Fake Chrome Extension “Safery” Steals Ethereum Wallet Seed Phrases

Safery, a fake Chrome wallet extension, is stealing users’ Ethereum seed phrases by encoding them into Sui blockchain addresses and broadcasting tiny on-chain payments that let attackers reconstruct mnemonics and drain affected wallets.

The technique, described by researchers and reported by The Hacker News, uses microtransactions as a covert channel: the extension converts segments of the recovery phrase into recipient addresses on the Sui chain and issues minute transfers (researchers cite amounts such as 0.000001 SUI) from an attacker-controlled account.

In practice, the malicious add-on — listed in the Chrome Web Store as “Safery: Ethereum Wallet” (extension id fibemlnkopkeenmmgcfohhcdbkhgbolo) — intercepts wallet import or creation flows and encodes mnemonic fragments into syntactically valid Sui addresses before issuing on-chain transfers. Researchers at Socket and Koi Security examined the add-on and published technical analyses describing the encoder and the attacker-controlled Sui transactions (Socket analysis; Koi Security report). Related internal reporting covers similar Ethereum-based extension threats (Malicious VSX Extension “SleepyDuck” Leverages Ethereum for Command and Control; SleepyDuck Malware Evolves with Ethereum C2 Resilience).

Further, because the stolen data is embedded in public blockchain transactions, the attacker needs no conventional command-and-control server. By monitoring the Sui ledger and decoding recipient addresses back into mnemonic fragments, an attacker can reassemble the full recovery phrase offline and then drain the linked wallets — all without generating suspicious outbound HTTP traffic.

Beyond the technique’s stealth, the practical risk is immediate: the extension was uploaded on September 29, 2025 and updated as recently as November 12, 2025, and the live store listing remained reachable when researchers published their findings. Any user who imported a wallet while the extension performed on-chain writes may have exposed their recovery phrase.

Defenders should assume this pattern can be reused across chains and product names. “Treat unexpected blockchain RPC calls from the browser as high signal, especially when the product claims to be single chain,” Socket researcher Kirill Boychenko advised, underscoring that monitoring browser-originated RPCs and flagging on-chain writes during wallet import are practical detection points (Socket).
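The two detection points above (browser RPC calls to a chain the product does not claim to support, and on-chain writes issued during a wallet import or creation flow) can be turned into a small log-screening check. The following is an added example and is not code from Socket, Koi Security or the extension itself; the per-line JSON log format, the mapping from JSON-RPC method prefixes to chain families, the list of state-changing methods and the "claimed chain" table are assumptions made for illustration, and the log lines are constructed. It also adds a third rule the article only implies: a burst of writes during import, which is what sending many fragment-carrying microtransfers looks like from the browser side.

```python
"""Screen browser-originated blockchain RPC logs for the Safery pattern.

Added example (not from the Socket/Koi Security analyses). Assumptions:
one JSON object per log line with fields ts, ext_id, rpc_method, flow;
chain families identified by JSON-RPC method prefix; a per-extension
table of which chain the product claims to support.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: JSON-RPC method-name prefixes that identify the chain family.
CHAIN_BY_RPC_PREFIX = {
    "eth_": "ethereum",
    "sui_": "sui",
    "suix_": "sui",
    "unsafe_": "sui",  # Sui's unsafe_* transaction-building methods
}

# Assumed: methods that submit a transaction (write state on chain).
WRITE_METHODS = {
    "eth_sendRawTransaction",
    "eth_sendTransaction",
    "sui_executeTransactionBlock",
}

# Assumed: what each extension advertises. An Ethereum-only wallet has
# no reason to talk to Sui. The id below is the one named in the article.
CLAIMED_CHAIN = {
    "fibemlnkopkeenmmgcfohhcdbkhgbolo": "ethereum",
}

# Constructed sample log: one idle read, three Sui writes during import,
# then a normal Ethereum read from a second (hypothetical) extension.
SAMPLE_LOG = [
    '{"ts":"2025-11-12T10:00:00","ext_id":"fibemlnkopkeenmmgcfohhcdbkhgbolo","rpc_method":"eth_blockNumber","flow":"idle"}',
    '{"ts":"2025-11-12T10:00:05","ext_id":"fibemlnkopkeenmmgcfohhcdbkhgbolo","rpc_method":"sui_executeTransactionBlock","flow":"wallet_import"}',
    '{"ts":"2025-11-12T10:00:06","ext_id":"fibemlnkopkeenmmgcfohhcdbkhgbolo","rpc_method":"sui_executeTransactionBlock","flow":"wallet_import"}',
    '{"ts":"2025-11-12T10:00:07","ext_id":"fibemlnkopkeenmmgcfohhcdbkhgbolo","rpc_method":"sui_executeTransactionBlock","flow":"wallet_import"}',
    '{"ts":"2025-11-12T10:00:30","ext_id":"fibemlnkopkeenmmgcfohhcdbkhgbolo","rpc_method":"eth_getBalance","flow":"idle"}',
    '{"ts":"2025-11-12T10:01:00","ext_id":"hypothetical-benign-extension-id","rpc_method":"eth_getBalance","flow":"idle"}',
]


def chain_of(rpc_method):
    """Map an RPC method name to a chain family, or 'unknown'."""
    for prefix, chain in CHAIN_BY_RPC_PREFIX.items():
        if rpc_method.startswith(prefix):
            return chain
    return "unknown"


def parse_line(line):
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect(lines, burst_window=timedelta(seconds=10), burst_min=3):
    """Return a list of findings, each a dict with rule, ext_id and detail."""
    findings = []
    import_writes = defaultdict(list)  # ext_id -> timestamps of writes during import
    for line in lines:
        rec = parse_line(line)
        ext, method, flow = rec["ext_id"], rec["rpc_method"], rec["flow"]
        chain = chain_of(method)
        claimed = CLAIMED_CHAIN.get(ext)
        # Rule 1: the call targets a chain the product does not claim to support.
        if claimed and chain not in (claimed, "unknown"):
            findings.append({"rule": "chain_mismatch", "ext_id": ext,
                             "detail": f"{claimed} wallet called {chain} RPC {method}"})
        # Rule 2: any on-chain write while a wallet is being imported or created.
        if method in WRITE_METHODS and flow in ("wallet_import", "wallet_create"):
            findings.append({"rule": "write_during_import", "ext_id": ext,
                             "detail": f"{method} issued during {flow}"})
            import_writes[ext].append(rec["ts"])
    # Rule 3: several writes inside a short window during import, the shape
    # of a mnemonic being shipped out as a series of tiny transfers.
    for ext, stamps in import_writes.items():
        stamps.sort()
        for start in stamps:
            in_window = [t for t in stamps if start <= t <= start + burst_window]
            if len(in_window) >= burst_min:
                findings.append({"rule": "write_burst", "ext_id": ext,
                                 "detail": f"{len(in_window)} writes within {burst_window.seconds}s"})
                break
    return findings


def count_by_rule(findings):
    """Tally findings per rule, convenient for a dashboard or a test."""
    tally = defaultdict(int)
    for f in findings:
        tally[f["rule"]] += 1
    return dict(tally)


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["rule"], f["ext_id"], f["detail"])
```

Run against the constructed sample, the Ethereum-only reads produce nothing, while each of the three Sui writes during import trips both the chain-mismatch and the write-during-import rules, and the trio together trips the burst rule. The claimed-chain table is the part worth maintaining carefully: it is what lets a generic "browser talked to a blockchain RPC" event become the high-signal "single-chain product talked to a different chain" event the researcher describes.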