Your digital fortune could vanish in seconds if you are not cautious enough. A seemingly innocent browser extension sits among Chrome’s top search results, quietly siphoning cryptocurrency credentials from unsuspecting victims through an ingenious scheme.
Socket, a blockchain security firm, exposed the fraudulent “Safery: Ethereum Wallet” extension on Tuesday, revealing how scammers are disguising seed phrase theft as routine blockchain activity. The malicious tool ranks fourth when users search “Ethereum Wallet” on Google’s Chrome Web Store, positioning itself just below trusted names like MetaMask and Enkrypt.
The Theft Mechanism
The malicious Chrome extension executes its theft through the following mechanism:
Your completely free resource hub designed to boost your knowledge of cryptocurrencies
When a user installs the fake extension and either creates a new wallet or imports an existing one, the extension immediately captures the user’s BIP-39 seed phrase (the 12 or 24-word master key that controls all crypto wallets).
The malicious browser extension never shows real, usable Sui wallet addresses. Instead, it deliberately creates fake—but realistic-looking—addresses that are actually invalid on the Sui blockchain. These bogus addresses are cleverly crafted by mathematically encoding (hiding inside them) the victim’s private seed phrase itself.
In other words, the fake address is not a real wallet — it’s a 32-byte encrypted copy of the victim’s seed phrase disguised as an address. The math of public-key cryptography makes this disguise almost perfect because any 32 random bytes can be turned into a valid-looking address.
The attacker then sends an extremely small “dust” transaction — typically 0.000001 SUI (a fraction of a cent) — from a wallet under their control to each of these encoded fake addresses. These micro-transactions are nearly invisible to the victim and appear harmless.
At a later time, the attacker simply examines the destination addresses of these dust transactions on the public Sui blockchain. Because each fake address contains the original seed phrase in encoded form, the attacker can reverse the process, dust code the addresses, reconstruct the victim’s real 12- or 24-word seed phrase, derive the private keys, and gain full control over all of the victim’s cryptocurrency across multiple blockchains.
In essence, the scam transforms the victim’s secret recovery phrase into public on-chain data disguised as ordinary wallet addresses, allowing the attacker to recover it at leisure and drain the wallets completely.
Despite its prominent placement, red flags abound. The extension displays zero user reviews, contains grammatical errors, lacks an official website, and lists only a Gmail address for developer contact. Security experts urge cryptocurrency holders to verify extension legitimacy, scrutinize all wallet transactions regardless of size, and stick with established platforms before entrusting them with digital assets.
