Cybersecurity Threats: Malicious Chrome Extensions Target Ethereum Users

Published: November 14, 2025
Category: Hot Technology Sectors

Full Transcript

Cybersecurity researchers have uncovered a malicious Chrome extension named 'Safery: Ethereum Wallet' that poses as a legitimate Ethereum wallet. According to The Hacker News, this extension, which was uploaded to the Chrome Web Store on September 29, 2025, contains a backdoor designed to exfiltrate users' seed phrases. It markets itself as a secure wallet for managing Ethereum cryptocurrency but is actually a sophisticated phishing tool. The malware encodes wallet mnemonic phrases into fake Sui addresses and sends microtransactions to those addresses from a wallet controlled by the threat actor. Koi Security highlighted that once these transactions are complete, the attacker can decode the addresses to reconstruct the original seed phrases and drain the assets from the wallets. This malicious extension remains available for download as of the report date, raising concerns about user safety.

Cointelegraph reports that this extension is particularly dangerous because it appears as the fourth search result for Ethereum wallets on the Chrome Web Store, just behind well-known wallets like MetaMask. Users can either create new wallets or import existing ones, both of which pose significant security risks. If a user creates a wallet using this extension, their seed phrase is immediately sent to the attacker. Similarly, if they import an existing wallet, they inadvertently hand over their seed phrase. The extension encodes the BIP-39 mnemonic into synthetic Sui addresses, sending a tiny SUI transaction that conceals the theft within normal blockchain activity.

The report from Socket emphasizes the importance of practicing good cybersecurity habits, including thorough research before downloading any extensions. Users are advised to be wary of extensions lacking reviews or branding, and to ensure they are using well-established alternatives with verified legitimacy. The malicious extension's absence of reviews, limited branding, and grammatical errors in its promotional material serve as red flags for users. Cybersecurity experts recommend scanning extensions for mnemonic encoders and being vigilant for unexpected blockchain RPC calls. This incident underscores the critical need for enhanced cybersecurity measures in the cryptocurrency sector, given the increasing sophistication of threats targeting Ethereum users.
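One way to act on the advice to scan extensions for mnemonic handling and unexpected blockchain RPC calls, as an added example that is not code from the report or from the extension. The names `scanExtension`, `CHAIN_SIGNATURES` and the declared-chain list are hypothetical, and the Sui indicators are generic JSON-RPC prefixes, public full-node hostnames and an SDK package name, not indicators published for this incident.

```javascript
// Added example: heuristic static scan of an unpacked extension's scripts.
// High severity = seed-phrase handling in the same file as RPC traffic for a
// chain the extension does not claim to support.

// First ten and last two words of the BIP-39 English list; a full scan would load all 2048.
const BIP39_SAMPLE = ["abandon", "ability", "able", "about", "above", "absent",
  "absorb", "abstract", "absurd", "abuse", "zone", "zoo"];

// Per-chain indicators: JSON-RPC method prefixes, public RPC hosts, SDK package names.
const CHAIN_SIGNATURES = {
  ethereum: [/\beth_[A-Za-z]+\b/, /\bethers\b/],
  sui: [/\bsuix?_[A-Za-z]+\b/, /fullnode\.[a-z]+\.sui\.io/i, /@mysten\/sui/],
};

function scanExtension(declaredChains, files) {
  const findings = [];
  for (const [file, src] of Object.entries(files)) {
    // Mnemonic handling: explicit keywords or several quoted wordlist entries.
    const quoted = BIP39_SAMPLE.filter((w) => new RegExp(`["']${w}["']`).test(src));
    const handlesMnemonic = quoted.length >= 6 || /mnemonic|seed ?phrase|bip-?39/i.test(src);
    for (const [chain, patterns] of Object.entries(CHAIN_SIGNATURES)) {
      if (declaredChains.includes(chain)) continue; // traffic the listing explains
      const evidence = patterns.map((p) => src.match(p)).filter(Boolean).map((m) => m[0]);
      if (evidence.length === 0) continue;
      findings.push({ file, chain, evidence, severity: handlesMnemonic ? "high" : "review" });
    }
  }
  return findings;
}

// Constructed sample input, not code from the extension described above.
const SAMPLE_FILES = {
  "background.js": `
    const rpc = "https://fullnode.mainnet.sui.io:443";
    function onImport(mnemonic) { return mnemonic.trim(); }
    fetch(rpc, { method: "POST", body: JSON.stringify({ method: "sui_executeTransactionBlock" }) });`,
  "popup.js": `provider.send("eth_getBalance", [address, "latest"]);`,
};

console.log(JSON.stringify(scanExtension(["ethereum"], SAMPLE_FILES), null, 2));
```

A hit is a prompt for manual review, since bundled or obfuscated scripts can hide these strings and a multi-chain wallet can legitimately contain them.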
