
Chrome extension “Safery” steals Ethereum wallet seed phrases


Malicious Chrome extension “Safery: Ethereum Wallet” steals users’ seed phrases while posing as a legit crypto wallet still available online.

Socket’s Threat Research Team discovered a malicious Chrome extension called “Safery: Ethereum Wallet,” posing as a legitimate crypto wallet but designed to steal users’ seed phrases. The Chrome extension was uploaded to the Chrome Web Store on September 29, 2025, and the last update was on November 12. It remains available for download, falsely marketed as a secure Ethereum wallet.

The malicious Safery: Ethereum Wallet appears fourth in Chrome Web Store search results for “Ethereum Wallet,” giving it visibility alongside legitimate wallets and increasing the risk that users install it.

The Chrome Web Store lists Safery: Ethereum Wallet as user-friendly, secure, and private, claiming easy transactions and no data collection.

Researchers requested Google to remove the malicious extension and suspend the publisher’s account linked to kifagusertyna@gmail[.]com.

The fake “Safery” wallet hides stolen seed phrases in blockchain transactions. The attacker decodes recipient addresses after transactions to recover the victim’s seed phrase and steal their crypto assets.

“When a user creates or imports a wallet, Safery: Ethereum Wallet encodes the BIP-39 mnemonic into synthetic Sui style addresses, then sends 0.000001 SUI to those recipients using a hardcoded threat actor’s mnemonic,” reads the report published by cybersecurity firm Socket. “By decoding the recipients, the threat actor reconstructs the original seed phrase and can drain affected assets. The mnemonic leaves the browser concealed inside normal looking blockchain transactions.”

The extension hides a covert Sui exfiltration channel by encoding the BIP‑39 mnemonic into one or two synthetic Sui‑style addresses: it maps each seed word to its index in the wordlist, packs the indices into hex, pads the result to 64 characters and prefixes it with 0x. Twelve‑word seeds yield one address, 24‑word seeds two. On wallet creation or import, the extension uses a hardcoded attacker mnemonic to send tiny SUI microtransactions to those synthetic addresses; the attacker later decodes the recipient addresses to reconstruct the exact seed. The process runs in memory and appears as ordinary blockchain traffic (no plaintext exfiltration and no C2 server), allowing full wallet takeover once the mnemonic is recovered.
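Because the exfiltration rides on public transactions, the encoding itself is the thing a defender can look for in wallet or RPC telemetry: a recipient address that is mostly zero padding and whose leading fields all fall inside the BIP‑39 index range (0..2047) is not a plausible hashed address. The heuristic below is an added example for this article, not Socket’s code or anything taken from the extension. The packing it assumes (three hex digits per word index, 12 words per address, right‑padded with zeros) is an assumption chosen to match the description above, not a confirmed detail of the malware; the sample transfers are constructed.

```python
"""Heuristic detector for seed-phrase indices smuggled inside Sui-style addresses.

Assumed layout (an assumption, not a confirmed detail from the report): each
BIP-39 word index (0..2047) is written as a 3-hex-digit field, 12 fields per
address, right-padded with zeros to 64 hex characters and prefixed with 0x.
"""
import re

BIP39_WORDLIST_SIZE = 2048          # BIP-39 English wordlist; indices are 0..2047
FIELD_HEX = 3                       # assumed width of one index field (12 bits)
WORDS_PER_ADDRESS = 12              # assumed: a 24-word seed is split over two addresses
BODY_LEN = FIELD_HEX * WORDS_PER_ADDRESS   # 36 hex chars of payload
ADDR_LEN = 64                       # Sui addresses are 32 bytes = 64 hex chars
DUST_THRESHOLD_SUI = 0.000001       # transfer size reported by Socket

_HEX64 = re.compile(r"^0x[0-9a-fA-F]{64}$")


def decode_synthetic_address(addr):
    """Return the 12 word indices if ``addr`` matches the assumed layout, else None.

    A genuine 32-byte address ending in 28 zero hex digits is astronomically
    unlikely, and requiring every 12-bit field to be below 2048 (top nibble 0-7)
    removes most of the remaining false positives.
    """
    if not _HEX64.match(addr):
        return None
    hex_part = addr[2:].lower()
    body, pad = hex_part[:BODY_LEN], hex_part[BODY_LEN:]
    if pad != "0" * (ADDR_LEN - BODY_LEN):
        return None
    indices = [int(body[i:i + FIELD_HEX], 16) for i in range(0, BODY_LEN, FIELD_HEX)]
    if any(ix >= BIP39_WORDLIST_SIZE for ix in indices):
        return None
    return indices


def flag_transfers(transfers):
    """Scan (sender, recipient, amount_sui) tuples and report suspicious recipients.

    The decoded indices are returned so an analyst can confirm the hit; the
    ``dust`` flag records whether the amount matches the reported microtransfer.
    """
    flagged = []
    for sender, recipient, amount in transfers:
        indices = decode_synthetic_address(recipient)
        if indices is None:
            continue
        flagged.append({
            "sender": sender,
            "recipient": recipient,
            "amount": amount,
            "dust": amount <= DUST_THRESHOLD_SUI,
            "indices": indices,
        })
    return flagged


# Constructed sample: the 12 indices [1874, 2047, 0, 512, 1023, 3, 1500, 77,
# 999, 2000, 1, 1234] written as 3-hex-digit fields, then zero-padded to 64.
SYNTHETIC_RECIPIENT = "0x" + "7527ff0002003ff0035dc04d3e77d00014d2" + "0" * 28

# Constructed sample of an ordinary-looking 32-byte address (no zero padding run).
NORMAL_RECIPIENT = "0x5c1a9e3f7b2d4c6e8a0f1b3d5e7c9a2b4d6f8e0c1a3b5d7f9e2c4a6b8d0f1e3c"

# Constructed sample transfers; the sender address is a placeholder, not a real one.
SAMPLE_TRANSFERS = [
    ("0xSENDER_PLACEHOLDER", SYNTHETIC_RECIPIENT, 0.000001),
    ("0xSENDER_PLACEHOLDER", NORMAL_RECIPIENT, 1.5),
    ("0xSENDER_PLACEHOLDER", "0x1234", 0.000001),   # malformed, ignored
]

if __name__ == "__main__":
    for hit in flag_transfers(SAMPLE_TRANSFERS):
        print(f"suspicious recipient {hit['recipient']} dust={hit['dust']} "
              f"indices={hit['indices']}")
```

In practice this check would run over the wallet's outgoing transfers (or an RPC proxy log) rather than over a constructed list, and the flagged indices would be mapped back to words only inside an incident-response workflow. Since the report expects the same trick on Solana and EVM chains, the address length and field layout would need to be parameterised per chain; the padding-run and index-range tests carry over unchanged.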

“The malicious Safery: Ethereum Wallet extension shows that seed theft can be concealed by using public blockchains as the exfiltration channel. Any mnemonic entered into a malicious wallet can be leaked without HTTP traffic or a central C2. This technique lets threat actors switch chains and RPC endpoints with little effort, so detections that rely on domains, URLs, or specific extension IDs will miss it,” concludes the report. “Defenders should expect reuse across Sui, Solana, and EVM chains and across other wallet UIs.”


Pierluigi Paganini

(SecurityAffairs – hacking, Chrome extension)