Fake Chrome Extension “Safery” Steals Ethereum Wallet Seed Phrases Using Sui Blockchain
Cybersecurity researchers have uncovered a malicious Chrome extension that poses as a legitimate Ethereum wallet but harbors functionality to exfiltrate users' seed phrases. The name of the extension is "Safery: Ethereum Wallet," with the threat actor describing it as a "secure wallet for managing Ethereum cryptocurrency with flexible settings." It was uploaded to the Chrome Web Store on
AI Analysis
Technical Summary
The threat is a malicious Chrome extension called "Safery: Ethereum Wallet" that impersonates a legitimate Ethereum wallet. Its purpose is to steal users' wallet seed phrases, the BIP-39 mnemonic phrases from which every key in the wallet is derived; whoever holds the phrase controls the wallet. Instead of exfiltrating the phrase to a conventional command-and-control (C2) server, the extension encodes it into synthetic Sui addresses (32-byte values that look like ordinary Sui recipient addresses) and sends dust-sized SUI transfers from a hard-coded, attacker-controlled Sui wallet to those addresses. The transfers are recorded on the public Sui ledger, so the attacker only has to read the outbound transactions of their own wallet, decode each recipient address back into the mnemonic, and import it to take full control of the victim's Ethereum wallet. The ledger acts as a dead drop: there is no attacker domain to block and no listener to take down, and the traffic looks like any wallet extension talking to a public RPC node. The report does not say how the phrase is laid out inside the address, but the sizes alone show the channel fits: a 12-word mnemonic is 132 bits and a Sui address is 256 bits, so one address carries a whole 12-word phrase, while a 24-word phrase (264 bits) would need more than one. Two further details matter for defenders. First, the exfiltration is triggered during wallet import or creation, the moment a wallet legitimately has the phrase in memory, so nothing looks anomalous at the application layer. Second, the extension can switch RPC endpoints and chains, so indicators based on a fixed URL, domain, or extension ID will not hold. The extension was uploaded to the Chrome Web Store on September 29, 2025, updated as recently as November 12, 2025, and was still available at the time of reporting. The researchers recommend scanning extensions for mnemonic encoders, synthetic address generators, and blockchain write operations that occur during wallet import or creation, using only trusted wallet extensions, and treating unexpected blockchain RPC calls from a browser as a high-risk indicator.
Potential Impact
For European organizations and individual users who manage cryptocurrency, this threat leads directly to financial loss. A seed phrase is the wallet, so a compromised user can lose everything held under it, and because the phrase itself is exfiltrated rather than a session or a single signature, changing passwords or reinstalling the browser does not help once the phrase is on the ledger; the only remedy is to move funds to a wallet derived from a fresh phrase. The stealthy exfiltration path complicates detection and response and lengthens the window of exposure. Organizations that provide cryptocurrency services, wallets, or custody of digital assets may face reputational damage and regulatory scrutiny if their users are affected, and the case further undermines trust in browser-based wallet extensions, which can slow adoption of decentralized finance (DeFi) services. Because the extension was available in the official Chrome Web Store, European users who installed it are at risk. The attack needs no interaction beyond what a user of any wallet extension does anyway, installing it and importing or creating a wallet, which is exactly when the extension captures the phrase. Finally, using the Sui blockchain as a covert exfiltration channel is a novel vector that evades monitoring focused on traffic to known-bad domains or on domain filtering, since the only observable traffic is RPC calls to ordinary public nodes.
Mitigation Recommendations
European organizations and users should restrict browser extensions to those that have been vetted, preferably official wallet extensions from providers with a strong reputation; in managed Chrome deployments this can be enforced with the ExtensionInstallAllowlist and ExtensionInstallBlocklist policies, which work by extension ID and are unaffected by the extension switching RPC endpoints. Security teams should scan extension packages for the behaviors described above: mnemonic-phrase encoding, synthetic blockchain address generation, and blockchain write operations issued during wallet import or creation, when a wallet has a reason to hold the phrase but no reason to transact. Monitoring for unusual blockchain RPC calls from browsers, especially calls that touch several chains or endpoints unrelated to the extension's stated purpose (an "Ethereum wallet" calling a Sui node, for example), gives an early detection signal. Endpoint security products should be updated to detect and block extensions showing these behaviors. User education should stress the risk of unverified wallet extensions and encourage hardware wallets, whose seed phrase never enters the browser, or well-established software wallets with open-source code. Note that multi-factor authentication does not protect a self-custody wallet: the seed phrase alone authorizes transfers, so organizations holding cryptocurrency should prefer multi-signature or hardware-signer setups in which a single leaked phrase cannot move funds, together with transaction monitoring to catch unauthorized transfers. Finally, working with browser vendors to speed removal of malicious extensions from official stores is critical.
Affected Countries
Germany, France, United Kingdom, Netherlands, Switzerland, Sweden, Italy, Spain
Technical Details
- Article Source: https://thehackernews.com/2025/11/fake-chrome-extension-safery-steals.html (fetched 2025-11-14T23:36:26Z, 985 words)
Threat ID: 6917bcfbed594783724528e1
Added to database: 11/14/2025, 11:36:27 PM
Last enriched: 11/14/2025, 11:38:00 PM
Last updated: 11/16/2025, 6:02:10 AM