Nov 13, 2025Ravie LakshmananBrowser Safety / Risk Intelligence
Cybersecurity researchers have uncovered a malicious Chrome extension that poses as a reliable Ethereum pockets however harbors performance to exfiltrate customers’ seed phrases.
The title of the extension is “Safery: Ethereum Pockets,” with the risk actor describing it as a “safe pockets for managing Ethereum cryptocurrency with versatile settings.” It was uploaded to the Chrome Net Retailer on September 29, 2025, and was up to date as not too long ago as November 12. It is nonetheless accessible for obtain as of writing.
“Marketed as a easy, safe Ethereum (ETH) pockets, it accommodates a backdoor that exfiltrates seed phrases by encoding them into Sui addresses and broadcasting microtransactions from a risk actor-controlled Sui pockets,” Socket safety researcher Kirill Boychenko stated.
Particularly, the malware current inside the browser add-on is designed to steal pockets mnemonic phrases by encoding them as faux Sui pockets addresses after which utilizing micro-transactions to ship 0.000001 SUI to these wallets from a hard-coded risk actor-controlled pockets.
The tip purpose of the malware is to smuggle the seed phrase inside regular wanting blockchain transactions with out the necessity for establishing a command-and-control (C2) server to obtain the data. As soon as the transactions are full, the risk actor can decode the recipient addresses to reconstruct the unique seed phrase and in the end drain property from it.
“This extension steals pockets seed phrases by encoding them as faux Sui addresses and sending micro-transactions to them from an attacker-controlled pockets, permitting the attacker to watch the blockchain, decode the addresses again to seed phrases, and drain victims’ funds,” Koi Safety notes in an evaluation.
To counter the chance posed by the risk, customers are suggested to stay to trusted pockets extensions. Defenders are advisable to scan extensions for mnemonic encoders, artificial deal with mills, and hard-coded seed phrases, in addition to block people who write on the chain throughout pockets import or creation.
“This system lets risk actors swap chains and RPC endpoints with little effort, so detections that depend on domains, URLs, or particular extension IDs will miss it,” Boychenko stated. “Deal with sudden blockchain RPC calls from the browser as excessive sign, particularly when the product claims to be single chain.”
