The extension disguises itself as a standard Ethereum wallet and ranks fourth in the Chrome Web Store's search results for "Ethereum Wallet", just behind MetaMask, Socket's researchers said.
When a user creates a new wallet or imports an existing one, the extension encodes the user's mnemonic phrase (a 12- to 24-word seed phrase) into synthetic Sui hex addresses and then sends microtransactions of 0.000001 SUI to each of them, so that the exfiltration looks like legitimate, rule-abiding network activity.
"To outside observers, it looks like microtransactions to arbitrary recipients, but in reality, destination addresses are fragments of a user's mnemonic phrase. Using the same decoder built into the extension, the attacker recovers the initial phrase word by word and gains full control over the victim's wallet. The disclosure of seed phrases occurs exclusively within the framework of ordinary blockchain traffic," the security experts explained.
Because the stolen data travels inside ordinary blockchain traffic, the scheme bypasses traditional detection that relies on domains, URLs, or specific extension identifiers, Socket's researchers added.
Earlier, researchers at Mosyle reported on ModStealer, malware that steals crypto wallet data from Windows, Linux, and macOS devices.
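Since the exfiltration rides on ordinary transfers, one place a defender can still look is the wallet's own outgoing activity: a burst of identical dust-sized sends to many never-before-seen recipients, which is exactly what the scheme above produces. The heuristic below is an added example, not Socket's code; the transfers are constructed, the MIST unit conversion (1 SUI = 10^9 MIST) is noted in a comment, and the window and threshold values are tuning assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

DUST_MIST = 1_000            # 0.000001 SUI in MIST (1 SUI = 10^9 MIST)
WINDOW_SECONDS = 600         # burst window; tuning assumption
MIN_FRESH_RECIPIENTS = 8     # distinct fresh recipients before we alert; tuning assumption


@dataclass(frozen=True)
class Transfer:
    ts: int            # unix timestamp
    sender: str
    recipient: str
    amount_mist: int


def flag_dust_bursts(transfers, window=WINDOW_SECONDS, min_fresh=MIN_FRESH_RECIPIENTS):
    """Return {sender: sorted recipients} for senders that, within `window` seconds,
    sent the dust amount to at least `min_fresh` addresses with no prior on-chain activity."""
    seen = set()                   # addresses already observed as sender or recipient
    by_sender = defaultdict(list)  # sender -> [(ts, recipient)] dust sends to fresh addresses
    for t in sorted(transfers, key=lambda t: t.ts):
        if t.amount_mist == DUST_MIST and t.recipient not in seen:
            by_sender[t.sender].append((t.ts, t.recipient))
        seen.add(t.sender)
        seen.add(t.recipient)
    flagged = {}
    for sender, sends in by_sender.items():
        hits, start = set(), 0
        for end in range(len(sends)):            # sliding window over this sender's sends
            while sends[end][0] - sends[start][0] > window:
                start += 1
            if end - start + 1 >= min_fresh:     # recipients are fresh, hence already distinct
                hits.update(r for _, r in sends[start:end + 1])
        if hits:
            flagged[sender] = sorted(hits)
    return flagged


def sample_transfers():
    """Constructed sample: one wallet bursting 12 dust sends to fresh addresses, one benign wallet."""
    victim, benign = "0x" + "aa" * 32, "0x" + "bb" * 32
    txs = [Transfer(1_700_000_000 + i * 5, victim, "0x" + f"{i:064x}", DUST_MIST) for i in range(1, 13)]
    txs.append(Transfer(1_700_000_100, benign, "0x" + "cc" * 32, 5_000_000_000))  # 5 SUI, normal transfer
    txs.append(Transfer(1_700_000_200, benign, "0x" + "dd" * 32, DUST_MIST))       # a single dust send
    return txs


if __name__ == "__main__":
    for sender, rcpts in flag_dust_bursts(sample_transfers()).items():
        print(f"{sender}: {len(rcpts)} fresh dust recipients in one window")
```

The constructed burst spaces its sends five seconds apart; a real alert rule would also want to exclude known exchange or faucet senders before paging anyone.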
