Socket’s Threat Research Team discovered a malicious Chrome extension named Safery: Ethereum Wallet that steals users’ BIP-39 seed phrases by encoding them into synthetic Sui-style addresses and broadcasting microtransactions from a threat actor-controlled Sui wallet. The extension uses a hardcoded Base64 threat actor mnemonic to send tiny SUI payments to those derived addresses, enabling the actor to decode recipients and reconstruct victims’ full seed phrases. #Safery #Sui
Keypoints
- The Chrome extension Safery: Ethereum Wallet (ID fibemlnkopkeenmmgcfohhcdbkhgbolo) was published on the Chrome Web Store and marketed as a simple, secure ETH wallet while containing a covert backdoor.
- When a user creates or imports a wallet, the extension encodes the BIP-39 mnemonic into one or two synthetic Sui-style addresses and sends 0.000001 SUI microtransactions to them from a hardcoded threat actor mnemonic.
- The threat actor’s Base64-encoded mnemonic (decodes to “sense collect pulp float neutral brush hospital pyramid coin shield use atom”) is used to sign the Sui transactions, allowing reconstruction of the victim seed from the recipient addresses.
- Exfiltration occurs on-chain via normal-looking microtransactions to arbitrary recipients, avoiding plaintext HTTP exfiltration or a central C2 server and reducing detection by typical network-based controls.
- The extension exposes window.logInWallet({ address, privateKeyHex, mnemonic }) globally and performs hidden Sui RPC calls to https://sui-rpc.publicnode.com, enabling silent seed theft while still functioning as a usable ETH wallet in the UI.
- Socket submitted a takedown request to Google and identified the publisher email kifagusertyna@gmail[.]com; defenders should treat unexpected blockchain RPC calls as high signal and enforce extension allowlists and RPC baselines.
MITRE Techniques
- [T1195.002 ] Supply Chain Compromise – Malicious browser extension published in the Chrome Web Store as a seemingly legitimate wallet to reach users: “The Chrome Web Store listing markets Safery: Ethereum Wallet as a standard, user-friendly wallet.”
- [T1176.001 ] Software Extensions: Browser Extensions – Use of a Chrome extension to perform malicious actions in-browser: “Safery: Ethereum Wallet encodes the BIP-39 mnemonic… then sends 0.000001 SUI to those recipients.”
- [T1204 ] User Execution – The extension relies on the user entering or importing a wallet mnemonic through the extension UI, which is what triggers the exfiltration logic: “After the user enters a valid seed phrase in the login form…”
- [T1059.007 ] Command and Scripting Interpreter: JavaScript – Malicious logic implemented in JavaScript within the extension to encode mnemonics, call RPCs, and send transactions: code snippets show JavaScript functions performing encoding and sendSui calls.
- [T1552.004 ] Unsecured Credentials: Private Keys – Hardcoded threat actor mnemonic stored in Base64 inside the extension enabling signing of Sui transactions: “fromBase64(‘c2Vuc2Ug…’) decodes to… threat actor-controlled Sui wallet.”
- [T1567 ] Exfiltration Over Web Service – Exfiltration performed via blockchain transactions over a public RPC endpoint (https://sui-rpc.publicnode.com) rather than traditional network C2: “silently sending 0.000001 SUI via https://sui-rpc.publicnode.com to addresses derived from the victim mnemonic.”
- [T1657 ] Financial Theft – Theft of on-chain assets by reconstructing victim seed phrases and draining derived wallets: “With a recovered mnemonic, the threat actor gains full control of derived wallets… and transfer assets to their own addresses.”
Indicators of Compromise
- [Chrome Extension ID ] Malicious extension identifier – fibemlnkopkeenmmgcfohhcdbkhgbolo
- [Email Address ] Publisher account used for the extension – kifagusertyna@gmail[.]com
- [Hardcoded Mnemonic (Base64) ] Encoded threat actor seed stored in extension – c2Vuc2UgY29sbGVjdCBwdWxwIGZsb2F0IG5ldXRyYWwgYnJ1c2ggaG9zcGl0YWwgcHlyYW1pZCBjb2luIHNoaWVsZCB1c2UgYXRvbQ== (decodes to “sense collect pulp float neutral brush hospital pyramid coin shield use atom”)
- [RPC Endpoint ] Sui RPC used for exfiltration – https://sui-rpc.publicnode.com
Read more: https://socket.dev/blog/malicious-chrome-extension-exfiltrates-seed-phrases