Blockchain security firm Socket has issued an urgent warning about a malicious crypto wallet extension circulating on the Google Chrome Web Store. The firm alerted users that the tool is actively stealing seed phrases through a sophisticated backdoor mechanism.
The extension, titled “Safery: Ethereum Wallet,” promotes itself as a secure and user-friendly way to manage Ethereum assets. However, Socket’s Threat Research Team states that it is engineered to covertly drain user funds.
How the Malicious Extension Operates
According to a Tuesday report from Socket, the extension, which was published on November 12, 2024, functions as a Trojan wallet.
While it appears to operate like a typical Ethereum browser extension, it secretly exfiltrates users’ BIP-39 seed phrases. This is achieved by encoding them into synthetic Sui-style addresses and sending tiny microtransactions worth 0.000001 SUI from a threat-actor-controlled wallet.
By decoding these recipient addresses, attackers can fully reconstruct the victim’s seed phrase and take control of their assets at any time.
This exfiltration process occurs the moment a user creates a new wallet or imports an existing one. In both scenarios, the seed phrase is immediately transmitted through disguised on-chain activity, leaving no obvious signs of compromise.
Socket notes that the mnemonic "leaves the browser concealed inside normal-looking blockchain transactions," making detection extremely difficult without specialized analysis.
Visibility and Deceptive Marketing
Despite its malicious nature, Safery: Ethereum Wallet is currently listed as the fourth result when users search for “Ethereum Wallet” on the Chrome Web Store. It appears alongside reputable extensions such as MetaMask and Enkrypt, giving it significant visibility and an air of legitimacy.
The listing includes polished marketing claims such as “Easy, Fast and Secure Extension.” It also promises privacy protections and states that private keys remain on-device, claims that are directly contradicted by its hidden backdoor.
Socket’s analysis shows that the extension behaves convincingly like a real Ethereum wallet. It supports balance checks, transaction history via Etherscan or Ethplorer, and standard ETH transfers.
This realistic interface increases the likelihood that unsuspecting users will trust it with their seed phrases.
Security Recommendations
Security researchers are urging users to immediately avoid or uninstall the Safery extension. They also advise users to verify the authenticity of any crypto wallet tools before installation.