This Chrome Ethereum Wallet Steals Your Crypto Using the Blockchain Itself

A new and incredibly sneaky attack is targeting cryptocurrency users through the official Google Chrome Web Store. Security researchers have sounded the alarm on a malicious browser extension called “Safery: Ethereum Wallet” that does the exact opposite of what its name promises. It’s a trap designed to steal your secret seed phrase and drain your accounts, and it uses a clever trick that’s hard to detect.

Even worse, the extension has been available for download since September 29, 2025, and was updated as recently as November 12. As of this writing, this dangerous piece of malware is reportedly still available on the store, fooling users with its description as a “secure wallet for managing Ethereum cryptocurrency.”

How This Devious Wallet Steals Your Keys

This isn’t your average crypto stealer. Most malware has to secretly send your information to a server controlled by the hackers, known as a command-and-control (C2) server. Security companies can often find and block these servers, cutting the snake’s head off.

The “Safery” wallet, however, is far more cunning. It doesn’t need a secret server because it uses the public blockchain itself as its getaway vehicle.

Here’s the step-by-step breakdown of the theft, as detailed by researchers like Kirill Boychenko from Socket and the team at Koi Security.

First, when an unsuspecting user installs the “Safery” extension and either creates a new wallet or, more devastatingly, imports an existing wallet using its 12- or 24-word seed phrase, the malware springs into action. The extension immediately captures that seed phrase, the master key to all your crypto.

Second, the malware’s hidden “backdoor” code gets to work. It takes your secret seed phrase and “encodes” it. In simple terms, it scrambles and translates your secret words into a long string of letters and numbers that looks just like a brand-new, valid wallet address on the Sui blockchain, a completely different network from Ethereum.

Third, the final and most brilliant part of the scam begins. The hackers have a wallet of their own on the Sui network, which is hard-coded into the “Safery” extension. The malware uses this attacker-controlled wallet to send a microscopic, almost worthless, amount of SUI crypto (something like 0.000001 SUI) to the fake address it just created from your seed phrase.

The hackers don’t need to receive any data. They just sit back and watch the public Sui blockchain. When they see their own wallet send a tiny transaction, they simply look at the recipient’s address. They know that this address is not a real person’s wallet but is, in fact, a disguised copy of your secret seed phrase.

They then take that public “to” address, use their own secret key to decode it, and instantly reconstruct your original seed phrase. Once they have that, it’s game over. They have complete control of your real Ethereum wallet and can transfer all of your assets to their own accounts, leaving you with nothing.

A Flexible Attack That’s Hard to Block

This method is terrifyingly effective precisely because it hides in plain sight. The theft looks just like a normal, tiny blockchain transaction. Because the hackers aren’t using a central server, there’s no single domain or URL for security software to block.

As researcher Kirill Boychenko points out, this technique is also incredibly flexible. If defenders start monitoring the Sui network for this activity, the hackers can just change a few lines of code in their malware to use a different blockchain, like Solana or Polkadot. They can easily switch chains and connection points, making most detection rules useless.

The only real clue, Boychenko notes, is the suspicious behavior of the extension itself. A wallet that claims to be only for Ethereum has no business making any kind of connection or call to the Sui blockchain. This unexpected cross-chain activity is a major red flag for security professionals.

How to Protect Your Crypto

For everyday users, the advice is simple and urgent: stick to trusted, well-known, and time-tested wallet extensions. Use wallets that have millions of users, a long public history, and have undergone multiple security audits. Be extremely suspicious of new wallets, even if they are on the official Chrome Web Store. That “Safery” extension looked legitimate, but it was a complete fraud.

For security companies and wallet developers, the researchers recommend a new line of defense. They should proactively scan new extensions for any code that looks like it could encode seed phrases or generate “synthetic” (fake) addresses. They should also look for hard-coded seed phrases inside the extension’s code, as this is likely the attacker’s “sending” wallet.

Perhaps the strongest recommendation is to block any wallet extension that tries to write or send anything to a blockchain during the initial wallet creation or import process. When you create a wallet, that action should be entirely offline and private. Any extension that tries to make a web call or a transaction at that exact moment is almost certainly trying to steal your information.
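
One way to apply the scanning recommendation and the cross-chain red flag described above, as an added example that is not from the researchers or the original article: a static check over an extension's JavaScript for string literals shaped like 12- or 24-word seed phrases and for endpoints of chains the wallet does not claim to support. The chain list, the `.example` hosts and the sample source are constructed assumptions, and the mnemonic test is a shape heuristic, not a BIP-39 wordlist lookup.

```python
import re
from urllib.parse import urlsplit

# Assumption: chains named in the article; extend for your own review pipeline.
FOREIGN_CHAINS = {"sui", "solana", "polkadot"}
MNEMONIC_LENGTHS = {12, 24}        # seed phrase sizes named in the article
WORD = re.compile(r"[a-z]{3,8}")   # BIP-39 English words are 3 to 8 letters
STRING_LITERAL = re.compile(r"""(["'`])((?:\\.|(?!\1).)*?)\1""", re.S)

def string_literals(js_source):
    """Return the contents of quoted string literals (naive tokenizer)."""
    return [m.group(2) for m in STRING_LITERAL.finditer(js_source)]

def looks_like_mnemonic(text):
    """Shape heuristic only: right word count, every word short and lowercase."""
    words = text.split()
    return len(words) in MNEMONIC_LENGTHS and all(WORD.fullmatch(w) for w in words)

def foreign_chain_hosts(literals, declared_chain):
    """Hosts whose name carries a chain label the wallet does not claim."""
    hits = set()
    for lit in literals:
        if "://" not in lit:
            continue
        try:
            host = (urlsplit(lit).hostname or "").lower()
        except ValueError:      # malformed URL literal
            continue
        if set(re.split(r"[.-]", host)) & (FOREIGN_CHAINS - {declared_chain}):
            hits.add(host)
    return sorted(hits)

def scan(js_source, declared_chain="ethereum"):
    lits = string_literals(js_source)
    return {
        # Count only: never echo a suspected seed phrase into logs.
        "hardcoded_mnemonics": sum(looks_like_mnemonic(l) for l in lits),
        "foreign_chain_hosts": foreign_chain_hosts(lits, declared_chain),
    }

# Constructed sample, not code from the real extension.
SAMPLE_JS = '''
const ETH_RPC = "https://eth-rpc.example/v1";
const OTHER_RPC = "https://rpc.sui.example:443";
const SENDER = "alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima";
const label = 'Import your existing wallet';
'''

if __name__ == "__main__":
    print(scan(SAMPLE_JS))
```

Either finding on its own only warrants a manual review; both together in a wallet that advertises a single chain match the pattern the researchers describe.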
