Executive Summary
In November 2025, cybersecurity researchers identified a malicious Chrome extension named "Safery: Ethereum Wallet," which masqueraded as a legitimate cryptocurrency management tool but was designed to steal users' Ethereum wallet seed phrases. The extension was covertly uploaded to the Chrome Web Store, targeting unsuspecting cryptocurrency holders by promising enhanced security and flexible settings. After users entered their wallet credentials, the extension exfiltrated sensitive seed phrases via transactions on the Sui blockchain, effectively enabling attackers to compromise and drain user wallets. The incident rapidly gained attention due to its stealthy distribution and use of decentralized channels for data exfiltration.
This breach underscores a growing trend of sophisticated infostealers leveraging browser extensions and blockchain-based exfiltration routes to exploit gaps in endpoint and cloud application security. The persistent evolution of phishing and credential theft tactics increases regulatory pressure and demands more robust zero trust and egress policy enforcement across digital ecosystems.
Why This Matters Now
Attackers are increasingly exploiting browser extension marketplaces and leveraging blockchain technologies to bypass traditional security detection. The Safery incident demonstrates an urgent need for organizations and individuals to strengthen controls on third-party extensions, egress monitoring, and east-west traffic security, as threat actors adapt rapidly to emerging opportunities.
Attack Path Analysis
The attack began when users were tricked into installing a malicious Chrome extension impersonating a legitimate Ethereum wallet (Safery), allowing the adversary to gain initial access. The extension harvested sensitive wallet data, granting the attacker access to seed phrases without needing further privilege escalation. No significant lateral movement occurred, as the compromise remained within the user's browser environment. The extension communicated with the attacker's infrastructure for command and control, coordinating seed phrase collection. Exfiltration followed, with sensitive seed phrases being sent out—potentially over unencrypted channels via the Sui blockchain. Ultimately, the impact was theft of cryptocurrency assets as attackers drained victims' wallets using exfiltrated credentials.
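The initial-access step above relies on an extension that was installed from the official store, so "came from the Web Store" is not a usable trust signal on its own; an explicit allowlist plus a review of requested permissions is. The following is an added example (not code from the advisory or from any vendor product) that audits an extension inventory against an allowlist. It reads a JSON document shaped like the `extensions.settings` section of Chrome's per-profile Preferences file; the key names (`manifest`, `from_webstore`, `permissions`, `host_permissions`) are an assumption about that format, and the inventory, extension IDs and allowlist are all constructed placeholders.

```python
"""Audit an installed-extension inventory against an allowlist.

Added example, not from the original advisory. The input is modelled on the
``extensions.settings`` section of Chrome's Preferences file (key names are an
assumption); the sample inventory and IDs below are constructed placeholders.
"""
import json

# Permissions that let an extension read page content, script pages or read
# the clipboard, i.e. the capabilities a seed-phrase stealer needs.
SENSITIVE_PERMISSIONS = {"tabs", "scripting", "webRequest", "clipboardRead", "nativeMessaging"}

# Constructed sample inventory: one approved helper and one wallet-style
# extension that requests broad page access. IDs are placeholders.
SAMPLE_PREFERENCES = json.dumps({
    "extensions": {
        "settings": {
            "placeholder-id-approved-sso-helper": {
                "from_webstore": True,
                "manifest": {
                    "name": "Corporate SSO Helper",
                    "version": "2.1.0",
                    "permissions": ["storage"],
                    "host_permissions": ["https://sso.example.com/*"],
                },
            },
            "placeholder-id-wallet-extension": {
                "from_webstore": True,   # store origin alone proves nothing
                "manifest": {
                    "name": "Ethereum Wallet",
                    "version": "1.0.3",
                    "permissions": ["storage", "tabs", "scripting"],
                    "host_permissions": ["<all_urls>"],
                },
            },
        }
    }
})

# Hypothetical set of extension IDs the organisation has reviewed and approved.
ALLOWLIST = {"placeholder-id-approved-sso-helper"}


def audit_extensions(preferences_json, allowlist):
    """Return one finding per extension that violates policy.

    A finding is a dict with the extension id, its display name and the list
    of reasons it was flagged. Extensions on the allowlist with no sensitive
    permissions produce no finding.
    """
    prefs = json.loads(preferences_json)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        perms = set(manifest.get("permissions", []))
        hosts = set(manifest.get("host_permissions", []))
        reasons = []
        if ext_id not in allowlist:
            reasons.append("not on allowlist")
        if not entry.get("from_webstore", False):
            reasons.append("sideloaded (not installed from the Web Store)")
        risky = sorted(perms & SENSITIVE_PERMISSIONS)
        if risky:
            reasons.append("sensitive permissions: " + ", ".join(risky))
        if "<all_urls>" in hosts or any(h.startswith("*://*/") for h in hosts):
            reasons.append("broad host access")
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_PREFERENCES, ALLOWLIST):
        print(f"{finding['name']} ({finding['id']}): " + "; ".join(finding["reasons"]))
```

In a managed fleet the same policy is better enforced at install time (Chrome's enterprise extension allowlist and blocklist policies) than audited afterwards; the script is useful for finding what is already present on endpoints and for checking that the store-installed wallet-style extension in the sample is caught by the allowlist rather than by its origin.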
Kill Chain Progression
Initial Compromise
Description
Victims installed a malicious Chrome extension from the official Web Store under the guise of a legitimate Ethereum wallet.
MITRE ATT&CK® Techniques
- Compromise Software Supply Chain: Compromise Software Dependencies and Development Tools
- Compromise Client Software Binary
- Phishing: Spearphishing Attachment
- Browser Extensions
- Credentials from Password Stores: Credentials from Web Browsers
- Exfiltration Over C2 Channel
- Exfiltration Over Web Service: Exfiltration to Cloud Storage
- Exploitation for Credential Access
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Credential Management for Users and Applications
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy and Procedures
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management
Control ID: Article 8
CISA Zero Trust Maturity Model 2.0 – Credential and Authentication Security
Control ID: Identity - Credential & Authentication Protection
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Chrome extension infostealer targeting Ethereum wallets poses severe cryptocurrency theft risks, requiring enhanced egress security and zero trust segmentation controls.
Banking/Mortgage
Malicious browser extensions threaten digital banking security, necessitating encrypted traffic monitoring and anomaly detection for customer financial data protection.
Investment Banking/Venture
Cryptocurrency wallet theft attacks endanger institutional digital asset management, demanding multicloud visibility and threat detection for investment portfolio security.
Computer/Network Security
Seed phrase exfiltration via fake security extensions highlights browser-based attack vectors requiring inline IPS and cloud native security fabric implementations.
Sources
- Fake Chrome Extension "Safery" Steals Ethereum Wallet Seed Phrases Using Sui Blockchain (The Hacker News): https://thehackernews.com/2025/11/fake-chrome-extension-safery-steals.html
- Fake Chrome Extension 'Safery' Steals Ethereum Wallet Seed Phrases (Cyberwarzone): https://cyberwarzone.com/2025/11/15/fake-chrome-extension-safery-steals-ethereum-wallet-seed-phrases/
- Fake Crypto Wallet Ranks Fourth on Chrome Web Store While Stealing User Funds (Brave New Coin): https://bravenewcoin.com/insights/fake-crypto-wallet-ranks-fourth-on-chrome-web-store-while-stealing-user-funds
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, egress controls, behavioral anomaly detection, and encrypted traffic enforcement would have restricted malicious communications, detected abnormal exfiltration attempts, and limited attacker access to sensitive data even in the event of social engineering compromise.
Control: Threat Detection & Anomaly Response
Mitigation: Early detection of extension-related anomalies within cloud-managed or VDI environments.
Control: Zero Trust Segmentation
Mitigation: Limited extension’s lateral access to sensitive resources and enforced least-privilege policy.
Control: East-West Traffic Security
Mitigation: Prevention of potential pivoting within enterprise or multi-cloud assets.
Control: Cloud Firewall (ACF) & Egress Security & Policy Enforcement
Mitigation: Blocked outbound connections to malicious domains and unauthorized data transfer attempts.
Control: Encrypted Traffic (HPE) & Egress Security & Policy Enforcement
Mitigation: Detection and prevention of unencrypted or suspicious data exfiltration.
Rapid detection and incident notification of asset compromise.
Impact at a Glance
Affected Business Functions
- Cryptocurrency Wallet Management
- Financial Transactions
Estimated downtime: N/A
Estimated loss: $500,000
The incident led to the exposure of users' Ethereum wallet seed phrases, granting attackers full access to victims' cryptocurrency assets. This resulted in unauthorized transactions and significant financial losses for affected individuals.
Recommended Actions
Key Takeaways & Next Steps
- Enforce zero trust network segmentation and least privilege for all user-accessible browser sessions; limit extension access to sensitive data paths.
- Deploy anomaly detection and threat intelligence solutions for continuous monitoring of browser behavior and cloud egress patterns.
- Implement granular egress filtering to block unauthorized extension communications, including suspicious blockchain and HTTP(S) traffic.
- Require baseline encryption for all outbound data, alerting on attempts to send unencrypted sensitive information.
- Establish incident response automation that provides real-time alerts and remediation for credential exfiltration or anomalous transaction activity.
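The egress-filtering and encryption recommendations above can be expressed as a small policy evaluated over proxy logs. The following is an added example (not code from the advisory or from any vendor product): browser-originated connections may only reach allowlisted hosts, any non-TLS request that carries a body is reported as a plaintext upload, and repeated uploads from one user to one unknown host are rolled up into a burst alert, which is the pattern a seed-phrase exfiltration over a blockchain RPC endpoint would produce. The log format, the hostnames (all under the reserved `.invalid` and `example.com` names) and the allowlist are constructed for this example.

```python
"""Evaluate constructed proxy log lines against a browser egress policy.

Added example, not part of the advisory. Log format, hostnames and the
allowlist are all constructed; ``.invalid`` and ``example.com`` are reserved
names and stand in for real infrastructure.
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed allowlist of hosts a managed browser may reach.
EGRESS_ALLOWLIST = {"intranet.example.com", "mail.example.com"}

# Constructed log lines: timestamp, user, process, method, URL, request bytes.
SAMPLE_LOG = """\
2025-11-14T10:02:11Z alice chrome.exe GET https://intranet.example.com/home 0
2025-11-14T10:02:15Z alice chrome.exe POST https://rpc.chain-node.invalid/ 1432
2025-11-14T10:02:16Z alice chrome.exe POST https://rpc.chain-node.invalid/ 1440
2025-11-14T10:02:18Z alice chrome.exe POST https://rpc.chain-node.invalid/ 1436
2025-11-14T10:03:40Z bob chrome.exe POST http://collector.invalid/upload 912
2025-11-14T10:04:02Z bob outlook.exe GET https://mail.example.com/inbox 0
"""


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, user, proc, method, url, nbytes = line.split()
    parts = urlsplit(url)
    return {"ts": ts, "user": user, "process": proc, "method": method,
            "scheme": parts.scheme, "host": parts.hostname, "bytes": int(nbytes)}


def evaluate_egress(log_text, allowlist, burst_threshold=3):
    """Return (per-event findings, burst alerts) for browser-originated egress.

    Only events from a browser process are judged; other processes are out of
    scope for this policy. Per-event findings list why a request violated
    policy; burst alerts summarise repeated uploads to one unknown host.
    """
    findings = []
    unknown_host_uploads = Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if not ev["process"].startswith("chrome"):
            continue
        reasons = []
        if ev["host"] not in allowlist:
            reasons.append("host not on egress allowlist")
            if ev["method"] == "POST" and ev["bytes"] > 0:
                unknown_host_uploads[(ev["user"], ev["host"])] += 1
        if ev["scheme"] == "http" and ev["bytes"] > 0:
            reasons.append("plaintext upload")
        if reasons:
            findings.append({"ts": ev["ts"], "user": ev["user"],
                             "host": ev["host"], "reasons": reasons})
    bursts = [{"user": u, "host": h, "count": c}
              for (u, h), c in unknown_host_uploads.items() if c >= burst_threshold]
    return findings, bursts


if __name__ == "__main__":
    events, alerts = evaluate_egress(SAMPLE_LOG, EGRESS_ALLOWLIST)
    for e in events:
        print(f"{e['ts']} {e['user']} -> {e['host']}: " + "; ".join(e["reasons"]))
    for a in alerts:
        print(f"BURST {a['user']} -> {a['host']} ({a['count']} uploads)")
```

The design point is that the allowlist, not a blocklist of known-bad domains, does the work: a public blockchain node is not on anyone's threat feed, but it is also not on the list of hosts a corporate browser needs, so the three small POSTs from the sample wallet session are caught without any knowledge of the specific chain used.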