For a few days in November, a malicious Chrome extension ranked as the fourth result for “Ethereum wallet” on the Chrome Web Store.
The extension, called “Safery: Ethereum Wallet,” looked polished enough to pass as legitimate. It had a clean icon, a generic name adjacent to security language, a flood of five-star reviews, and boilerplate descriptions familiar to anyone who’s downloaded a crypto wallet.
Behind that frontend was a purpose-built attack designed to steal seed phrases and empty user wallets by encoding stolen secrets into micro-transactions on the Sui blockchain.
Socket, a security tooling company focused on open-source software supply chains, installed and analyzed the extension after it was discovered.
Their aim was to understand how “Safery” avoided detection, climbed the Chrome Store rankings, and moved stolen seed phrases without raising alarms, as well as what users could do to spot similar threats. The report walks through the attacker’s approach and serves as both a postmortem and a warning that browser extensions remain a dangerous blind spot in crypto.
This case is noteworthy because the hackers didn’t just steal seed phrases. That part is, unfortunately, well-trodden territory in crypto.
What makes it notable is that Safery didn’t spoof an existing wallet brand. It wasn’t a MetaMask lookalike or a recycled phishing domain. It invented an identity, bought or botted fake reviews to climb search rankings, and launched as a “new” wallet option.
This approach meant the listing showed no immediate red flags: no broken grammar, no odd permissions, and no redirection to shady domains.
The Chrome Web Store publisher page had no prior complaints, and its support URL led to an off-platform site that hadn’t been flagged by security trackers at the time of Socket’s analysis.
Given its polished appearance, most users wouldn’t have hesitated before clicking “Add to Chrome.” The extension asked to run on “all websites,” a common request for crypto wallets that need access to decentralized apps.
Notably, it didn’t prompt for extra permissions or try to inject content scripts that would trigger Chrome’s more aggressive warnings. The branding was minimalist, the website matched the extension’s name, and the setup screen prompted users to create or import a wallet, again, standard behavior.
The seed heist, broadcast over Sui
The real damage began once a seed phrase was entered. Instead of storing the phrase locally or encrypting it for user access, the extension silently split it into fragments and encoded them as what appeared to be random wallet addresses.
Socket’s research shows these fragments were inserted into Sui blockchain transactions. Specifically, the extension issued tiny SUI token transfers, minuscule amounts that would draw no attention, to addresses controlled by the attacker.
Hidden inside those transactions, either in memo fields or obfuscated addresses, were pieces of the user’s seed phrase.
This approach had tactical advantages. It didn’t require the extension to send outbound requests to malicious servers. There was no command-and-control beacon or exfiltration over HTTP or WebSockets that a browser or antivirus might flag.
The payload left the user’s device as a normal-looking blockchain transaction, routed through a widely used, low-fee chain. Once on-chain, the data was publicly accessible, allowing the attacker to retrieve it later, reconstruct the seed phrase, and sweep wallets without touching the user’s device again.
In effect, the scam used the Sui blockchain itself as a communications channel. And because Sui has fast confirmation times and negligible transaction costs, it functioned like a low-latency message bus.
Socket traced multiple examples of these seed-fragment transactions and confirmed the link between seed entry and eventual asset loss. While the thefts occurred off-chain, either on Ethereum or other L1s where the victims’ wallets held funds, the instructions for carrying them out were hidden in plain sight.
Before releasing the version that landed in Chrome’s top wallet results, the publisher likely tested this method in private. Evidence shows earlier builds experimented with simpler data leaks before the Sui encoding was refined.
By the time the active extension was flagged, it had enough installs to reach Chrome’s “trending” tier, further boosting its visibility. Brave New Coin reported that the “Safery” wallet sat among the top results for “Ethereum wallet” searches even as reports of suspicious behavior circulated on Reddit and Telegram.
How the Chrome algorithm let it happen
The success of “Safery” hinged on Chrome’s ranking logic. The Web Store search algorithm weighs keyword match, install count, review velocity, average rating, and update recency.
Extensions with a burst of activity, especially in niche categories, can climb rapidly if better-vetted competitors aren’t updated frequently. In this case, “Safery” had a name that scored well for common queries, a blitz of positive reviews, many templated or duplicated, and a fresh upload date.
No evidence shows that Google manually reviewed this listing before publication. Chrome Web Store policy treats most new extensions with a brief automated scan and fundamental static analysis.
Extensions undergo deeper scrutiny when they request elevated permissions, such as access to tabs, clipboard, file systems, or history. Wallet extensions often avoid these flags by operating within iframes or using approved APIs. “Safery” stayed within those bounds.
Even when users raised concerns, the time between reporting and takedown stretched long enough for damage to occur. Part of that lag is structural: Chrome doesn’t act on flagged extensions instantly unless there’s an overwhelming consensus or known malware signatures.
In this case, the payload was obfuscated JavaScript that relied on blockchain infrastructure, not external hosts. Traditional malware detection methods didn’t catch it.
This isn’t the first time Chrome extensions have been used to steal crypto. Previous scams include fake Ledger Live apps that prompted users to enter recovery phrases, or hijacked legitimate extensions that allowed attackers to access the developer’s publishing key.
What makes “Safery” different is the smoothness of the facade and the absence of backend infrastructure. There was no phishing site to take down, no server to block, just one extension moving secrets onto a public chain and walking away.
Users still had some recourse. If they acted quickly, they could limit exposure by rotating seeds and revoking transaction approvals.
Socket and others provided triage steps for anyone who installed the extension: uninstall immediately, revoke any token approvals, sweep assets to a new wallet using a clean device, and monitor associated addresses. For users who didn’t notice the exfiltration or who stored large amounts in hot wallets, recovery remained unlikely.
The real trouble begins before the wallet ever loads
Security researchers and developers are calling for stronger heuristics from Chrome itself. One proposed solution is to automatically flag any extension that includes UI elements prompting for a 12- or 24-word phrase.
Another approach is to require publisher attestation for wallet extensions, which provides verifiable proof that a given publisher controls the codebase behind a known wallet brand. There are also calls for tighter inspection of wallet-related permissions, even when those don’t include dangerous access patterns.
For end users, Socket published a practical checklist for extension management. Before installing any crypto extension, users should review the publisher’s history, verify association with a known project, inspect the review pattern, especially bursts of identical reviews, check for real website links with public GitHub repositories, and scan the permissions tab for vague or sweeping access.
A clean name and high rating aren’t enough.
This case raises broader questions about the browser’s role in crypto. Browser wallets gained popularity due to accessibility and ease of use. They enable users to interact with decentralized applications without switching platforms or downloading separate apps.
But that accessibility has come at the cost of exposure. The browser is a high-risk environment subject to extension manipulation, session hijacking, clipboard scrapers, and now covert blockchain exfiltration.
Wallet developers are likely to rethink distribution models. Some teams already discourage Chrome Web Store installs, preferring mobile apps or desktop binaries. Others may build warnings for users attempting to install from unverified sources.
The core problem remains: distribution is fragmented, and most users don’t know how to distinguish a legitimate wallet from a polished clone.
The “Safery” extension didn’t need to look like MetaMask or masquerade as Phantom. It created its own brand, seeded fake trust signals, and built an invisible backdoor that used the Sui blockchain as a courier.
That should force a rethink of how trust is established in crypto UX, and how close to the metal even casual tools like browser extensions really are.
Crypto users assume Web3 means sovereignty and self-custody. But in the wrong hands, a browser wallet isn’t a vault, it’s an open port. And Chrome won’t always warn you before something slips through.
