A dangerous new Ethereum wallet threat has surfaced in the form of a malicious Chrome extension, “Safery: Ethereum Wallet.” Disguised as a legitimate cryptocurrency management tool, this extension, published on November 12, 2024, secretly harvests user seed phrases, granting attackers complete control over their digital assets.
Security analysts from Socket.dev identified the sophisticated malware and its novel stealth techniques. The extension’s primary goal is to steal the crucial seed phrase, the master key to any cryptocurrency wallet, enabling assailants to drain victims’ funds entirely. This discovery highlights the persistent risks within the decentralized finance ecosystem.
Technical Mechanism of the Safery Ethereum Wallet Exploit
The Safery extension employs a cunning strategy to exfiltrate sensitive user data. When a user creates or imports an Ethereum wallet, the extension intercepts and encodes the seed phrase into seemingly innocuous synthetic Sui blockchain addresses. It then broadcasts microtransactions of a minuscule amount of SUI (0.000001 SUI) to these encoded addresses from a wallet controlled by the threat actor.
These transactions, appearing as normal blockchain activity to casual observers, contain hidden user data. The technical mechanism involves using BIP-39 mnemonic encoding. As detailed by Socket.dev researchers, each word from the seed phrase is transformed into a numeric index and then packed into hexadecimal strings that mimic legitimate Sui wallet addresses. This clever obfuscation avoids the need for traditional command-and-control servers, making the malware harder to detect.
Upon closer examination of the extension’s code, analysts discovered that it loads a standard wordlist, maps each word to its corresponding index, and constructs these synthetic addresses, all prefixed with “0x”. Crucially, a paired decoder embedded within the malware allows the threat actor to reverse this process, reconstructing the original seed phrase word by word. These operations execute silently after a user enters their seed phrase, exfiltrating the data across the blockchain before the wallet login process is even completed.
The Deceptive Nature of the Ethereum Wallet Extension
The effectiveness of this exploit is amplified by the extension’s placement within the official Chrome Web Store. Users searching for Ethereum wallet solutions encounter Safery prominently listed, often appearing as the fourth search result alongside well-established and trusted alternatives like MetaMask and Enkrypt. This prime positioning lends the malicious extension a false sense of credibility, making it a tempting choice for unsuspecting users.
Once a victim installs the extension and proceeds to import or create their wallet, the attacker gains access to all derived Ethereum private keys. This compromise allows the threat actor to transfer all the victim’s digital assets to their own addresses, leading to a complete financial loss. The deceptive marketing and sophisticated technical execution make this a particularly dangerous threat to the cryptocurrency community.
Implications and Future Security Measures
The incident underscores the critical importance of rigorous vetting processes for browser extensions, especially those handling sensitive financial information like cryptocurrency wallets. While the Safery extension has reportedly been removed from the Chrome Web Store following the discovery, similar threats may continue to emerge.
Users are strongly advised to exercise extreme caution when installing any browser extension, particularly those that manage financial assets. Download extensions only from developers with a proven track record, always check reviews, and carefully review the permissions an extension requests before granting access. Ongoing vigilance and a proactive approach to cybersecurity are essential for safeguarding digital assets in the evolving threat landscape.