Overview
- Socket reported that the Chrome Web Store listing, uploaded on September 29 and updated on November 12, remained available as of November 13.
- The extension encodes BIP-39 mnemonics into synthetic Sui-style addresses and sends 0.000001 SUI from a hardcoded attacker wallet to exfiltrate the seed.
- Attackers monitor the Sui blockchain, decode recipient addresses, and can reconstruct victims’ seed phrases to drain assets, a finding Koi Security corroborated.
- Researchers asked Google to remove the listing and suspend the publisher account linked to a Gmail address, noting that the listing ranks fourth in Chrome Web Store searches for “Ethereum Wallet”.
- Security guidance urges users to install only vetted wallets and advises defenders to block extensions that write on-chain during setup and to scan for mnemonic encoders or hard-coded secrets.
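The last point (block extensions that write on-chain during setup; scan for mnemonic encoders and hard-coded secrets) as an added, runnable triage script; this is example code written for this page, not Socket's or Koi Security's tooling. The sample script text, the indicator regexes and the scoring weights are constructed heuristics, and a legitimate wallet also embeds the BIP-39 wordlist, so that signal alone only rates a review.

```python
import re
from pathlib import Path

# Constructed sample of a bundled extension script showing the three indicator classes the
# guidance names; illustrative text, not code from the reported extension.
SAMPLE_JS = """
const WORDS = ["abandon","ability","able", /* ... */ "zone","zoo"];
const FUNDER = "0x00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff";
async function onCreateWallet() {
  const mnemonic = generateMnemonic(WORDS);
  await client.executeTransactionBlock({ transactionBlock: tx, signature: sig });
}
"""

# The BIP-39 English wordlist starts with "abandon" and ends with "zoo"; a script carrying
# both as string literals very likely embeds the whole list (heuristic; legit wallets do too).
WORDLIST_RE = re.compile(r'["\']abandon["\'].*?["\']zoo["\']', re.S)
# 32-byte hex constants (a key or a funding address) and Sui's Bech32 private-key prefix.
SECRET_RE = re.compile(r'\b(?:0x)?[0-9a-fA-F]{64}\b|suiprivkey1[0-9a-z]+')
# Wallet-creation routines next to transaction submission: a wallet has no reason to write
# on-chain while the user is still generating a seed.
SETUP_RE = re.compile(r'generateMnemonic|mnemonicToSeed|deriveKeypair', re.I)
ONCHAIN_RE = re.compile(r'executeTransactionBlock|signAndExecuteTransaction')


def scan_extension_source(src: str) -> dict:
    """Return indicator hits for one script as plain counts/booleans."""
    return {
        "embedded_bip39_wordlist": bool(WORDLIST_RE.search(src)),
        "hardcoded_32byte_constants": len(SECRET_RE.findall(src)),
        "onchain_write_in_wallet_setup": bool(SETUP_RE.search(src) and ONCHAIN_RE.search(src)),
    }


def verdict(findings: dict) -> str:
    """Weight the signals: an on-chain write during setup is the strongest single indicator."""
    score = (int(findings["embedded_bip39_wordlist"])
             + int(findings["hardcoded_32byte_constants"] > 0)
             + 2 * int(findings["onchain_write_in_wallet_setup"]))
    return "BLOCK" if score >= 3 else ("REVIEW" if score >= 1 else "CLEAN")


def scan_unpacked_extension(root: str) -> dict:
    """Scan every .js file under an unpacked extension directory (path layout assumed)."""
    return {str(p): scan_extension_source(p.read_text(errors="ignore"))
            for p in Path(root).rglob("*.js")}


if __name__ == "__main__":
    print(verdict(scan_extension_source(SAMPLE_JS)))  # BLOCK
```

Point `scan_unpacked_extension` at a directory unpacked from a `.crx` to triage every script; minified bundles still expose the wordlist, hex constants and RPC method names these patterns look for.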