Warning: Malicious “Safery: Ethereum Wallet” Chrome Extension Steals Seed Phrases

Blockchain security platform Socket has alerted users to a dangerous new crypto wallet extension on the Google Chrome Web Store that is designed to steal seed phrases and drain user assets.

The extension, named “Safery: Ethereum Wallet,” markets itself as a “reliable and secure browser extension designed for easy and efficient management” of Ethereum-based assets. However, Socket’s report reveals that it contains a hidden backdoor that exfiltrates seed phrases by concealing them inside ordinary-looking blockchain transactions.

How the Scam Works

The malicious extension uses an unusual method to steal credentials. When a user creates or imports a wallet:

  1. New Wallets: If a user creates a new wallet within the extension, the BIP-39 seed phrase is encoded into Sui addresses and broadcast via microtransactions. The attacker then reconstructs the seed phrase and can access all funds.
  2. Imported Wallets: If an existing wallet is imported, the seed phrase is similarly encoded and sent to the attacker-controlled wallet, compromising the user’s existing crypto holdings.

Socket explains:

“Safery: Ethereum Wallet encodes the BIP-39 mnemonic into synthetic Sui-style addresses, then sends 0.000001 SUI to those recipients using a hardcoded threat actor’s mnemonic. By decoding the recipients, the threat actor reconstructs the original seed phrase and can drain affected assets. The mnemonic leaves the browser concealed inside normal-looking blockchain transactions.”
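Two traits in Socket's description can be checked statically before an extension is trusted: a mnemonic hardcoded in the bundle, and code for a chain the listing never mentions. The sketch below is an added example, not code from Socket or from the extension. The marker patterns, file names and sample source are assumptions constructed for illustration.

```javascript
// Added example: static triage of an unpacked extension's JavaScript.
// All sample source below is constructed; marker patterns are this example's assumptions.
const PHRASE_LENGTHS = new Set([12, 15, 18, 21, 24]); // valid BIP-39 word counts
const BIP39_WORD_SHAPE = /^[a-z]{3,8}$/;               // English list: 3-8 lowercase letters
const CHAIN_MARKERS = {
  sui: /@mysten\/sui|\bsuix?_[A-Za-z]+|\bfullnode\.[a-z]+\.sui\.io\b/,
  ethereum: /\beth_[A-Za-z]+|\bethers\b|\bweb3\b/,
};

// Extract quoted string literals with a simple scanner (no full JS parse).
function stringLiterals(source) {
  const re = /(["'`])((?:\\.|(?!\1)[^\\])*)\1/g;
  return [...source.matchAll(re)].map((m) => m[2]);
}

// Heuristic only: confirm hits against the real BIP-39 wordlist during review.
function looksLikeMnemonic(text) {
  const words = text.trim().split(/\s+/);
  return PHRASE_LENGTHS.has(words.length) && words.every((w) => BIP39_WORD_SHAPE.test(w));
}

// files: { path: sourceText }; declaredChain: the chain the store listing claims to serve.
function triageExtension(files, declaredChain) {
  const findings = [];
  for (const [path, source] of Object.entries(files)) {
    for (const lit of stringLiterals(source)) {
      if (looksLikeMnemonic(lit)) {
        // Report the word count, never the phrase itself.
        findings.push({ path, kind: "hardcoded-mnemonic", words: lit.trim().split(/\s+/).length });
      }
    }
    for (const [chain, marker] of Object.entries(CHAIN_MARKERS)) {
      if (chain !== declaredChain && marker.test(source)) {
        findings.push({ path, kind: "undeclared-chain", chain });
      }
    }
  }
  return findings;
}

// Constructed sample: an "Ethereum" wallet bundle with a baked-in phrase and a Sui RPC call.
const phrase = Array(12).fill("example").join(" ");
const sampleFiles = {
  "background.js": 'const k = "' + phrase + '"; rpc("sui_executeTransactionBlock");',
  "ui.js": 'const label = "Create wallet"; provider.send("eth_chainId");',
};
console.log(triageExtension(sampleFiles, "ethereum"));
```

A mnemonic-shaped literal is only a lead, since ordinary lowercase sentences can match the shape. Either finding in a wallet extension justifies reading the surrounding code before installing it.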

Red Flags of the Scam Extension

Despite ranking as the fourth search result for “Ethereum Wallet” on the Chrome Web Store, the extension shows multiple signs of illegitimacy:

  • Zero reviews and minimal user feedback
  • Grammatical errors and poor branding
  • No official website or professional documentation
  • Developer uses a personal Gmail account instead of an organization email

How to Protect Yourself

Crypto users are advised to take the following precautions:

  • Verify legitimacy: Use well-established wallet extensions like MetaMask, Wombat, or Enkrypt.
  • Never share seed phrases: Treat your mnemonic phrases as the ultimate key to your funds.
  • Monitor wallet activity: Even tiny transactions can indicate malicious activity.
  • Research extensions: Look for official documentation, reviews, and professional branding.

Conclusion

This scam highlights the importance of cybersecurity awareness in the crypto space. Even small mistakes, like trusting an unverified browser extension, can result in total loss of funds. Users should remain vigilant, double-check the source of crypto tools, and avoid shortcuts when managing wallets or seed phrases.
