Chrome extension Safery steals seed phrases using Sui

A malicious Chrome extension posing as an Ethereum wallet is stealing users’ seed phrases and enabling full wallet takeovers, according to new research that says the add-on is live in Google’s Chrome Web Store and ranks near the top of “Ethereum Wallet” search results.

The extension, called “Safery: Ethereum Wallet,” encodes victims’ BIP-39 mnemonics into Sui blockchain microtransactions so the attacker can reconstruct the seed from on-chain data and drain funds.

Blockchain security company Socket’s threat research team detailed how the extension exfiltrates secrets without a traditional command-and-control server. When a user creates or imports a wallet, Safery converts each seed phrase into one or two synthetic Sui-style addresses, then sends 0.000001 SUI to those addresses from an attacker-controlled wallet. Because each recipient address encodes the victim’s mnemonic, the operator can decode the transactions later and recover the exact seed words. The team says the technique lets the theft hide inside normal blockchain traffic, avoiding domain- or IP-based detections.

Researchers say the malicious extension was available on the Chrome Web Store as of this week and appeared as the fourth result for “Ethereum Wallet,” alongside legitimate tools like MetaMask and Enkrypt, increasing the risk that ordinary users would install it from search rather than a verified publisher page. Cointelegraph’s write-up, citing Socket, likewise warned that the add-on was live and marketed as a “reliable and secure” ETH wallet despite the backdoor.

Technical indicators published by Socket identify the extension as “Safery: Ethereum Wallet” with the Chrome extension ID fibemlnkopkeenmmgcfohhcdbkhgbolo and a publisher contact of kifagusertyna@gmail[.]com. The code exposes a global function that logs in only after the hidden Sui transactions complete, includes a hard-coded Base64 mnemonic for the attacker’s Sui wallet, and uses the public Sui RPC at https://sui-rpc.publicnode.com to broadcast the micro-payments. Socket’s scanner also flagged elevated permission requests and dynamic code execution, consistent with malicious extension behavior.
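A defender-side check for the two host-observable indicators above, as an added example that is not from Socket or the original article. It assumes Chrome's usual on-disk layout (`<user data>/<profile>/Extensions/<id>/<version>/`) and that the caller passes the user-data directory; the function name `scan_user_data` is hypothetical.

```python
import re
import sys
from pathlib import Path

# Indicators taken from the article (Socket's published details).
SAFERY_ID = "fibemlnkopkeenmmgcfohhcdbkhgbolo"
SUI_RPC_HOST = b"sui-rpc.publicnode.com"
EXT_ID_RE = re.compile(r"^[a-p]{32}$")  # Chrome extension IDs are 32 letters a-p


def scan_user_data(user_data_dir):
    """Return sorted (profile, extension_id, reason) tuples for one user-data dir."""
    findings = set()
    # Assumed layout: <user data>/<profile>/Extensions/<id>/<version>/...
    for ext_dir in Path(user_data_dir).glob("*/Extensions/*"):
        ext_id = ext_dir.name
        if not ext_dir.is_dir() or not EXT_ID_RE.match(ext_id):
            continue  # skip temp folders and stray files
        profile = ext_dir.parent.parent.name
        if ext_id == SAFERY_ID:
            findings.add((profile, ext_id, "known-malicious extension ID"))
        # Heuristic only: a legitimate Sui wallet may also use this public RPC,
        # so a hit on another extension means "review", not "malicious".
        for script in ext_dir.rglob("*.js"):
            try:
                data = script.read_bytes()
            except OSError:
                continue  # unreadable file: ignore and keep scanning
            if SUI_RPC_HOST in data:
                findings.add((profile, ext_id, "script references public Sui RPC"))
                break
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python scan.py <chrome-user-data-dir>
    for profile, ext_id, reason in scan_user_data(sys.argv[1]):
        print(f"{profile}\t{ext_id}\t{reason}")
```

A hit on the extension ID means any seed phrase entered in that profile should be treated as compromised; a hit on the RPC host alone only marks an extension for manual review.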

The impact hinges on which wallets users imported into Safery. Any seed phrase entered into the extension — whether for MetaMask-derived Ethereum accounts or other EVM wallets — can be reconstructed by the attacker and used to derive private keys and sweep assets. Although the technique uses the Sui network as the exfiltration channel, the theft targets the victim’s Ethereum-compatible wallets because the BIP-39 mnemonic is chain-agnostic. That means users who typed a seed into Safery should assume full compromise of any accounts derived from that phrase.

Its distribution pattern matches broader trends in browser-based crypto theft: malicious extensions seeded via search results and storefront rankings, with later code updates adding data-stealing functionality. Researchers have documented similar campaigns on other browsers, including a 2025 wave of wallet-impersonating add-ons on Mozilla’s store, and earlier purges of dozens of Chrome extensions designed to capture wallet secrets. The Safery case adds a twist by shifting exfiltration into public-chain transactions rather than posting to a server.

In a plain-English takeaway for U.S. users: if you installed “Safery: Ethereum Wallet,” remove it, treat any seed phrases you entered as burned, and move assets to new wallets generated from fresh, offline-created mnemonics. Socket says it has asked Google to pull the listing and suspend the publisher; at publication time (November 14, 2025), researchers reported the extension still live and visible in store search.
