital asset

Definition ∞ A digital asset is a digital representation of value that can be owned, transferred, and traded.

data exfiltration

Definition ∞ Data Exfiltration is the unauthorized transfer of data from a computer system or network to an external location.

attack vector

Definition ∞ An attack vector is a pathway or method by which malicious actors can gain unauthorized access to a system or digital asset.

seed phrase

Definition ∞ A seed phrase is a sequence of words that grants access to a cryptocurrency wallet and its associated digital assets.

sui blockchain

Definition ∞ The Sui blockchain is a novel, permissionless Layer-1 blockchain designed for high throughput and low latency.

on-chain data

Definition ∞ On-chain data comprises all transactional information recorded and publicly verifiable on a blockchain ledger.

seed phrases

Definition ∞ Seed phrases, also known as recovery phrases or mnemonic phrases, are a sequence of words that can be used to generate and restore a cryptocurrency wallet.

decentralized

Definition ∞ Decentralized describes a system or organization that is not controlled by a single central authority.

supply chain

Definition ∞ A supply chain is the network of all the individuals, companies, resources, activities, and technologies involved in the creation and sale of a product, from the delivery of source materials from the supplier to the manufacturer, through to its eventual sale to the end consumer.