Fake Ethereum Wallet in Chrome Web Store Steals Seed Phrases


A malicious browser extension masquerading as a secure Ethereum wallet has been discovered in the Chrome Web Store, ranking among the top search results and actively stealing users’ seed phrases. Blockchain security firm Socket issued the warning after analyzing the extension’s behavior and tracing its on-chain activity.

A High-Ranking “Wallet” Hiding a Backdoor


The extension, called “Safery: Ethereum Wallet,” is promoted as a simple and secure way to manage Ethereum assets. Its presentation, branding, and Chrome Store placement all mimic legitimate wallet extensions, helping it gain trust from unsuspecting users.

However, behind the interface is a programmed backdoor that captures and exfiltrates seed phrases during wallet creation or import. The malicious logic is intentionally obscured and triggered only after the user interacts with key wallet functions.


How the Theft Mechanism Works


The extension uses an unusual but clever method to transmit stolen data. Instead of sending the seed phrase directly to a remote server — which could be detected by browser security tools — it encodes the phrase into a list of fake blockchain addresses.

The extension then initiates a series of microtransactions on the Sui blockchain, sending extremely small amounts of cryptocurrency (as low as 0.000001 SUI) to these addresses. Each destination address corresponds to one element of the encoded seed phrase.

Because the attacker controls the sending wallet, they can later inspect the transaction history and reconstruct the victim’s entire seed phrase based solely on which addresses were used.
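
The on-chain footprint described above (one sender, a short burst of dust-sized transfers, each to a different and otherwise unused address) is something a monitoring job can look for in transaction records. The following is an added example, not code from Socket or from the extension; the record fields, the thresholds, the placeholder addresses and the sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict

MIST_PER_SUI = 1_000_000_000   # 1 SUI = 10^9 MIST
DUST_MIST = 1_000              # 0.000001 SUI, the amount cited in the article
MIN_RECIPIENTS = 12            # assumption: length of a short seed phrase
WINDOW_SECONDS = 600           # assumption: how tight a "burst" must be


def find_dust_fanout(transfers, dust=DUST_MIST,
                     min_recipients=MIN_RECIPIENTS, window=WINDOW_SECONDS):
    """Return {sender: [recipients]} for senders that pay dust amounts to many
    distinct, otherwise unused addresses inside one time window."""
    seen = defaultdict(int)    # how often each address appears in the data set
    for t in transfers:
        seen[t["sender"]] += 1
        seen[t["recipient"]] += 1
    by_sender = defaultdict(list)
    for t in transfers:
        if t["amount_mist"] <= dust and seen[t["recipient"]] == 1:
            by_sender[t["sender"]].append(t)
    findings = {}
    for sender, txs in by_sender.items():
        txs.sort(key=lambda t: t["ts"])
        start = 0
        for end in range(len(txs)):
            # Slide the left edge until the span fits inside the window.
            while txs[end]["ts"] - txs[start]["ts"] > window:
                start += 1
            burst = [t["recipient"] for t in txs[start:end + 1]]
            if len(set(burst)) >= min_recipients:
                findings[sender] = burst
                break
    return findings


def sample_transfers():
    """Constructed records: a fast fan-out, a slow one, and an ordinary payer."""
    def tx(sender, recipient, amount, ts):
        return {"sender": sender, "recipient": recipient,
                "amount_mist": amount, "ts": ts}
    fast = [tx("0xSENDER_A", f"0xFAST_{i:02d}", 1_000, 1_000 + 5 * i) for i in range(12)]
    slow = [tx("0xSENDER_C", f"0xSLOW_{i:02d}", 1_000, 1_000 + 3_600 * i) for i in range(12)]
    shop = [tx("0xSENDER_B", "0xSHOP", 2 * MIST_PER_SUI, 1_000 + 60 * i) for i in range(3)]
    return fast + slow + shop


if __name__ == "__main__":
    print(find_dust_fanout(sample_transfers()))
```

Airdrops and faucet payouts also fan out to fresh addresses, so a hit from a heuristic like this is a lead for review rather than a verdict, and the thresholds need tuning against real traffic.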


Why Attackers Use Microtransactions


This technique makes detection significantly harder. Security scanners often look for suspicious HTTPS requests, remote logs, or outbound connections. By using blockchain transactions to embed the stolen data, the extension avoids traditional monitoring paths entirely.

The cost for the attacker is negligible. Sending microtransactions across a low-fee network like Sui costs almost nothing, allowing the scam to run at scale without raising operational red flags.


Impact and User Risks


Any user who created or imported a wallet using the extension is at immediate risk of losing all assets tied to that seed phrase. Attackers can drain funds at any time once the phrase is reconstructed from the microtransaction pattern.

Security teams warn that victims may not notice the theft immediately. Many attackers wait for wallet balances to increase or for users to perform larger transfers before executing a full drain.


Why Fake Wallet Extensions Are Growing


With millions of users relying on browser-based wallets, malicious extensions have become a major attack vector. Chrome Web Store rankings can be manipulated, enabling scammers to push fraudulent wallet tools into high visibility — especially when they mimic trusted branding and UI patterns.

Experts note that the rise of multi-chain ecosystems has made it easier for attackers to hide malicious activity on less monitored networks like Sui, rather than on popular chains where unusual activity might be noticed faster.


Conclusion


The discovery of the “Safery: Ethereum Wallet” extension shows that malicious actors continue to evolve their methods, using subtle blockchain microtransactions to exfiltrate sensitive data. Users are urged to rely only on verified wallet providers, review extension permissions carefully, and avoid importing seed phrases into unfamiliar tools. Even high-ranking Chrome extensions can be dangerous.


Editorial Team — CoinBotLab

Source: Socket Security
