A browser extension advertised as an Ethereum wallet remained accessible on the Chrome Web Store despite researchers identifying it as a tool designed to steal cryptocurrency. The extension, called Safery, appeared in search results for wallet tools and presented itself as a legitimate option for users seeking to manage digital assets. Security analysts found that Safery had been available for more than a year and was able to collect sensitive information from users who installed it.

Researchers reported that the extension requested access to wallet seed phrases, which are the primary recovery codes for cryptocurrency accounts. Once a user entered the phrase, the extension transmitted the information in encoded form through transactions on the Sui blockchain. The data was embedded within specific transfer addresses linked to the attacker’s wallet. By reconstructing the seed phrase from these transactions, the operator gained full control of the victim’s crypto accounts and could withdraw funds without detection until the account holder noticed the activity.

The extension’s continued presence on the Chrome Web Store raised questions about the effectiveness of marketplace oversight. Users often assume that an extension listed on an official platform has undergone adequate review. In this case, Safery maintained a position among the top results for Ethereum wallet searches, increasing the likelihood that users would install it without verifying its background. Although the listing had been flagged publicly, Safery remained accessible for download at the time of the researchers’ findings.

Risks for crypto users and measures to reduce exposure

Seed phrases represent complete access to a cryptocurrency wallet. When this information is compromised, attackers can transfer assets to external accounts with little resistance. Safery’s method of concealing stolen data within blockchain transactions made the activity difficult to detect even for experienced users. This approach bypassed common security warnings because it did not rely on visible malware or direct network transmission. The extension appeared functional on the surface, which helped conceal its purpose.

Incidents like this highlight the risks associated with browser extensions, particularly those that handle financial tools or private keys. Users rely on these extensions for convenience but may not consider how much access they provide to sensitive information. A malicious extension with permissions to view or modify wallet data poses a significant threat. Even a small number of installs can result in substantial losses if users store large holdings or manage multiple accounts through the compromised platform.

Protecting cryptocurrency accounts requires careful control of both wallet information and browser environments. Users should verify the developer of any extension and check whether it has a transparent history, a consistent update record, or visible engagement from real customers. Extensions with little information about the publisher or those that recently appeared in search rankings should be treated cautiously. Reviews can offer clues, but they are not always reliable because they may be fabricated.

Users should also monitor the permissions requested by an extension. If a wallet tool requests broad access to browser data or permissions unrelated to its core functions, this may indicate suspicious behaviour. Browser settings should be reviewed regularly to remove unused extensions and limit exposure. Creating a separate browser profile for crypto activity can reduce risk by isolating financial tools from general browsing.
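The permission review described above can be partly automated by reading an extension's manifest.json. The script below is an added example, not code from the researchers or from this article's source; the list of sensitive permissions and the sample manifest are assumptions constructed for illustration.

```python
import json

# Host patterns that let an extension read or modify every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions a wallet tool rarely needs (list chosen for this example).
SENSITIVE_APIS = {"tabs", "cookies", "history", "webRequest", "clipboardRead",
                  "debugger", "nativeMessaging", "scripting"}


def audit_manifest(manifest):
    """Return a list of findings for one parsed manifest.json (MV2 or MV3)."""
    findings = []
    requested = list(manifest.get("permissions", []))
    requested += manifest.get("optional_permissions", [])
    perms = [p for p in requested if isinstance(p, str)]
    # Manifest V3 keeps host patterns in their own keys.
    hosts = list(manifest.get("host_permissions", []))
    hosts += manifest.get("optional_host_permissions", [])
    # Manifest V2 mixes host patterns into "permissions".
    hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
    for h in sorted(set(hosts) & BROAD_HOSTS):
        findings.append(f"broad host access: {h}")
    for p in sorted(set(perms) & SENSITIVE_APIS):
        findings.append(f"sensitive API permission: {p}")
    for cs in manifest.get("content_scripts", []):
        for m in sorted(set(cs.get("matches", [])) & BROAD_HOSTS):
            findings.append(f"content script injected on: {m}")
    return findings


# Constructed sample manifest, not taken from any real extension.
SAMPLE_MANIFEST = json.loads("""
{
  "manifest_version": 3,
  "name": "Example Wallet (constructed sample)",
  "permissions": ["storage", "tabs", "clipboardRead"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["https://*/*"], "js": ["inject.js"]}]
}
""")

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```

To check an installed extension, load its manifest.json from the browser profile's Extensions directory with `json.load` and pass the result to `audit_manifest`. A finding is a prompt for closer review, not proof of malicious behaviour.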

For users who store substantial digital assets, hardware wallets offer greater security. Hardware devices prevent seed phrases from being exposed in a browser window or extension interface. They store the recovery phrase offline, which reduces the risk posed by malicious software. Browser-based tools may still be used for small transactions or testing, but sensitive information should not be entered into extensions from unknown sources.

Marketplaces that distribute browser extensions face ongoing challenges in identifying and removing malicious listings. The Safery case shows how easily a harmful extension can remain online and attract users through search results. Until automated and manual review processes improve, users cannot assume that a listing is safe solely because it appears in an official store. A cautious approach, combined with regular account monitoring, remains essential for anyone managing digital assets.
