Overview
- The Chrome Web Store listing was uploaded on September 29, updated on November 12, and remained available on November 14, ranking fourth for “Ethereum Wallet.”
- During wallet creation or import, the code encodes the BIP-39 words into synthetic Sui-style addresses and sends 0.000001 SUI to those addresses from a wallet derived from an attacker-controlled mnemonic.
- Attackers monitor the public ledger and decode recipient addresses to reconstruct the exact seed phrase, enabling full takeover of affected wallets.
- Socket’s Threat Research Team disclosed the behavior and Koi Security independently confirmed it, publishing technical indicators and guidance for defenders.
- Google has been asked to pull the listing and suspend the publisher tied to a Gmail account, as researchers urge users to install only vetted wallets and to flag extensions that write on-chain or make unexpected blockchain RPC calls.