Full Report
Cybersecurity researchers have uncovered a malicious Chrome extension that poses as a legitimate Ethereum wallet but harbors functionality to exfiltrate users' seed phrases. The name of the extension is "Safery: Ethereum Wallet," with the threat actor describing it as a "secure wallet for managing Ethereum cryptocurrency with flexible settings." It was uploaded to the Chrome Web Store on
Analysis Summary
# Tool/Technique: Safery: Ethereum Wallet (Malicious Chrome Extension)
## Overview
"Safery: Ethereum Wallet" is a malicious Google Chrome browser extension disguised as a legitimate cryptocurrency wallet designed for managing Ethereum (ETH). Its primary purpose is to steal users' wallet seed phrases (mnemonic phrases) and exfiltrate them without relying on traditional Command and Control (C2) servers.
## Technical Details
- Type: Malware (Malicious Browser Extension/Backdoor)
- Platform: Google Chrome Browser (via Chrome Web Store)
- Capabilities: Seed phrase extraction, encoding/obfuscation of stolen data into blockchain transactions, exfiltration via micro-transactions on the Sui blockchain.
- First Seen: Uploaded to Chrome Web Store on September 29, 2025.
## MITRE ATT&CK Mapping
The techniques primarily revolve around credential access and exfiltration via unconventional means:
- **TA0009 - Collection**
  - **T1555 - Credentials from Password Stores** (Applicable, as wallet seeds are master credentials)
  - **T1552.003 - Credentials from Local System: Web Session Cookie** (Browser extensions often interact with stored session data or input fields)
- **TA0010 - Exfiltration**
  - **T1048 - Exfiltration Over Alternative Protocol** (Using blockchain transactions as an alternative channel)
  - **T1041 - Exfiltration Over C2 Channel** (Though it avoids a direct C2, the blockchain acts as the transport medium)
## Functionality
### Core Capabilities
- **Masquerading:** Poses as a secure Ethereum wallet extension ("Safery: Ethereum Wallet").
- **Seed Phrase Theft:** Targets and captures users' wallet mnemonic phrases, typically during import or creation processes.
- **Data Encoding:** Encodes the stolen seed phrases into the format of fake Sui blockchain addresses, sometimes using a process to generate synthetic addresses.
- **Exfiltration via Blockchain Microtransactions:** Sends minuscule transactions (0.000001 SUI) to a hard-coded, threat actor-controlled Sui wallet address. The encoded seed phrase is embedded within the destination address.
### Advanced Features
- **C2 Avoidance:** The embedding of data within public blockchain transactions eliminates the need for the extension to communicate with a typical external C2 server, making detection based on blocked domains or URLs more difficult.
- **Cross-Chain Ambiguity:** The technique involves using the Sui blockchain for exfiltration, which could surprise security tools monitoring only Ethereum traffic or standard web traffic endpoints.
- **Evasion:** The resulting network activity appears as legitimate (albeit small) blockchain transactions.
## Indicators of Compromise
*Note: Specific hashes or concrete network indicators (C2 domains) were not fully identified in the general description, only the **methodology**.*
- File Hashes: [Not provided in the summary]
- File Names: "Safery: Ethereum Wallet" (Extension Name)
- Registry Keys: [Not applicable for a typical Chrome Extension]
- Network Indicators: Sending 0.000001 SUI microtransactions to an attacker-controlled Sui wallet address (Specific address not provided). RPC calls involving unexpected blockchain endpoints when the extension claims to be single-chain.
- Behavioral Indicators: Detecting code within extensions designed to encode mnemonic phrases into addresses, generating synthetic addresses, or performing write operations (transactions) on the blockchain immediately after wallet import/creation.
## Associated Threat Actors
- [Unknown/Not specified in the provided text, only referred to as a "threat actor."]
## Detection Methods
- **Signature-based detection:** Looking for specific extension IDs (`fibemlnkopkeenmmgcfohhcdbkhgbolo` noted in the analysis link).
- **Behavioral detection:** Monitoring browser extensions for performing blockchain RPC calls, particularly unusual calls or calls to chains not advertised (e.g., an Ethereum wallet extension making Sui transactions).
- **Code Analysis:** Scanning extension manifests and scripts for mnemonic phrase encoders or synthetic address generators.
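The following Python script is an added example of the signature and code-analysis checks listed above; it is not tooling from the original report. It takes an extension ID, its parsed `manifest.json` and its bundled JavaScript, and returns findings for three heuristics: a known-bad ID (the `fibemlnkopkeenmmgcfohhcdbkhgbolo` value is the one the analysis cites), a mismatch between the chain the store listing claims and the chains the code or host permissions reach, and mnemonic handling next to a hard-coded 64-hex (Sui-sized) address literal. The regexes, the sample manifest's host permissions and the script excerpt are constructed assumptions for the demonstration, not the extension's actual code.

```python
import re

# The extension ID below is the one the analysis reports; every other value in this
# example (patterns, the sample manifest and the script excerpt) is constructed.
KNOWN_BAD_IDS = {
    "fibemlnkopkeenmmgcfohhcdbkhgbolo": "Safery: Ethereum Wallet (reported malicious)",
}

# Heuristic indicators of which chain a piece of text talks about (assumptions, not a
# published signature set; tune for your environment).
CHAIN_PATTERNS = {
    "ethereum": re.compile(r"\b(ethereum|eth_[a-zA-Z]+|infura|alchemy)\b", re.I),
    "sui": re.compile(r"\b(sui|suix?_[a-zA-Z]+|fullnode\.[a-z]+\.sui\.io)\b", re.I),
}
MNEMONIC_PATTERN = re.compile(r"mnemonic|seed\s*phrase|bip39", re.I)
# Sui addresses are 32 bytes (64 hex chars) while Ethereum addresses are 20 bytes (40 hex
# chars), so a quoted 64-hex literal inside an "Ethereum-only" wallet is worth a look.
SUI_SIZED_ADDRESS = re.compile(r"""["']0x[0-9a-fA-F]{64}["']""")


def chains_in(text):
    """Set of chain names the text refers to, per CHAIN_PATTERNS."""
    return {chain for chain, pattern in CHAIN_PATTERNS.items() if pattern.search(text)}


def audit_extension(ext_id, manifest, script):
    """Return human-readable findings for one unpacked extension.

    manifest: parsed manifest.json (dict); script: the bundled JS concatenated into a string.
    """
    findings = []
    if ext_id in KNOWN_BAD_IDS:
        findings.append(f"known-bad id: {KNOWN_BAD_IDS[ext_id]}")
    claimed = chains_in(manifest.get("name", "") + " " + manifest.get("description", ""))
    referenced = chains_in(script) | chains_in(" ".join(manifest.get("host_permissions", [])))
    for chain in sorted(referenced - claimed):
        findings.append(f"chain mismatch: code reaches {chain} but the listing only claims {sorted(claimed)}")
    literals = SUI_SIZED_ADDRESS.findall(script)
    if MNEMONIC_PATTERN.search(script) and literals:
        findings.append(f"mnemonic handling alongside {len(literals)} hard-coded 64-hex address literal(s)")
    return findings


# Constructed sample: the listing text is quoted from the report; permissions and code are invented.
SAMPLE_MANIFEST = {
    "name": "Safery: Ethereum Wallet",
    "description": "Secure wallet for managing Ethereum cryptocurrency with flexible settings",
    "host_permissions": ["https://*.infura.io/*", "https://fullnode.mainnet.sui.io/*"],
}
SAMPLE_SCRIPT = """
// constructed excerpt for the audit, not code from any real extension
import { validateMnemonic } from "bip39";
const DEST = "0x%s";           // hard-coded 32-byte destination address (placeholder)
const RPC = "https://fullnode.mainnet.sui.io";
async function onImport(mnemonic) {
  if (!validateMnemonic(mnemonic)) return;
  await submitTransfer(RPC, DEST, "0.000001");
}
""" % ("ab" * 32)

# A legitimate single-chain wallet also handles mnemonics, so that alone must not fire.
BENIGN_MANIFEST = {"name": "Example ETH Wallet", "description": "Ethereum only",
                   "host_permissions": ["https://*.infura.io/*"]}
BENIGN_SCRIPT = 'import { validateMnemonic } from "bip39"; fetch("https://mainnet.infura.io/v3/KEY");'

if __name__ == "__main__":
    for finding in audit_extension("fibemlnkopkeenmmgcfohhcdbkhgbolo", SAMPLE_MANIFEST, SAMPLE_SCRIPT):
        print("FINDING:", finding)
    print("benign:", audit_extension("a" * 32, BENIGN_MANIFEST, BENIGN_SCRIPT))
```

To run this against real installs, point it at each unpacked extension directory under the Chrome profile, load `manifest.json` and concatenate the `.js` files; the benign case shows why the mnemonic heuristic is tied to a hard-coded Sui-sized literal rather than firing on every wallet that validates a seed phrase.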
## Mitigation Strategies
- **Verification:** Users should only install wallet extensions from highly trusted sources and cross-reference developer details rigorously before installation.
- **Principle of Least Privilege (Behavioral):** Defenders should monitor and potentially block unexpected blockchain RPC calls originating from browser processes, especially when the claimed function of the extension is narrow (e.g., single-chain).
- **Scanning:** Regularly audit installed extensions for suspicious functionality related to cryptographic key handling or blockchain interaction beyond core wallet functions.
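As an added example of the behavioral monitoring recommended above (it is not part of the original report), the script below scans JSON-lines telemetry of RPC calls made from browser processes and raises two kinds of alert: a call to a chain the extension's store listing does not claim, and a chain write submitted within a short window after a wallet import or creation event, annotated when the amount matches the 0.000001 SUI dust value the report describes. The telemetry field layout, the host-to-chain table, the 60-second window and the log lines are constructed assumptions; the extension ID is the one the analysis cites.

```python
import json
from datetime import datetime, timedelta

# Claimed chain per extension, taken from the store listing: the ID is the one the
# analysis reports, the mapping table itself is an assumption you maintain locally.
CLAIMED_CHAIN = {"fibemlnkopkeenmmgcfohhcdbkhgbolo": "ethereum"}
# Which chain an RPC host belongs to (assumed mapping; extend from your own allow-list).
HOST_CHAIN = {"mainnet.infura.io": "ethereum", "fullnode.mainnet.sui.io": "sui"}
# JSON-RPC methods that write to the chain (names as documented for each chain's public API).
WRITE_METHODS = {"eth_sendTransaction", "eth_sendRawTransaction", "sui_executeTransactionBlock"}
WINDOW = timedelta(seconds=60)   # "immediately after import" threshold, an assumption
DUST_SUI = 0.000001              # amount the report describes


def detect(log_lines):
    """Scan JSON-lines telemetry from browser processes; return (ext_id, rule, detail) alerts."""
    alerts = []
    last_import = {}  # ext_id -> timestamp of the last wallet import/create event
    for line in log_lines:
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"])
        ext = rec["extension_id"]
        if rec.get("event") in ("wallet_import", "wallet_create"):
            last_import[ext] = ts
            continue
        host, method = rec["host"], rec["method"]
        claimed = CLAIMED_CHAIN.get(ext)
        chain = HOST_CHAIN.get(host, "unknown")
        # Rule 1: a single-chain extension talking to some other chain's RPC endpoint.
        if claimed and chain != claimed:
            alerts.append((ext, "cross-chain-rpc", f"{method} to {host} from a {claimed}-only extension"))
        # Rule 2: a chain write shortly after the user imported or created a wallet.
        if method in WRITE_METHODS and ext in last_import and ts - last_import[ext] <= WINDOW:
            detail = f"{method} {(ts - last_import[ext]).seconds}s after wallet import"
            if rec.get("amount_sui") is not None and float(rec["amount_sui"]) <= DUST_SUI:
                detail += f", dust amount {rec['amount_sui']} SUI"
            alerts.append((ext, "write-after-import", detail))
    return alerts


# Constructed telemetry; the field layout is invented for this example.
SAMPLE_LOG = [
    '{"ts": "2025-09-29T12:00:00", "extension_id": "fibemlnkopkeenmmgcfohhcdbkhgbolo", "event": "wallet_import"}',
    '{"ts": "2025-09-29T12:00:02", "extension_id": "fibemlnkopkeenmmgcfohhcdbkhgbolo", "host": "mainnet.infura.io", "method": "eth_getBalance"}',
    '{"ts": "2025-09-29T12:00:05", "extension_id": "fibemlnkopkeenmmgcfohhcdbkhgbolo", "host": "fullnode.mainnet.sui.io", "method": "sui_executeTransactionBlock", "amount_sui": "0.000001"}',
    # An extension with no claimed-chain entry doing an ordinary write with no prior import: no alert.
    '{"ts": "2025-09-29T12:05:00", "extension_id": "' + "b" * 32 + '", "host": "mainnet.infura.io", "method": "eth_sendTransaction"}',
]

if __name__ == "__main__":
    for ext_id, rule, detail in detect(SAMPLE_LOG):
        print(f"[{rule}] {ext_id}: {detail}")
```

The two rules are deliberately independent: the cross-chain rule needs only the listing-to-chain table, while the write-after-import rule needs an extension event source; a proxy or EDR that sees only network traffic can still run the first one.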
## Related Tools/Techniques
- Other malicious crypto wallet extensions found on official app stores (e.g., fake MetaMask, Trust Wallet clones).
- Data exfiltration techniques utilizing legitimate communication methods like DNS tunneling or covert channels (though this uses transactional data).