Friday Nov 14 2025 04:20
Blockchain security firm Socket has issued an alert regarding a newly discovered malicious cryptocurrency wallet extension lurking on Google's Chrome Web Store. This extension employs a sophisticated tactic to pilfer seed phrases, ultimately leading to the draining of users' digital assets.
Dubbed "Safery: Ethereum Wallet," the extension deceptively presents itself as a "reliable and secure browser extension designed for easy and efficient management" of Ethereum-based assets. However, a report published by Socket reveals that the extension is specifically engineered to steal seed phrases through a cleverly concealed backdoor.
According to the report, "Marketed as a simple, secure Ethereum (ETH) wallet, it contains a backdoor that exfiltrates seed phrases by encoding them into Sui addresses and broadcasting microtransactions from a threat actor-controlled Sui wallet."
Notably, the fraudulent extension currently occupies the fourth position in search results for "Ethereum Wallet" on the Google Chrome Store, appearing just below legitimate alternatives such as MetaMask, Wombat, and Enkrypt.
The extension offers users the ability to create new wallets or import existing ones, thereby introducing two potential avenues for security breaches.
In the first scenario, a user creates a new wallet within the extension, unknowingly transmitting their seed phrase to the malicious actor via a tiny transaction on the Sui network. Since the wallet is compromised from its inception, funds can be siphoned off at any time.
In the second scenario, a user imports an existing wallet and enters their seed phrase, effectively handing it over to the scammers behind the extension. They can then access this information through the same small transaction mechanism.
Socket explained, "When a user creates or imports a wallet, Safery: Ethereum Wallet encodes the BIP-39 mnemonic into synthetic Sui-style addresses, then sends 0.000001 SUI to those recipients using a hardcoded threat actor's mnemonic."
The firm further elaborated, "By decoding the recipients, the threat actor reconstructs the original seed phrase and can drain affected assets. The mnemonic leaves the browser concealed inside normal-looking blockchain transactions."
While this malicious extension ranks high in search results, several telltale signs point to its illegitimacy.
The extension boasts zero user reviews, exhibits minimal branding efforts, contains grammatical errors within its branding materials, lacks an official website, and links to a developer utilizing a Gmail account.
Users must conduct thorough research before engaging with any blockchain platform or tool. Exercise extreme caution with seed phrases, maintain robust cybersecurity practices, and prioritize well-established alternatives with verified legitimacy.
Given that this extension also initiates microtransactions, it is crucial to consistently monitor and scrutinize wallet transactions, as even seemingly insignificant transactions can pose a threat.
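The monitoring recommended above, as an added example that is not code from Socket's report or from the extension: a heuristic that scans a wallet's outgoing Sui transfers for the pattern the report describes, a burst of 0.000001 SUI payments to many addresses the wallet has never paid before. The record layout, the thresholds and the sample history are assumptions constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical wallet-history record; fields are constructed for this
# example, not taken from Socket's report or any real Sui explorer API.
@dataclass
class Transfer:
    ts: int           # unix seconds
    sender: str
    recipient: str
    amount_sui: float

DUST_SUI = 0.000001   # the dust value named in the report
WINDOW_S = 300        # assumed: a burst inside five minutes
MIN_FANOUT = 6        # assumed: this many fresh recipients is suspicious

def flag_dust_fanout(transfers, known_recipients, dust=DUST_SUI,
                     window=WINDOW_S, min_fanout=MIN_FANOUT):
    """Return {sender: [recipients]} for senders that emit dust-value
    transfers to many never-before-seen addresses within one window.
    Seed-phrase exfiltration via synthetic addresses looks exactly like
    this: several near-zero payments to recipients nobody in the
    wallet's history has ever paid."""
    by_sender = defaultdict(list)
    for t in sorted(transfers, key=lambda t: t.ts):
        if t.amount_sui <= dust and t.recipient not in known_recipients:
            by_sender[t.sender].append(t)
    flagged = {}
    for sender, dusts in by_sender.items():
        start, best = 0, set()
        for end in range(len(dusts)):          # sliding time window
            while dusts[end].ts - dusts[start].ts > window:
                start += 1
            fresh = {t.recipient for t in dusts[start:end + 1]}
            if len(fresh) >= min_fanout and len(fresh) > len(best):
                best = fresh
        if best:
            flagged[sender] = sorted(best)
    return flagged

# Constructed sample history: wallet 0xaaa fans out 12 dust payments to
# 12 unseen addresses in one minute; wallet 0xbbb pays a known contact
# normally and sends a single dust-sized amount, which is not a burst.
SAMPLE = [Transfer(1_700_000_000 + i * 5, "0xaaa", f"0x{i:064x}", 0.000001)
          for i in range(12)]
SAMPLE += [Transfer(1_700_000_100, "0xbbb", "0xfriend", 2.5),
           Transfer(1_700_000_200, "0xbbb", "0xfaucet", 0.000001)]
KNOWN = {"0xfriend"}

if __name__ == "__main__":
    print(flag_dust_fanout(SAMPLE, KNOWN))
```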
Risk Warning: this article represents only the author's views and is for reference only. It does not constitute investment advice or financial guidance, nor does it represent the stance of the Markets.com platform. When considering shares, indices, forex (foreign exchange) and commodities for trading and price predictions, remember that trading CFDs involves a significant degree of risk and could result in capital loss. Past performance is not indicative of any future results. This information is provided for informative purposes only and should not be construed to be investment advice. Trading cryptocurrency CFDs and spread bets is restricted for all UK retail clients.