Malicious Chrome Extension Disguised as Crypto Wallet Steals Seed Phrases via On-Chain Exfiltration
Security researchers have uncovered a fraudulent Chrome extension masquerading as an Ethereum wallet, which silently steals users’ seed phrases and transfers them to attacker-controlled wallets by embedding them in Sui blockchain transactions. The threat underscores rising risks for crypto users from browser-based wallets.
Market Context
As the crypto ecosystem grows, browser-based wallet extensions remain a popular entry point for users — but also a lucrative target for attackers. With the value of assets held in such wallets expanding, malicious actors are increasingly leveraging sophisticated techniques (e.g., seed-phrase exfiltration, blockchain-based payloads) that are harder to detect through conventional security measures. Consumer awareness and wallet extension regulation are now critical facets of the market’s security posture.
Technical Details with Attribution
- The extension, called “Safery: Ethereum Wallet”, was listed in the Chrome Web Store and presented as a normal ETH wallet tool.
- Behind the scenes, when a user created or imported a wallet, the extension encoded the 12- or 24-word BIP-39 mnemonic into one or more synthetic Sui-style addresses, then silently sent micro-transactions (≈ 0.000001 SUI) from an attacker-controlled account to those addresses. This allowed the attacker to reconstruct the seed phrase from the recipient addresses.
- The extension’s code also exposed a global function, giving the attacker full access to the victim’s wallet once the seed was reconstructed.
- The technique bypasses standard data-leak detection (e.g., network traffic monitoring) because all data exfiltration occurs via normal-looking blockchain transactions rather than conventional C2 (command & control) servers.
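One defender-side check for the pattern above is to watch for a single sender fanning out dust-sized transfers to addresses that have no prior on-chain history. This is an added example, not code from the report or from the researchers; the thresholds, the placeholder addresses and the sample ledger are constructed assumptions:

```python
"""Constructed detector: flags a sender that pushes many dust-sized transfers
to never-before-seen addresses in a short window (assumed thresholds)."""
from collections import defaultdict
from dataclasses import dataclass

DUST_MAX_SUI = 0.00001      # assumption: transfers at or below this are dust
MIN_FRESH_RECIPIENTS = 3    # assumption: fan-out needed before alerting
WINDOW_SECONDS = 600        # assumption: look-back window per sender


@dataclass(frozen=True)
class Tx:
    sender: str
    recipient: str
    amount_sui: float
    ts: int  # unix seconds


def find_dust_fanout(txs, known_addresses):
    """Return {sender: fresh dust recipients} for senders matching the pattern.
    "Fresh" = not in known_addresses nor seen in any earlier transaction."""
    seen = set(known_addresses)
    by_sender = defaultdict(list)  # sender -> [(ts, recipient)] dust-to-fresh
    for tx in sorted(txs, key=lambda t: t.ts):
        if tx.amount_sui <= DUST_MAX_SUI and tx.recipient not in seen:
            by_sender[tx.sender].append((tx.ts, tx.recipient))
        seen.update((tx.sender, tx.recipient))

    flagged = {}
    for sender, events in by_sender.items():
        start = 0  # sliding window over the time-ordered events
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW_SECONDS:
                start += 1
            if len({r for _, r in events[start:end + 1]}) >= MIN_FRESH_RECIPIENTS:
                flagged[sender] = sorted({r for _, r in events})
                break
    return flagged


# Constructed sample ledger; addresses are placeholders, not real Sui addresses.
SAMPLE_TXS = [
    Tx("0xATTACKER", "0xFRESH01", 0.000001, 1_700_000_000),
    Tx("0xATTACKER", "0xFRESH02", 0.000001, 1_700_000_010),
    Tx("0xATTACKER", "0xFRESH03", 0.000001, 1_700_000_020),
    Tx("0xALICE", "0xEXCHANGE", 12.5, 1_700_000_030),   # ordinary transfer
    Tx("0xBOB", "0xFRESH04", 0.000001, 1_700_000_040),  # one dust tx, no fan-out
]
KNOWN = {"0xEXCHANGE"}
```

Running `find_dust_fanout(SAMPLE_TXS, KNOWN)` flags only the sender that repeatedly dusts fresh addresses; a single dust payment or a normal-sized transfer is ignored.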
Analyst Perspectives
Some security specialists believe this attack demonstrates how malicious actors are becoming more creative and subtle — using public blockchains as stealth channels for exfiltration rather than relying on suspicious HTTP traffic. The event may pressure wallet-extension developers to adopt rigorous audits, code-verification and permission minimalism.
Others caution that while the exploit is technically impressive, its actual impact may be limited by user awareness and upgrade cycles — many users may already employ hardware wallets, and browser-extension installs can be monitored. Still, the attack raises the risk-bar for all users, especially those using lesser-known extensions.
Global Impact Note
Since browser wallet extensions are used globally, this kind of attack is a reminder that regulatory and security standards for extensions are lagging compared to traditional financial software. Users in regions such as India, Southeast Asia and Latin America — where crypto access via browser tools is high — may be especially vulnerable. The incident may drive regulators to consider stricter extension-store vetting or disclaimers for crypto-wallet tools worldwide.