In a stark reminder of the persistent threats lurking within the digital asset ecosystem, a cleverly designed malicious Chrome extension, dubbed "Safery: Ethereum Wallet," managed to infiltrate the Chrome Web Store and rank alarmingly high for "Ethereum wallet" searches in November. This sophisticated scam, which appeared legitimate and highly polished, was engineered not just to steal seed phrases, but to do so in an unprecedented and stealthy manner, leveraging the Sui blockchain as its covert communication channel.
The Deceptive Facade of "Safery"
What made "Safery" particularly insidious was its sophisticated frontend. It boasted a clean, professional-looking icon, a name that subtly hinted at security, and a deluge of five-star reviews that propelled it up the search rankings. Its descriptions were boilerplate, mirroring the language commonly found in legitimate crypto wallet listings. To the unsuspecting user, there were virtually no immediate red flags.
Unlike many phishing attempts that spoof existing, well-known brands like MetaMask, "Safery" forged its own identity. It wasn't a clumsy lookalike or a recycled malicious domain. Instead, it presented itself as a brand new, trustworthy wallet option. This meant:
- No Broken Grammar: The text was impeccably written, avoiding common tell-tale signs of scams.
- No Odd Permissions: The extension requested permissions typical for crypto wallets, such as access to "all websites," which is necessary for interacting with decentralized applications (dApps). It carefully avoided triggering Chrome's more aggressive warnings by staying within expected bounds.
- Unflagged Support URLs: At the time of analysis by Socket, a security tooling company that investigated the extension, its off-platform support site had not been flagged by security trackers.
This meticulous attention to detail meant that most users, seeing its high rating and polished appearance, would have clicked "Add to Chrome" without a second thought, completely unaware of the threat brewing beneath the surface. The setup screen, prompting users to create or import a wallet, followed standard, reassuring procedures.
The Covert Seed Heist: Broadcasting Secrets via Sui
The true danger unfurled the moment a user entered their precious seed phrase. Instead of securing it locally, the "Safery" extension quietly fractured the seed phrase into smaller components. These fragments were then ingeniously encoded as seemingly random wallet addresses, or hidden within memo fields of transactions, and inserted into minuscule SUI token transfers on the Sui blockchain.
"The scam used the Sui blockchain itself as a communications channel. And because Sui has fast confirmation times and negligible transaction costs, it functioned like a low-latency message bus."
This method offered several critical advantages to the attackers:
- Evasion of Detection: The extension avoided sending outbound requests to malicious command-and-control servers, a common activity that traditional browser security or antivirus software might flag.
- Stealthy Exfiltration: The payload left the user's device masquerading as a normal, low-value blockchain transaction, routed through a widely used and inexpensive network.
- Public Accessibility, Private Retrieval: Once on-chain, these seed fragments were publicly accessible. The attackers could then retrieve them, reconstruct the full seed phrase, and empty the victim's wallets without needing further access to their device.
Socket's investigation confirmed this sophisticated link between a user entering their seed phrase and the subsequent loss of assets. While the actual thefts often occurred on other layer-1 chains such as Ethereum, where victims held funds, the instructions for these thefts were discreetly broadcast over Sui. This innovative use of a public blockchain as an exfiltration channel highlighted a significant blind spot in current security models.
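One defensive consequence of the pattern described above is that the exfiltration itself leaves a signature: a single sender bursting out many minimum-value transfers to addresses that have never appeared on chain before. The following detection heuristic is an added example written for this page; it is not code from Socket's analysis or from any Sui tooling. The record shape (sender, recipient, amount in the smallest unit, Unix timestamp), the dust threshold, the window length and the sample transfers are all constructed assumptions, so the thresholds would need tuning against real indexer data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    """Minimal transfer record; the field set is an assumption about what an indexer exposes."""
    sender: str
    recipient: str
    amount: int   # smallest unit of the token
    ts: int       # Unix timestamp (seconds)


MICRO_AMOUNT = 1_000        # hypothetical dust threshold, in smallest units
WINDOW_SECONDS = 600        # look for fan-out inside a 10-minute window
MIN_FRESH_RECIPIENTS = 6    # distinct never-seen recipients before alerting


def detect_dust_fanout(transfers, micro_amount=MICRO_AMOUNT,
                       window=WINDOW_SECONDS, min_fresh=MIN_FRESH_RECIPIENTS):
    """Return {sender: peak_fresh_recipients} for senders that burst dust transfers
    to addresses with no prior on-chain history.

    A recipient counts as "fresh" when it has not appeared as a sender or a
    recipient anywhere earlier in the stream; encoding data as addresses
    produces exactly such never-seen recipients."""
    seen = set()
    per_sender = defaultdict(list)          # sender -> [(ts, recipient)]
    for t in sorted(transfers, key=lambda x: x.ts):
        if t.amount <= micro_amount and t.recipient not in seen:
            per_sender[t.sender].append((t.ts, t.recipient))
        seen.add(t.sender)
        seen.add(t.recipient)

    alerts = {}
    for sender, events in per_sender.items():
        # Sliding window over the sender's dust events (already time-ordered);
        # record the largest number of distinct fresh recipients seen in any window.
        lo, peak = 0, 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            peak = max(peak, len({r for _, r in events[lo:hi + 1]}))
        if peak >= min_fresh:
            alerts[sender] = peak
    return alerts


# Constructed sample ledger (not real chain data): ordinary payments, one dust
# payment to a known address, and one sender spraying dust at eight fresh addresses.
SAMPLE = [
    Transfer("0xalice", "0xexchange", 5_000_000, 1000),
    Transfer("0xbob", "0xexchange", 2_500_000, 1010),
    Transfer("0xexchange", "0xcarol", 900_000, 1020),   # large transfer to a fresh address: benign
    Transfer("0xalice", "0xbob", 50, 1030),             # dust, but to a known address: benign
] + [
    Transfer("0xmule", f"0xfrag{i:02d}", 1, 2000 + i * 5) for i in range(8)
]

if __name__ == "__main__":
    for sender, count in detect_dust_fanout(SAMPLE).items():
        print(f"ALERT {sender}: {count} fresh dust recipients inside {WINDOW_SECONDS}s")
```

The two benign cases are deliberate: a large transfer to a new address and a dust transfer to an established one are both everyday activity, so only the combination of dust value, fresh recipient and fan-out rate trips the rule.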
How Chrome's Ranking Algorithm Facilitated the Scam
The success of "Safery" was inextricably linked to the Chrome Web Store's ranking algorithms. These algorithms weigh factors such as keyword match, install count, review velocity, average rating, and recency of updates. An extension with a sudden surge in positive activity, particularly in a less frequently updated category, can rapidly ascend the ranks.
"Safery" expertly exploited this by having a relevant name for common searches, coupled with a blitz of positive (often templated or duplicated) reviews, and a fresh upload date. Crucially, there was no evidence of manual review by Google prior to publication. The Chrome Web Store typically relies on automated scans and basic static analysis for new extensions, reserving deeper scrutiny for those requesting elevated permissions. "Safery" cleverly stayed within the boundaries of what appeared to be normal wallet permissions, thus avoiding immediate red flags for deeper inspection.
Even once user concerns began to circulate on platforms like Reddit and Telegram, the time lag between reporting and takedown was significant enough for considerable damage to occur. This delay is structural; Chrome does not instantly remove flagged extensions unless there's an overwhelming consensus or known malware signatures. Given that "Safery's" malicious payload was obfuscated JavaScript relying on blockchain infrastructure rather than external hosts, it bypassed traditional malware detection methods.
Beyond "Safery": Broader Implications and User Recourse
While the crypto space has seen its share of malicious Chrome extensions, from fake Ledger Live apps to hijacked legitimate extensions, "Safery" stands apart. Its lack of any backend infrastructure eliminated common points of attack for security teams; there was no phishing site to dismantle or server to block. It was a self-contained operation, using a public blockchain as its silent accomplice.
For those who unfortunately fell victim, immediate action was paramount:
- Uninstall Immediately: Remove the malicious extension without delay.
- Revoke Token Approvals: Crucially, revoke any token approvals given to potentially compromised smart contracts.
- Sweep Assets: Transfer all assets to a brand new, secure wallet, ideally using a clean, uncompromised device.
- Monitor Addresses: Keep a close eye on associated wallet addresses for any suspicious activity.
However, for victims who didn't quickly notice the exfiltration or who held significant funds in affected hot wallets, recovery remained highly unlikely.
Rethinking Browser Wallet Security: A Call for Vigilance
This incident has spurred security researchers and developers to advocate for stronger preventative measures from Chrome itself. Proposed solutions include:
- Automated Flagging: Implementing systems to automatically flag any extension that includes UI elements prompting for a 12- or 24-word seed phrase.
- Publisher Attestation: Requiring verifiable proof that a publisher controls the codebase behind a known wallet brand.
- Tighter Permission Inspection: Enhanced scrutiny of wallet-related permissions, even those that don't appear overtly dangerous.
For end-users, Socket published a vital checklist for managing extensions safely:
- Review Publisher History: Investigate the developer's past extensions and reputation.
- Verify Association: Ensure the extension is officially associated with a known, reputable project.
- Inspect Review Patterns: Be wary of sudden bursts of identical or templated positive reviews.
- Check for Real Links: Look for legitimate website links, public GitHub repositories, and active communities.
- Scan Permissions Tab: Always review the requested permissions; avoid extensions asking for overly broad or vague access.
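The automated-flagging proposal above (a store-side check for seed-phrase prompts) and the checklist's permissions review can both be approximated with a static pass over an unpacked extension. The script below is an added example for this article, not a Chrome Web Store mechanism or Socket's tooling; the keyword patterns, the list of broad host patterns and the sample extension files are constructed assumptions, and a real reviewer would treat a hit as a reason for manual inspection rather than proof of malice.

```python
import json
import re

# Wording that marks a UI asking for a recovery phrase. The list is an assumption
# chosen for this example, not a published Chrome Web Store rule.
SEED_PROMPT_PATTERNS = [
    re.compile(r"\b(seed|recovery|secret)\s+phrase\b", re.I),
    re.compile(r"\bmnemonic\b", re.I),
    re.compile(r"\b(12|24)[\s-]*words?\b", re.I),
]

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def load_manifest(files):
    """Parse manifest.json from an in-memory {path: content} view of the package."""
    return json.loads(files["manifest.json"])


def broad_host_permissions(manifest):
    """Return the declared host patterns that match every origin (MV2 puts them
    under 'permissions', MV3 under 'host_permissions', so both are checked)."""
    declared = set(manifest.get("host_permissions", [])) | set(manifest.get("permissions", []))
    return sorted(declared & BROAD_HOSTS)


def seed_prompt_hits(files):
    """Return [(path, line_no, matched_text)] for each HTML/JS/JSON line that
    reads like a seed-phrase prompt; one hit per line at most."""
    hits = []
    for path, content in files.items():
        if not path.endswith((".html", ".js", ".json")):
            continue
        for line_no, line in enumerate(content.splitlines(), 1):
            for pattern in SEED_PROMPT_PATTERNS:
                match = pattern.search(line)
                if match:
                    hits.append((path, line_no, match.group(0)))
                    break
    return hits


def audit_extension(files):
    """Combine both checks into a findings list a reviewer can triage. The
    combination (wallet-style UI plus all-site access) is what gets escalated."""
    findings = []
    hosts = broad_host_permissions(load_manifest(files))
    if hosts:
        findings.append(f"broad host access: {', '.join(hosts)}")
    hits = seed_prompt_hits(files)
    if hits:
        findings.append(f"seed phrase prompt in {len(hits)} place(s)")
    if hosts and hits:
        findings.append("FLAG: wallet-style UI with all-site access; route to manual review")
    return findings


# Constructed sample package (hypothetical extension, not "Safery"): an MV3 manifest
# with <all_urls>, an import page asking for the phrase, and a script validating it.
SAMPLE_EXTENSION = {
    "manifest.json": json.dumps({
        "manifest_version": 3,
        "name": "Example Wallet",
        "permissions": ["storage"],
        "host_permissions": ["<all_urls>"],
        "action": {"default_popup": "popup.html"},
    }),
    "popup.html": "\n".join([
        "<h2>Import wallet</h2>",
        '<textarea placeholder="Enter your 12 or 24-word recovery phrase"></textarea>',
    ]),
    "setup.js": "\n".join([
        "const words = document.querySelector('textarea').value.trim().split(/\\s+/);",
        "if (words.length !== 12 && words.length !== 24) showError('Invalid mnemonic');",
    ]),
}

if __name__ == "__main__":
    for finding in audit_extension(SAMPLE_EXTENSION):
        print(finding)
```

Run against a directory by reading each file into the same `{path: content}` dictionary. Legitimate wallets will of course trip this check too; the point, as the proposal above states, is to make a seed-phrase prompt a trigger for deeper review rather than something an automated scan waves through.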
The "Safery" case underscores a critical vulnerability: the browser, while convenient, is a high-risk environment. It's susceptible to extension manipulation, session hijacking, and now, covert blockchain exfiltration. Wallet developers are increasingly reconsidering distribution models, with some teams already discouraging Chrome Web Store installs in favor of more secure mobile apps or desktop binaries.
The core issue remains that distribution channels are fragmented, and it's challenging for many users to differentiate between a legitimate wallet and a sophisticated clone. The "Safery" extension didn't need to impersonate MetaMask; it built its own brand, generated fake trust signals, and created an invisible backdoor using the Sui blockchain as its courier. This incident demands a profound rethinking of how trust is established in the crypto user experience, and a renewed awareness of just how critical the security of seemingly simple tools like browser extensions truly is.
While Web3 promises sovereignty and self-custody, a browser wallet in the wrong hands is not a vault; it's an open port. And as the "Safery" saga demonstrates, Chrome won't always sound the alarm before your assets slip away.