A dangerous fake crypto wallet has been sitting in fourth place on Google’s Chrome Web Store search results, stealing seed phrases from unsuspecting users through a clever blockchain-based attack method.
The malicious extension called “Safery: Ethereum Wallet” appears legitimate at first glance. It ranks just behind trusted wallets like MetaMask when users search for “Ethereum Wallet” on the Chrome store. However, security researchers have discovered it contains hidden code designed to steal cryptocurrency from anyone who uses it.
How the Scam Works
The fake wallet uses a sophisticated method to steal user seed phrases. When someone creates a new wallet or imports an existing one, the extension secretly encodes their 12 or 24-word seed phrase into fake Sui blockchain addresses.
The malicious code then sends tiny transactions worth 0.000001 SUI tokens to these encoded addresses. To outside observers, these look like normal blockchain activity. But the attackers can decode these transactions to recover the victim’s complete seed phrase and gain full control of their crypto wallet.
Source: socket.dev
Socket’s security team discovered this extension and explained how it works. “The mnemonic leaves the browser concealed inside normal looking blockchain transactions,” their report states. This makes the theft nearly impossible to detect using traditional security methods.
Warning Signs Users Missed
Several red flags should have warned users away from this fake wallet. The extension has zero user reviews and contains grammatical errors in its description. It also lacks an official website and lists only a Gmail address for developer contact.
The extension was initially uploaded on September 29, 2025, with the most recent update on November 12, 2025. Despite these obvious warning signs, the fake wallet managed to climb to fourth place in search rankings, potentially exposing thousands of users to theft.
Security experts say this high ranking gives the malicious extension “immediate visibility and a veneer of legitimacy to unsuspecting users.” This positioning dramatically increases the chances that people will download and use the fake wallet before discovering its true nature.
Growing Threat to Crypto Users
Browser extension scams represent a growing problem in the cryptocurrency space. Industry data shows that wallet-related scams drained over $500 million in 2024 alone, with browser extensions becoming an increasingly popular attack vector according to industry reports.
The timing of this discovery is particularly concerning. AI-powered crypto tools are becoming more popular, with AI agent tokens growing 222% in late 2024. As more people seek convenient ways to manage their cryptocurrency, they become more vulnerable to fake tools that promise easy solutions.
This fake wallet represents a new level of sophistication in crypto theft. Unlike simple phishing websites that might be obvious scams, this extension appeared in Google’s official store alongside legitimate options. The blockchain-based method of stealing seed phrases is also innovative, using the transparency of blockchain networks against users.
Current Status and Response
As of November 14, 2025, the Safery extension remains available for download on the Chrome Web Store. Socket reported the malicious extension to Google’s security team and requested removal of the publisher account, but the extension has not yet been taken down.
The extension’s continued availability highlights ongoing problems with app store security reviews. While Google has policies in place to prevent malicious software, sophisticated scams like this one can slip through the approval process and remain available for weeks or months.
Security researchers warn that this technique could spread to other blockchain networks. The method works by exploiting the public nature of blockchain transactions, meaning similar attacks could target users of Solana, Ethereum, or other cryptocurrency networks.
How to Stay Safe
Users can protect themselves by following several key security practices. Always research any crypto wallet or extension before installation. Look for established tools with thousands of positive reviews and verified developers.
Legitimate crypto wallets like MetaMask undergo regular security audits by professional firms. They also maintain official websites with detailed documentation and support resources. Fake wallets typically lack these features.
Never share seed phrases with anyone, and be suspicious of any software that asks for your complete seed phrase during normal operation. Legitimate wallets only require seed phrases during initial setup or recovery processes.
Monitor your wallet transactions regularly for any unexpected activity. Even tiny transactions could indicate that your seed phrase has been compromised. Use blockchain explorers to review all incoming and outgoing transactions from your addresses.
Enable two-factor authentication on crypto exchanges and wallet services whenever possible. While this won’t protect against seed phrase theft, it adds an extra security layer for online accounts.
The Digital Wild West Continues
This incident shows that cryptocurrency remains a target-rich environment for scammers. Despite years of warnings about security risks, fake wallets and malicious extensions continue to fool users and steal millions of dollars.
The sophistication of this particular scam – using blockchain transactions to hide stolen data – suggests that attackers are constantly developing new methods to stay ahead of security measures. Users must remain vigilant and stick to well-established, audited tools when managing their cryptocurrency assets.