A deceptive Chrome extension named Safery: Ethereum Wallet has emerged as a serious threat to cryptocurrency users.<\/p>\n
Published on the Chrome Web Store on November 12, 2024, this extension masquerades as a secure Ethereum wallet while secretly stealing user seed phrases.<\/p>\n
The malware\u2019s sophisticated design allows attackers to gain complete control over victims\u2019 cryptocurrency wallets and drain their digital assets.<\/p>\n
The extension operates with a cunning approach to theft. When users create or import a wallet, the extension extracts their seed phrase and encodes it into synthetic Sui blockchain<\/a> addresses.<\/p>\n It then broadcasts tiny microtransactions of 0.000001 SUI to these encoded addresses from a threat actor-controlled wallet. To observers, these appear as normal blockchain activity, but they actually contain hidden user data.<\/p>\n Socket.dev security analysts identified<\/a> the malicious extension and discovered its evasive tactics.<\/p>\n The researchers noted that the backdoor uses BIP-39 mnemonic encoding, transforming each seed phrase word into numeric indices and packing them into hexadecimal strings that resemble legitimate Sui wallet addresses.<\/p>\n This clever approach hides data within blockchain transactions, eliminating the need for traditional command-and-control servers.<\/p>\n The technical mechanism reveals the extension\u2019s sophistication. When examining the extension code, analysts found it loads a standard wordlist, maps each word to its index, and constructs synthetic addresses prefixed with \u201c0x\u201d.<\/p>\n A paired decoder embedded in the malware allows the threat actor to reverse this process, reconstructing the original seed phrase word by word.<\/p>\n The code silently executes these operations after a user enters their seed phrase, sending exfiltration data<\/a> across the blockchain before completing the login process.<\/p>\n The threat proves especially dangerous because the extension appears legitimate on the Chrome Web Store. Users searching for Ethereum wallets<\/a> find it listed as the fourth result alongside trusted alternatives like MetaMask and Enkrypt, lending it false credibility.<\/p>\n Once a victim installs the extension and imports their wallet, the attacker gains access to all derived Ethereum private keys and can transfer all assets to their own addresses, resulting in complete financial compromise.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Malicious Chrome Extension as Ethereum Wallet Enables Full Wallet Takeover<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Ethereum](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh8sIszV7JpPUD1hmrSR1HFOO5m0cZc0tubLH1tU4fl-Gdn_EawBV8BoDutIPXGLKnQvlExJQcQGJQDbiuqxHGCULj9juVoEbXr3NGVi942fywGQHeyPAsu20LJjm7f-_hX9ojYqQFY6kLRy_A_N0kKKX7b2InkjDnvPjqlba8nQcHk5jso6KdsowHRzcM\/s16000\/Ethereum%2520Wallet%2520markets%2520the%2520extension%2520as%2520a%2520simple%2C%2520secure%2520ETH%2520wallet%2520%28Source%2520-%2520Socket.dev%29.webp?ssl=1\")
Technical Mechanism<\/strong><\/h2>\n