Malicious Chrome Extension Exfiltrates Seed Phrases, Enabling Wallet Takeover
Blog post from Socket
Socket's Threat Research Team has identified a malicious Chrome extension, Safery: Ethereum Wallet, that masquerades as a secure Ethereum wallet but contains a backdoor that exfiltrates the user's seed phrase. Rather than posting the phrase to a server, the extension encodes the BIP-39 mnemonic into synthetic Sui addresses and sends microtransactions to those addresses from a Sui wallet the threat actor controls. The recipient addresses are then visible on the public Sui ledger, so the threat actor can read them back, reconstruct the original mnemonic, and potentially drain the user's assets.

The extension is listed on the Chrome Web Store alongside legitimate wallets such as MetaMask and looks no different from them. Because the exfiltration rides on ordinary blockchain transactions, there is no call-back to a central command-and-control server and no HTTP request carrying the mnemonic to an attacker-owned host; the only network activity is RPC traffic to a public Sui node, which is easy to mistake for normal wallet behaviour. The same trick works on any chain that lets a sender pick an arbitrary recipient address, so the threat actor can move the channel to a different network with little effort, which defeats detection that keys on known C2 domains or on secrets in HTTP bodies.

Recommendations: install only trusted, well-established wallet extensions; monitor for unexpected blockchain RPC calls, in particular an extension that claims to support one chain talking to another; and use tooling such as Socket's Chrome extension protection to detect and block risky extension behaviour.
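Two things a defender would want to check after reading the above: how little address space a seed phrase needs (which is why a single 32-byte recipient can carry a 12-word mnemonic), and how to turn "monitor unexpected blockchain RPC calls" into concrete logic. The following is an added example written for this page; it is not code from Socket or from the extension. The log format, the extension name `safery-like`, the hostnames under `rpc.example` and the method-prefix table are all assumptions made for the example, and the log lines are constructed.

```javascript
// Added example for this page (not Socket's code, not the extension's code).
// (1) addressesNeeded: how many 32-byte Sui addresses the 11-bit word indices
//     of an n-word BIP-39 mnemonic fit into.
// (2) analyzeLog: flag RPC calls a wallet extension makes to a chain it does
//     not claim to support, and escalate when the call broadcasts a transaction.
// Log format, hostnames, extension name and method-prefix table are assumed.

const BIP39_BITS_PER_WORD = 11;   // each BIP-39 word is an index into a 2048-word list
const SUI_ADDRESS_BITS = 32 * 8;  // a Sui address is 32 bytes

// 12 words = 132 bits fit in one address; 24 words = 264 bits need two.
function addressesNeeded(wordCount) {
  return Math.ceil((wordCount * BIP39_BITS_PER_WORD) / SUI_ADDRESS_BITS);
}

// Chain family of a JSON-RPC method, by prefix. Assumed table: extend it with
// every chain the extension under review legitimately claims to support.
function chainOfMethod(method) {
  if (method.startsWith("eth_")) return "ethereum";
  if (/^(sui_|suix_|unsafe_)/.test(method)) return "sui";
  return "unknown";
}

// Methods that push a signed transaction to the network: the moment an encoded
// mnemonic would actually leave the machine.
const BROADCAST_METHODS = new Set([
  "eth_sendRawTransaction",
  "sui_executeTransactionBlock",
]);

// One JSON object per line, in the (assumed) shape a proxy or a Chrome
// net-export post-processor could emit for extension-originated requests:
// {"ext":"<name>","declaredChain":"ethereum","host":"...","body":{"method":"...","params":[...]}}
function analyzeLog(lines) {
  const findings = [];
  lines.forEach((line, i) => {
    let rec;
    try {
      rec = JSON.parse(line);
    } catch (e) {
      findings.push({ line: i, severity: "info", reason: "unparseable log line" });
      return;
    }
    const method = rec.body && rec.body.method;
    if (!method) return;
    const chain = chainOfMethod(method);
    if (chain === rec.declaredChain) return; // talking to its own chain: expected
    const broadcast = BROADCAST_METHODS.has(method);
    findings.push({
      line: i,
      severity: broadcast ? "high" : chain === "unknown" ? "low" : "medium",
      method,
      chain,
      reason:
        `${rec.ext} declares ${rec.declaredChain} but called ${method} (${chain}) on ${rec.host}` +
        (broadcast ? " and broadcast a transaction" : ""),
    });
  });
  return findings;
}

// Constructed sample: an "Ethereum" wallet that quietly checks gas coins on Sui
// and then executes a Sui transaction. The last line is deliberately truncated.
const SAMPLE_LOG = [
  '{"ext":"safery-like","declaredChain":"ethereum","host":"eth.rpc.example","body":{"jsonrpc":"2.0","method":"eth_getBalance","params":["0x0000000000000000000000000000000000000001","latest"]}}',
  '{"ext":"safery-like","declaredChain":"ethereum","host":"eth.rpc.example","body":{"jsonrpc":"2.0","method":"eth_sendRawTransaction","params":["0x02f8..."]}}',
  '{"ext":"safery-like","declaredChain":"ethereum","host":"sui.rpc.example","body":{"jsonrpc":"2.0","method":"suix_getCoins","params":["0x1111","0x2::sui::SUI"]}}',
  '{"ext":"safery-like","declaredChain":"ethereum","host":"sui.rpc.example","body":{"jsonrpc":"2.0","method":"sui_executeTransactionBlock","params":["AAAC...","[sig]"]}}',
  '{"ext":"safery-like","declaredChain":"ethereum","host":"sui.rpc.example","body":{"jsonrpc":"2.0","method":"sui_',
];

console.log(`12-word mnemonic needs ${addressesNeeded(12)} address(es), 24-word needs ${addressesNeeded(24)}`);
for (const f of analyzeLog(SAMPLE_LOG)) console.log(`[${f.severity}] line ${f.line}: ${f.reason}`);
```

The chain-mismatch rule is a heuristic: a genuinely multi-chain wallet needs its declared set widened, and a sophisticated extension could hide behind a chain it does claim to support. The stronger signal is the broadcast itself, a transaction sent from inside the extension at a moment when the user has not initiated a transfer, so in a real deployment pair this with the user-action context your proxy or extension sandbox can supply.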