Malicious Chrome Extension Safery Impersonates Ethereum Wallet to Steal Seed Phrases


By Tina Reynolds


Cybersecurity researchers have identified a malicious Chrome extension named “Safery: Ethereum Wallet.” This extension purports to be a safe way to store and manage your Ethereum cryptocurrency. In practice, however, it mostly serves as a tool to phish users’ wallet seed phrases. The extension uses these underhanded tactics to prey upon the most naive of Chrome browser users, furthering scary risks to crypto security.

The threat actor behind “Safery: Ethereum Wallet” describes it as a “secure wallet for managing Ethereum cryptocurrency with flexible settings.” Nonetheless, researchers from Koi Security have discovered that this claimed wallet is anything but real. Rather, it has a backdoor specifically created to steal wallet mnemonic seed phrases – the keys to all users’ crypto accounts.

How Safery Operates

“Safery: Ethereum Wallet” disguises itself as a trustworthy Ethereum wallet. Once installed, it collects users’ seed phrases and encodes them as spoofed Sui wallet addresses. The extension then sends minuscule transactions worth 0.000001 SUI to those addresses from a hard-coded wallet that the threat actor controls.

By employing these tactics, the extension not only obfuscates its real purpose but makes detection much more difficult. Kirill Boychenko, a cybersecurity expert, noted, “This technique lets threat actors switch chains and RPC endpoints with little effort, so detections that rely on domains, URLs, or specific extension IDs will miss it.”

The operators of “Safery” watch the blockchain for these transactions and decode the recipient addresses back into the stolen seed phrases. This gives them remote access to victims’ cryptocurrency wallets and lets them steal their funds.

Risks Associated with Safery

The implications of using “Safery: Ethereum Wallet” are severe. Once the seed phrases are in the attackers’ hands, the attackers only need to click a few buttons to take over victims’ entire crypto portfolio. The use of misleading marketing tactics poses significant risks to individuals looking for legitimate tools to manage their digital assets.

Koi Security emphasized the need for vigilance among users: “This extension steals wallet seed phrases by encoding them as fake Sui addresses and sending micro-transactions to them from an attacker-controlled wallet, allowing the attacker to monitor the blockchain, decode the addresses back to seed phrases, and drain victims’ funds.”

Cybersecurity experts recommend that users consider unexpected blockchain RPC calls from browsers as red flags. That’s doubly true for products that profess to be interoperable but only work on one chain.
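The two red flags above, browser-extension traffic to a chain the extension does not claim to support and transaction submissions from an extension nobody vetted, are easy to turn into a log check. The script below is an added example and is not tooling from Koi Security or from the article; it assumes a normalised log with one JSON object per line carrying the request's `initiator`, `url` and JSON-RPC `body`, and the extension ids, RPC hosts and log lines are constructed placeholders. The method-prefix table is a deliberately small mapping from RPC method families (`eth_`, `sui_`, `suix_`) to the chain they address.

```python
"""Flag unexpected or cross-chain JSON-RPC traffic originating from browser
extensions. Assumed input: one JSON object per line with "initiator" (the
requesting origin), "url" and "body" (the JSON-RPC request), the shape a
proxy or DevTools export can be normalised into. Every sample value here
is constructed for illustration."""
import json
from typing import Dict, List, Optional

# Method-name prefixes that identify the chain family an RPC call targets
# (small, hand-built table; extend for the chains you actually allow).
CHAIN_BY_PREFIX = {
    "eth_": "ethereum",
    "sui_": "sui",
    "suix_": "sui",
}

# Methods that submit signed transactions; worth a second look from any
# browser origin, even a known wallet extension.
TX_SUBMIT_METHODS = {"eth_sendRawTransaction", "sui_executeTransactionBlock"}

# Which chain each vetted extension claims to serve (placeholder ids).
DECLARED_CHAINS = {
    "chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "ethereum",
}

# Constructed log lines: a normal balance query, an "Ethereum" wallet
# submitting a Sui transaction, an unvetted extension submitting a raw
# Ethereum transaction, and an unrelated non-RPC request.
SAMPLE_LOG = """\
{"initiator": "chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "url": "https://eth-rpc.example/", "body": {"jsonrpc": "2.0", "id": 1, "method": "eth_getBalance", "params": ["0x1234", "latest"]}}
{"initiator": "chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "url": "https://sui-rpc.example/", "body": {"jsonrpc": "2.0", "id": 2, "method": "sui_executeTransactionBlock", "params": ["<tx-bytes>", ["<sig>"]]}}
{"initiator": "chrome-extension://bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "url": "https://eth-rpc.example/", "body": {"jsonrpc": "2.0", "id": 3, "method": "eth_sendRawTransaction", "params": ["<raw-tx-hex>"]}}
{"initiator": "https://news.example/", "url": "https://news.example/api", "body": {"page": 2}}
"""


def chain_of_method(method: str) -> Optional[str]:
    """Return the chain family implied by a JSON-RPC method name, or None."""
    for prefix, chain in CHAIN_BY_PREFIX.items():
        if method.startswith(prefix):
            return chain
    return None


def analyze(log_text: str, declared_chains: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one finding per suspicious extension-originated RPC request."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = json.loads(raw)
        body = entry.get("body") or {}
        method = body.get("method")
        if body.get("jsonrpc") != "2.0" or not isinstance(method, str):
            continue  # not a JSON-RPC request; out of scope
        origin = entry["initiator"]
        if not origin.startswith("chrome-extension://"):
            continue  # only extension initiators are examined here
        declared = declared_chains.get(origin)
        if declared is None:
            # Any chain RPC from an extension nobody vetted is the first red flag.
            findings.append({"kind": "rpc_from_unknown_extension",
                             "origin": origin, "method": method})
            continue
        chain = chain_of_method(method)
        if chain is not None and chain != declared:
            # An "Ethereum" wallet talking to a Sui endpoint is the second.
            findings.append({"kind": "chain_mismatch", "origin": origin,
                             "method": method, "declared": declared, "seen": chain})
        if method in TX_SUBMIT_METHODS:
            findings.append({"kind": "tx_submission", "origin": origin,
                             "method": method})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG, DECLARED_CHAINS):
        print(finding)
```

Run against the constructed log, the check reports a chain mismatch and a transaction submission for the declared "Ethereum" extension that reached a Sui endpoint, and an unknown-extension finding for the unvetted one; the ordinary balance query and the non-RPC request produce nothing. Because the matching keys on the RPC method family rather than on a domain, URL or extension id, it holds up when the operator rotates endpoints, which is exactly the evasion the researchers describe.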