Malicious 'Safepal Wallet' Firefox add-on stole cryptocurrency (2024)

A malicious Firefox add-on named "Safepal Wallet" scammed users by emptying out their wallets and lived on the Mozilla add-ons store for seven months.

Safepalis a cryptocurrency wallet application capable of securelyholdingmore than 10,000 types ofassets, including Bitcoin, Ethereum, and Litecoin.

Although the malicious browser add-on has been taken down, BleepingComputer has seen the phishing website set up by the threat actors is still up.

$4,000 lost to maliciousFirefox add-on

"Today I browsed [through] the add-on list of Mozilla Firefox, I was searching for Safepal wallet extensionto use my cryptocurrency wallet also in the web browser," explains a Mozilla add-ons user who goes by the name, Cali.

Little did Cali know what was coming for them. A few hours after installing and logging in to the add-onwith their real Safepal credentials, the user saw their wallet balance drop to $0.

"I was deep in shock... I saw my last transactions and saw that [$4,000 of my funds]were transferred to another wallet. I could not believe it [was an] add-on that is deployed in the add-on list of Mozilla Firefox," continuesthe user in Mozilla's support forum.

The add-on page for 'Safepal Wallet', seen by BleepingComputer, stated the add-onwas up since at least February 16th, 2021.

On the same page, the 235 KB add-on touts itself to bea Safepal application that securely "saves private keylocally," along withconvincing product imagesandmarketing materials.

To publishan add-on on Mozilla's website, developers are required to follow a submission processthat states submitted add-ons are "subject to review by Mozilla at any time." But, it isn't clear to what extent are submissions reviewed with regards to their safety.

Within five days of Cali's public report of the incident this month, a Mozilla spokesperson responded that they were investigating.The page has since beenremoved by Mozilla.

Although Safepal has officialsmartphoneapps available on bothApple AppStore and Google Play, we arenot aware of there being authentic 'Safepal' browser extensions.

Thankfully, on Mozilla add-ons store, someusers had posted one-star reviews warning others not to download 'Safepal Wallet':

But, for Cali, it seems a little too late in the game, and the chances of themgetting their funds back are bleak.

"I already talked with the police they can do nothing for me. They told me that there is no way they can trace the hacker. The only solution is left for me is maybe some of you can help me out by figuring out who the hacker was and how I can get my funds back," states the user.

BleepingComputer reached out to Mozilla to learn more about the issue:

"Extension security is important to Mozilla, and our ecosystem continually responds to changing threats," aMozilla spokesperson told BleepingComputer.

"Our recent focus has been on limiting the damage malicious extensions can do, helping users discover Recommended Extensions that we vet and monitor, helping users understand the risks that come with installing extensions, and making it easier for users to report potentially malicious extensions to us."

"When we become aware of add-ons that pose a risk to security and privacy according to our Add-on Policies, we take steps to prevent them from running in Firefox. In this instance, shortly after we became aware of potential abuse by this extension, we took action to block and remove it from the Firefox Add-on store."

"Users should be especially cautious about installing software that might have access to private information or financial resources."

'Safepal' phishing domainstill up, collecting recovery phrases

While investigating the malicious Firefoxadd-on, BleepingComputer came across the phishing domain used by the add-on. Thiswebpage, shown below,was also listed asthe "support site" link on the fake add-on's home page:

https://safeuslife.com/tool/

WHOIS recordsindicate the phishing site was registeredin January this year viaNamecheap. At the time of writing, the webpage is still liveand instructs the victim to key intheir "12-word Backup Phrase in the correct order to pair your SafePal Wallet."

But once the recovery phrase is entered and the form is submitted, the page simply refreshes without any noticeable response.The recovery phrase is silently sent to the attacker.

Cryptocurrency wallets, like many online services, use abackup phrase consisting of twelve randomly generated wordsthat can be used forrecovering the user's private key and wallet, shouldthey forget their password. But, the recovery phrase isa crucial secretmeant to be used under exceptionalcirc*mstances and only on thetrusted app or websiteof the service provider.

A stolen recovery phrase can grant attackers control over your wallet along with the ability to access andtransfer funds.

In recent times, cryptocurrency scams are growing, with threat actors are finding innovative and hard-to-detect ways to trick users. Just last week, someonehacked the official Bitcoin.org websiteandsuccessfully scammedvisitors for $17,000.

In previously seen attacks, open-source repositories, including npm, PyPI, and GitHub have been abused for spreading both cryptostealing and cryptomining malware.

With the increasing presence of threat actors on online platforms, users should be careful when providing their security phrases or transferringcryptocurrencyonline.

Mozilla additionallyrecommendsthe following steps for assessing the safety of any browser extension:

BleepingComputer has reached out toSafepalforcomment and we are awaiting their response. We have also reported the phishing domain in question to Namecheap.

Update, Sep 28th, 00:16: Added statement received from Mozilla after publishing.