The Covid-19 pandemic has turned the world upside down in the last year and a half, leaving us with no option but to rely more on digital solutions – from food delivery to online banking. Needless to say, the more one relies on the digital world, the more vulnerable one becomes to online scams.

Now, scammers are targeting cryptocurrency users via a Firefox add-on named after SafePal. Dozens of Firefox users have fallen prey to an add-on masquerading as a valid extension of the SafePal cryptocurrency hardware wallet. What’s surprising is that this malicious add-on has lived on Mozilla’s Firefox web browser for almost seven months. 

SafePal is a cryptocurrency wallet application capable of safely holding over 10,000 asset types, including Bitcoin, Ethereum, and Litecoin. It is backed by Binance and is now used by over 2 million users in over 146 countries across the globe. While SafePal has official smartphone apps available on both the Apple App Store and Google Play, no genuine SafePal extensions are known to exist for the Firefox browser.

The issue was highlighted by one of the victims, named Cali, in the Firefox support group. “Today I browsed through the add-on list of Mozilla Firefox. I was searching for Safepal wallet extension to use my cryptocurrency wallet also in the web browser. So, my searching ended on the following page: https://addons.mozilla.org/nl/firefox/addon/safepal-wallet/,” she wrote on the support page.

“8 hours later I checked if my funds were still saved on my phone software wallet, also from Safepal. I saw nothing, $0,- balance. I was deep in shock. I saw my last transactions and saw that my funds ($4000),” she added.

As reported on the SafePal Wallet home page, the add-on was released on 16 February 2021. The same page says that the 235 KB add-on is a SafePal application that securely “saves private key locally.” It also has product images and convincing-looking marketing materials.

In order to publish an add-on on Mozilla’s website, developers are required to follow a thorough submission process. Firefox’s developer platform says that the submitted add-ons are “subject to review by Mozilla at any time.” However, the extent of such a review isn’t specified, nor has Mozilla explained how the fake add-on managed to get listed. 

Fortunately, Mozilla Firefox has taken down the extension. “When we become aware of add-ons that pose a risk to security and privacy according to our Add-on Policies, we take steps to prevent them from running in Firefox. In this instance, shortly after we became aware of potential abuse by this extension, we took action to block and remove it from the Firefox Add-on store,” a Mozilla spokesperson stated.