Blockchain security platform Socket has warned of a new malicious cryptocurrency wallet extension in Google’s Chrome Web Store. This extension has a unique method of stealing seed phrases and exfiltrating user assets.
The extension is called “Safery: Ethereum Wallet” and claims to be a “reliable and secure browser extension designed to help you easily and efficiently manage your Ethereum-based assets.”
However, as highlighted in Socket’s Tuesday report, the extension is actually designed to steal seed phrases through a sophisticated backdoor.
“This wallet, marketed as a simple and secure Ethereum (ETH) wallet, contains a backdoor that steals the seed phrase by encoding it into a Sui address and broadcasting microtransactions from the threat actor-controlled Sui wallet,” the report said.

Promotional image for the Safery wallet. Source: Chrome Store
Notably, it currently ranks fourth in search results for “Ethereum wallet” in the Google Chrome Store, just behind legitimate wallets such as MetaMask, Wombat, and Enkrypt.

Chrome Store search results. Source: Chrome Store
This extension allows users to create new wallets or import existing wallets from elsewhere, creating two potential security risks for users.
In the first scenario, a user creates a new wallet with the extension, which immediately sends the seed phrase to the attacker via a small Sui-based transaction. The wallet is compromised from day one, so the funds in it can be stolen at any time.
In the second scenario, a user imports an existing wallet and enters its seed phrase, which the extension passes to the scammer behind it, again through a small transaction.
“When a user creates or imports a wallet, Safery: Ethereum Wallet encodes the BIP-39 mnemonic into a synthetic Sui-style address and sends 0.000001 SUI to those recipients using the hardcoded threat actor mnemonic,” Socket explained, adding:
“By decoding the recipient, an attacker can reconstruct the original seed phrase and exfiltrate the affected assets. The mnemonic leaves the browser hidden within a normal-looking blockchain transaction.”
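The behaviour Socket describes leaves two traits a reviewer can look for in an unpacked extension before installing it: a mnemonic-shaped string constant, and code for a chain the listing never mentions. The sketch below is an added example, not Socket's tooling or code from the extension; the function names, the Sui markers and the sample files are assumptions made for illustration, and the word-shape test is a heuristic rather than a BIP-39 wordlist lookup.

```javascript
// Added example: static triage heuristics over an unpacked extension (constructed input).
const MNEMONIC_LENGTHS = new Set([12, 15, 18, 21, 24]); // valid BIP-39 word counts
const STRING_LITERAL = /(["'`])((?:(?!\1)[^\\\n])*)\1/g; // single-line string literals
const BIP39_LIKE_WORD = /^[a-z]{3,8}$/; // English BIP-39 words: 3-8 lowercase letters
// Assumed markers of Sui usage in JavaScript; not taken from Socket's report.
const SUI_INDICATORS = [/@mysten\/sui/, /\.sui\.io\b/, /\bsuix?_[A-Za-z]+/];

// Report only offset and word count, so the scanner never echoes a possible secret.
function findMnemonicLikeLiterals(source) {
  const hits = [];
  for (const m of source.matchAll(STRING_LITERAL)) {
    const words = m[2].trim().split(/\s+/);
    if (MNEMONIC_LENGTHS.has(words.length) && words.every((w) => BIP39_LIKE_WORD.test(w))) {
      hits.push({ index: m.index, wordCount: words.length });
    }
  }
  return hits;
}

// An Ethereum-only wallet has no reason to talk to Sui infrastructure.
function findUndeclaredChainUse(source, declaredChains) {
  if (declaredChains.map((c) => c.toLowerCase()).includes("sui")) return [];
  return SUI_INDICATORS.filter((re) => re.test(source)).map((re) => re.source);
}

function triageExtension(ext) {
  const findings = [];
  for (const [path, source] of Object.entries(ext.files)) {
    for (const hit of findMnemonicLikeLiterals(source)) {
      const detail = `${hit.wordCount} words at offset ${hit.index}`;
      findings.push({ path, rule: "hardcoded-mnemonic-like-literal", detail });
    }
    for (const pattern of findUndeclaredChainUse(source, ext.declaredChains)) {
      findings.push({ path, rule: "undeclared-chain-use", detail: pattern });
    }
  }
  return findings;
}

// Constructed sample: the 12 words are NATO alphabet filler, not a real wallet.
const SAMPLE_EXTENSION = {
  declaredChains: ["ethereum"],
  files: {
    "background.js": [
      'const RPC = "https://fullnode.mainnet.sui.io:443";',
      'const SENDER = "alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima";',
    ].join("\n"),
    "ui.js": 'document.title = "Ethereum wallet";',
  },
};
console.log(triageExtension(SAMPLE_EXTENSION));
```

Either finding on its own can be benign (test fixtures, multi-chain wallets), so treat the output as a prompt for manual review rather than a verdict.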
How Cryptocurrency Users Avoid Scam Extensions
Although this malicious extension appears at the top of search results, there are some obvious signs that it lacks legitimacy.
The extension has no reviews, very limited branding (some of it with grammatical errors), no official website, and it links to developers using Gmail accounts.
It’s important to do significant research before engaging with blockchain platforms and tools, pay close attention to seed phrases, practice solid cybersecurity, and research well-established, validated alternatives.
Given that this extension also sends microtransactions, it is essential to continuously monitor and identify wallet transactions, as even small transactions can be harmful.


