Malicious Chrome Extension Grants Full Control Over Ethereum Wallet
gbhackers

Security researchers have uncovered a sophisticated supply chain attack disguised as a legitimate cryptocurrency wallet.
Socket’s Threat Research Team discovered a malicious Chrome extension called “Safery: Ethereum Wallet,” published on the Chrome Web Store on November 12, 2024, that employs an ingenious technique to steal user seed phrases through hidden blockchain transactions.
The extension, identified by its ID fibemlnkopkeenmmgcfohhcdbkhgbolo, markets itself as a secure and straightforward Ethereum wallet offering quick two-click transfers and easy balance management.
However, beneath this benign exterior lies code that exfiltrates seed phrases by encoding them into Sui-style blockchain addresses and broadcasting microtransactions to those addresses from a threat actor-controlled wallet.
When users create or import a wallet, the malicious extension encodes their BIP-39 mnemonic into one or two synthetic Sui-style addresses.
The extension then sends 0.000001 SUI to these encoded addresses using a hardcoded threat actor mnemonic. By decoding the transaction ...
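The page describes the exfiltration channel (mnemonic packed into one or two Sui-style addresses, then a dust transfer to each) but not the exact byte layout. The following is an added example, not code from the extension or from Socket's analysis. It assumes a simple layout (one word-count byte followed by the bit-packed 11-bit BIP-39 word indices, zero-padded and cut into 32-byte addresses), which reproduces the one-address/two-address split the page mentions: 12 words need 1 + 17 bytes, 24 words need 1 + 33. The same decoder doubles as a detector for the defender: a BIP-39 index sequence carries its own SHA-256 checksum, so a recipient address that decodes to a checksum-valid sequence is very unlikely to be an ordinary wallet. The transfer log, the actor address and the victim entropy are all constructed here for illustration.

```python
import hashlib
from typing import Optional

WORD_BITS = 11                        # each BIP-39 word is an 11-bit index into a 2048-word list
VALID_COUNTS = (12, 15, 18, 21, 24)   # mnemonic lengths allowed by BIP-39
ADDR_BYTES = 32                       # a Sui address is 32 bytes, written as 0x + 64 hex chars


def entropy_to_indices(entropy: bytes) -> list:
    """BIP-39 encoding: append ENT/32 checksum bits taken from SHA-256(entropy), split into 11-bit indices."""
    ent = len(entropy) * 8
    cs = ent // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs)
    bits = (int.from_bytes(entropy, "big") << cs) | checksum
    total = ent + cs
    return [(bits >> (total - WORD_BITS * (i + 1))) & 0x7FF for i in range(total // WORD_BITS)]


def indices_valid(indices: list) -> bool:
    """True if the word indices carry a correct BIP-39 checksum (no word list needed for this)."""
    n = len(indices)
    if n not in VALID_COUNTS or any(not 0 <= i < 2048 for i in indices):
        return False
    total = n * WORD_BITS
    cs = total // 33                  # 4 checksum bits for 12 words ... 8 bits for 24 words
    bits = 0
    for i in indices:
        bits = (bits << WORD_BITS) | i
    entropy = (bits >> cs).to_bytes((total - cs) // 8, "big")
    return hashlib.sha256(entropy).digest()[0] >> (8 - cs) == bits & ((1 << cs) - 1)


def encode_to_addresses(indices: list) -> list:
    """ASSUMED exfil layout: [word count][bit-packed indices][zero pad], cut into 32-byte addresses."""
    n = len(indices)
    bits = 0
    for i in indices:
        bits = (bits << WORD_BITS) | i
    nbytes = (n * WORD_BITS + 7) // 8
    payload = bytes([n]) + (bits << (nbytes * 8 - n * WORD_BITS)).to_bytes(nbytes, "big")
    payload += b"\x00" * (-len(payload) % ADDR_BYTES)
    return ["0x" + payload[i:i + ADDR_BYTES].hex() for i in range(0, len(payload), ADDR_BYTES)]


def decode_from_addresses(addresses: list) -> Optional[list]:
    """Recovery step (attacker side), reused as a detector: word indices if the bytes decode to a
    checksum-valid BIP-39 sequence, else None."""
    try:
        payload = b"".join(bytes.fromhex(a[2:] if a.startswith("0x") else a) for a in addresses)
    except ValueError:
        return None
    if not payload or payload[0] not in VALID_COUNTS:
        return None
    n = payload[0]
    nbytes = (n * WORD_BITS + 7) // 8
    if len(payload) < 1 + nbytes:
        return None
    bits = int.from_bytes(payload[1:1 + nbytes], "big") >> (nbytes * 8 - n * WORD_BITS)
    indices = [(bits >> (WORD_BITS * (n - 1 - i))) & 0x7FF for i in range(n)]
    return indices if indices_valid(indices) else None


def flag_suspicious_transfers(transfers: list) -> list:
    """Detection heuristic over an outgoing-transfer log: per sender, try each recipient alone and
    each pair of consecutive recipients (the one-or-two-address split) and flag any that decode."""
    by_sender = {}
    for t in transfers:
        by_sender.setdefault(t["from"], []).append(t["to"])
    flagged = []
    for sender, recips in by_sender.items():
        for i in range(len(recips)):
            for width in (1, 2):
                chunk = recips[i:i + width]
                if len(chunk) == width and decode_from_addresses(chunk) is not None:
                    flagged.append({"from": sender, "to": chunk})
                    break
    return flagged


# Constructed sample data: victim mnemonics derived from fixed entropy (not real wallets) and a
# stand-in for the hardcoded actor wallet.
VICTIM_12 = entropy_to_indices(bytes(range(16)))
VICTIM_24 = entropy_to_indices(bytes(range(32)))
ACTOR = "0x" + "aa" * 32
SAMPLE_TRANSFERS = [
    {"from": ACTOR, "to": encode_to_addresses(VICTIM_12)[0], "amount": "0.000001 SUI"},
    {"from": ACTOR, "to": "0x" + "ab" * 32, "amount": "0.000001 SUI"},           # ordinary-looking dust
    *[{"from": ACTOR, "to": a, "amount": "0.000001 SUI"} for a in encode_to_addresses(VICTIM_24)],
    {"from": "0x" + "cc" * 32, "to": "0x" + "dd" * 32, "amount": "5 SUI"},        # unrelated transfer
]

if __name__ == "__main__":
    for hit in flag_suspicious_transfers(SAMPLE_TRANSFERS):
        print("possible seed-phrase exfil from", hit["from"], "->", hit["to"])
```

The checksum test is what makes the heuristic usable: a random 32-byte address only passes if its first byte is one of five values and the trailing checksum bits happen to match, so false positives are rare, while a true exfil address always passes. Applied to the extension's real traffic the decoder would need the actual layout, but the surrounding approach (watch a known actor wallet for dust transfers and try to decode the recipients) does not depend on it.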
Copyright of this story solely belongs to gbhackers . To see the full text click HERE