
For a few days in November, a malicious Chrome extension ranked fourth for “Ethereum wallet” in the Chrome Web Store.
The extension, called ‘Safery: Ethereum Wallet’, looked polished enough to pass as legitimate. It had a clean icon, a generic name bordering on security-speak, a flood of five-star reviews, and boilerplate descriptions familiar to anyone who has downloaded a crypto wallet.
Behind that frontend was a purpose-built attack designed to steal seed phrases and empty user wallets by encoding stolen secrets into microtransactions on the Sui blockchain.
Socket, a security tools company focused on open source software supply chains, installed and analyzed the extension after it was discovered.
Their goal was to understand how ‘Safery’ avoided detection, climbed the Chrome Store rankings, and moved stolen seed phrases without raising alarms, and what users could do to track down similar threats. The report details the attacker’s approach and serves as both a postmortem and a warning that browser extensions remain a dangerous blindspot in crypto.
This case is notable because the hackers didn’t just steal seed phrases. That part is unfortunately well-trodden territory in crypto.
What makes it remarkable is that Safery did not spoof an existing wallet brand. It wasn’t a MetaMask lookalike or a recycled phishing domain. It created its own identity, bought or planted fake reviews to rank higher in search results, and launched as a ‘new’ wallet option.
This approach meant that the entry showed no immediate red flags: no broken grammar, no strange permissions, and no redirects to shady domains.
The Chrome Web Store publisher page had no previous complaints, and the support URL led to an off-platform site that was not flagged by security trackers at the time of Socket’s analysis.
Given its polished appearance, most users wouldn’t have hesitated before clicking ‘Add to Chrome’. The extension asked to run on “all websites,” a common request for crypto wallets that need access to decentralized apps.
Surprisingly, it didn’t ask for additional permissions or attempt to inject content scripts that would trigger Chrome’s more aggressive warnings. The branding was minimalist, the website matched the extension’s name, and the installation screen asked users to create or import a wallet, again standard behavior.
The Seed Heist, broadcast via Sui
The real damage started as soon as a seed phrase was introduced. Instead of storing the phrase locally or encrypting it for user access, the extension silently split it into fragments and encoded them as what appeared to be random wallet addresses.
Socket’s research shows that these fragments were inserted into Sui blockchain transactions. Specifically, the extension issued small SUI token transfers, minuscule amounts that would not attract attention, to addresses controlled by the attacker.
Hidden within these transactions, either in memo fields or in obfuscated addresses, were fragments of the user’s seed phrase.
This approach had tactical advantages. The extension did not need to send outgoing requests to malicious servers. There was no command-and-control beacon and no exfiltration over HTTP or WebSockets that a browser or antivirus could flag.
The payload left the user’s device as a normal-looking blockchain transaction, routed through a widely used, low-cost chain. Once on the chain, the data was publicly accessible, allowing the attacker to retrieve it later, reconstruct the seed phrase, and drain wallets without touching the user’s device again.
In fact, the scam used the Sui blockchain itself as a communication channel. And because Sui has fast confirmation times and negligible transaction fees, it functioned as a low-latency messaging bus.
Socket traced multiple examples of these seed fragment transactions and confirmed the link between seed entry and eventual asset loss. Although the thefts themselves occurred off the Sui chain, on Ethereum or other L1s where the victims’ wallets held funds, the instructions for executing them were hidden in plain sight.
Before releasing the version that made it into Chrome’s top wallet results, the publisher likely tested this method privately. There is evidence that previous builds experimented with simpler data leaks before refining the Sui encoding.
By the time the active extension was flagged, it had enough installs to reach Chrome’s “trending” level, further increasing its visibility. Brave New Coin reported that the “Safery” wallet was among the top results for searches for “Ethereum wallet,” even as reports of suspicious behavior circulated on Reddit and Telegram.
How the Chrome algorithm made this happen
The success of ‘Safery’ depended on Chrome’s ranking logic. The Web Store’s search algorithm weighs keyword match, install count, rating velocity, average rating, and freshness of updates.
Extensions with a burst of activity, especially in niche categories, can rise quickly if better-vetted competitors aren’t updated regularly. In this case, “Safery” had a name that scored well for the relevant search queries, a blitz of positive reviews (many of them templated or duplicated), and a recent upload date.
There is no indication that Google manually reviewed this listing before publishing. The Chrome Web Store Policy covers most new extensions with a quick automated scan and basic static analysis.
Extensions undergo more thorough investigation when they request elevated permissions, such as access to tabs, clipboard, file systems, or history. Wallet extensions often avoid these flags by working within iframes or using approved APIs. “Safery” remained within those limits.
Even when users raised concerns, the time between notification and removal was long enough to cause damage. Some of that delay is structural: Chrome doesn’t immediately respond to flagged extensions unless there’s overwhelming consensus or known malware signatures.
In this case, the payload was obfuscated JavaScript that relied on blockchain infrastructure rather than external hosts. Traditional malware detection methods, which look for known signatures or connections to malicious servers, had nothing to match.
This isn’t the first time Chrome extensions have been used to steal crypto. Previous scams included fake Ledger Live apps that tricked users into entering recovery phrases, or hijacked legitimate extensions that allowed attackers to gain access to the developer’s publish key.
What makes “Safery” different is the smoothness of the facade and the absence of backend infrastructure. There was no phishing site to delete, no server to block, just one extension that moved secrets to a public chain and walked away.
Users still had some recourse. If they acted quickly, they could limit exposure by rotating seeds and withdrawing transaction approvals.
Socket and others provided triage steps for anyone who installed the extension: immediately remove it, revoke any token approvals, move assets to a new wallet with a clean device, and monitor associated addresses. For users who did not notice the exfiltration or who stored large amounts in hot wallets, recovery remained unlikely.
The real trouble starts before the wallet is ever loaded
Security researchers and developers are calling for stronger heuristics from Chrome itself. One proposed solution is to automatically flag any extension that contains UI elements asking for a 12- or 24-word seed phrase.
Another approach is to require publisher attestations for wallet extensions, providing verifiable evidence that a given publisher controls the codebase behind a well-known wallet brand. Researchers also call for stricter inspection of wallet-related permissions, even when they do not match known dangerous access patterns.
For end users, Socket has published a practical extension management checklist. Before installing a crypto extension, users should review the publisher’s history, verify its association with a known project, inspect the review pattern (especially bursts of identical reviews), check for genuine website links to public GitHub repositories, and scan the permissions tab for vague or overly broad access.
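The two heuristics proposed above (flagging seed-phrase entry UI and scrutinizing wallet permissions) and the checklist’s permission scan can be combined into a simple static triage of an unpacked extension. The following is an added illustration, not Socket’s tooling or the Chrome Web Store’s review logic; the manifest, source snippets, and RPC hostname are constructed samples, and the chain keywords are an assumed list.

```python
import json
import re

# Constructed sample listing: advertised as an Ethereum wallet, asks for a
# recovery phrase, has broad host access, and its background code talks to Sui.
SAMPLE_MANIFEST = json.dumps({
    "name": "Example Ethereum Wallet",  # constructed, not the real listing
    "manifest_version": 3,
    "host_permissions": ["<all_urls>"],
})
SAMPLE_SOURCES = {
    "popup.html": '<textarea placeholder="Enter your 12 or 24 word recovery phrase"></textarea>',
    "background.js": 'const rpc = "https://sui-rpc.example.invalid"; fetch(rpc, {method: "POST"});',
}

# Phrases that signal a seed-phrase entry UI (the heuristic proposed for Chrome).
SEED_UI_RE = re.compile(r"(12|24)[- ]?word|seed phrase|recovery phrase|mnemonic", re.I)
# Host patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Assumed keyword list for chains a listing might quietly talk to.
CHAIN_HINTS = {"sui": re.compile(r"\bsui\b", re.I), "solana": re.compile(r"\bsolana\b", re.I)}


def scan_extension(manifest_json: str, sources: dict, claimed_chain: str = "ethereum") -> list:
    """Return findings for an unpacked extension: broad host access, seed-phrase UI,
    and code referencing a chain the listing never claims to support."""
    manifest = json.loads(manifest_json)
    findings = []
    hosts = set(manifest.get("host_permissions", [])) | set(manifest.get("permissions", []))
    if hosts & BROAD_HOSTS:
        findings.append("broad-host-access")
    for path, text in sources.items():
        if SEED_UI_RE.search(text):
            findings.append(f"seed-phrase-ui:{path}")
        for chain, pattern in CHAIN_HINTS.items():
            if chain != claimed_chain.lower() and pattern.search(text):
                findings.append(f"undeclared-chain:{chain}:{path}")
    return findings


def risk_level(findings: list) -> str:
    """Seed entry combined with an undeclared chain is the pairing worth manual review."""
    kinds = {f.split(":")[0] for f in findings}
    if {"seed-phrase-ui", "undeclared-chain"} <= kinds:
        return "review"
    if "seed-phrase-ui" in kinds:
        return "watch"
    return "pass"
```

Broad host access alone is expected for a wallet, which is why the risk level keys on the seed-entry plus undeclared-chain combination rather than on permissions by themselves.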
A nice name and a high rating are not enough.
This case raises broader questions about the role of the browser in crypto. Browser wallets have become popular because of their accessibility and ease of use. They allow users to interact with decentralized applications without switching platforms or downloading separate apps.
But that accessibility comes at the expense of visibility. The browser is a high-risk environment subject to extension manipulation, session hijacking, clipboard scraping, and now secret blockchain exfiltration.
Wallet developers will likely rethink distribution models. Some teams already discourage installations from the Chrome Web Store, preferring mobile apps or desktop binaries. Others may set up warnings for users who attempt to install from unverified sources.
The core problem remains: the distribution is fragmented and most users don’t know how to distinguish a legitimate wallet from a polished clone.
The “Safery” extension didn’t have to look like MetaMask or pretend to be Phantom. It created its own brand, spread false trust signals and built an invisible backdoor that used the Sui blockchain as a courier.
That should force a rethink of how trust is established in crypto UX, and how close to the metal even informal tools like browser extensions really are.
Crypto users assume that Web3 means sovereignty and self-control. But in the wrong hands, a browser wallet isn’t a safe, it’s an open gate. And Chrome doesn’t always warn you before something slips through.

