Verify a decision

{"actor":"system:backfill","investigation_id":"148af5d8-1215-4b97-81fe-a7a89e0352c1","kind":"publish","page_slug":"safepal","published_at":"2026-05-19T19:14:05.615Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"SafePal","sections":[{"content":"SafePal was founded in 2018 by Veronica Wong, who previously worked at Tencent. The company was incubated by Binance Labs (now YZi Labs) in December 2018, making it the first hardware wallet to receive Binance investment. SafePal launched its S1 hardware wallet in May 2019. In February 2021, Binance Launchpad hosted a token sale for SafePal's native utility token (SFP), raising $5 million from approximately 47,286 participants with a 164x oversubscription. The SFP token trades as a BEP-20 asset on Binance Smart Chain and can be used to purchase SafePal products at a discount. Additional investors include Animoca Brands and SuperScrypt. The Binance Labs relationship provides SafePal with significant distribution and credibility within the Binance ecosystem, but also raises concerns about conflicts of interest and whether independent security audits have been conducted at arm's length.","heading":"Company Background and Binance Backing","severity":"low","sources":[{"credibility":1,"name":"Binance Launchpad: Introducing SafePal (SFP) Token Sale","type":"official","url":"https://www.binance.com/en/support/articles/3a599775d4474e299c3aed3455e12478"},{"credibility":1,"name":"YZi Labs: Seven Years of Backing Long-Term Builders","type":"official","url":"https://www.yzilabs.com/blog/from-binance-labs-incubator-to-easy-residency-seven-years-of-backing-long-term-builders"},{"credibility":2,"name":"IQ.wiki: SafePal Dapps Entry","type":"research","url":"https://iq.wiki/wiki/safepal"}]},{"content":"A fake browser extension named 'Safepal Wallet' was listed on the official Mozilla Firefox Add-ons store from at least February 16, 2021, and remained live for approximately seven months before removal. The extension had no affiliation with the legitimate SafePal company. SafePal has never released an official Firefox extension, making any such listing a clear impersonation. The malicious add-on directed users to a phishing domain (safeuslife.com), where victims were prompted to enter their 12-word seed recovery phrase under the pretense of pairing their hardware wallet. Recovery phrases were silently transmitted to the attacker upon form submission, granting full wallet access. At least one user publicly reported losing approximately $4,000 in cryptocurrency within eight hours of installing the extension. Mozilla removed the extension after community reports, though the phishing domain remained operational at the time of reporting. SafePal published an official scam alert on September 30, 2021, warning users about the incident. No aggregate total of losses from the extension has been published by any credible source.","heading":"Malicious Firefox Extension (2021)","severity":"high","sources":[{"credibility":1,"name":"BleepingComputer: Malicious Safepal Wallet Firefox add-on stole cryptocurrency","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/malicious-safepal-wallet-firefox-add-on-stole-cryptocurrency/"},{"credibility":2,"name":"Heimdal Security: Malicious Safepal Wallet Add-On Goes After Cryptocurrency","type":"news_article","url":"https://heimdalsecurity.com/blog/malicious-safepal-wallet-add-on-goes-after-cryptocurrency/"},{"credibility":3,"name":"Mozilla Discourse: Got hacked by the add-on called Safepal Wallet","type":"community_report","url":"https://discourse.mozilla.org/t/got-hacked-by-the-add-on-called-safepal-wallet/85797"},{"credibility":1,"name":"SafePal Official Scam Alert (September 2021)","type":"official","url":"https://www.safepal.com/en/blog/scam-alert-beware-of-malicious-safepal-wallet-applications"},{"credibility":2,"name":"TechRadar: This malicious Firefox extension will drain your crypto wallet","type":"news_article","url":"https://www.techradar.com/news/this-malicious-firefox-extension-will-drain-your-crypto-wallet"}]},{"content":"On February 16, 2021, Kraken Security Labs published a security audit of the SafePal S1 hardware wallet, disclosing three categories of vulnerabilities discovered in November 2020. First, the device's tamper-detection mechanism was found to be ineffective: researchers bypassed the claimed self-destruct and data-erasing feature by reconnecting a single RF shield clip to ground using a wire, after which data was not erased as intended. This is significant because the SafePal S1 is marketed partly on its tamper-resistance. Second, researchers demonstrated a firmware downgrade attack, successfully reverting the device from firmware v1.0.18 to v1.0.17 without detection, potentially enabling exploitation of older vulnerabilities. SafePal issued a patch in firmware v1.0.24. Third, SafePal allegedly included GPLv2-licensed components (U-Boot and Linux Kernel) in its firmware without providing the required source code, a potential open-source licensing violation. Kraken noted that none of these vulnerabilities were fully exploited in their testing, but collectively they undermined the security guarantees the product advertises. SafePal's response to the GPL violation allegation was not publicly documented.","heading":"Hardware Security Flaws (Kraken Security Labs, 2020-2021)","severity":"high","sources":[{"credibility":1,"name":"Kraken Security Labs: Flaws in SafePal S1 Hardware Wallet","type":"research","url":"https://blog.kraken.com/product/security/kraken-security-labs-finds-flaws-in-safepal-s1-hardware-wallet"}]},{"content":"In June 2025, blockchain security firm SlowMist documented a case in which a cryptocurrency investor lost approximately $6.5 to $7 million after purchasing a tampered cold wallet via Douyin Shop, the e-commerce feature of Douyin (China's version of TikTok). The device was advertised as factory-sealed and offered at a discounted price. According to SlowMist, the wallet's private key was 'compromised at creation,' meaning the seed phrase was known to the attacker before the device was ever delivered. Funds were drained within hours of deposit. SlowMist tracked the stolen funds being laundered through Huiwang, a Cambodian network connected to Huione Pay, Huione Crypto, and the darknet market Haowang Guarantee, and stated that 'recovery is unlikely.' The victim was described as someone closely associated with Bitmain co-founder Jihan Wu. SlowMist's chief information security officer (X: 23pds) publicly warned: 'Don't gamble your entire fortune on a wallet that's a few hundred bucks cheaper.' While this incident involves a device branded or sold as a SafePal product, the tampering appears to have occurred through an unauthorized third-party seller in the Douyin marketplace, not through SafePal's official supply chain. SafePal publicly recommends purchasing exclusively through official channels.","heading":"Douyin (Chinese TikTok) Tampered Hardware Wallet Scam (2025)","severity":"critical","sources":[{"credibility":1,"name":"CoinTelegraph: Crypto investor loses $6.9M to sketchy cold wallet","type":"news_article","url":"https://cointelegraph.com/news/crypto-investor-loses-6m-douyin-cold-wallet-scam"},{"credibility":2,"name":"CryptoTimes: Crypto Scam Costs User $7 Million via Fake Cold Wallet on Douyin","type":"news_article","url":"https://www.cryptotimes.io/2025/06/16/crypto-scam-costs-user-7-million-via-fake-cold-wallet-on-douyin/"},{"credibility":2,"name":"Outposts.io: SafePal User Loses $6.5M to Tampered Cold Wallet Scam","type":"news_article","url":"https://outposts.io/article/safepal-user-loses-dollar65m-to-tampered-cold-wallet-scam-8a1a75b9-3c7e-485e-80a9-54e6a6b18d6b"},{"credibility":2,"name":"Analytics Insight: Crypto Investor Loses $6.9M in Douyin Cold Wallet Scam","type":"news_article","url":"https://www.analyticsinsight.net/news/crypto-investor-loses-69m-in-douyin-cold-wallet-scam-are-discounted-devices-safe"}]},{"content":"In March 2026, on-chain investigator ZachXBT flagged a case in which a Kraken user lost $18.2 million in a suspected social engineering attack. ZachXBT noted that the threat actor began moving stolen funds approximately 45 minutes after compromise, bridging 878 ETH to Bitcoin via THORChain using a SafePal wallet as a transaction conduit. SafePal was not the target or subject of the investigation; the wallet was used as an intermediate step to obscure the flow of stolen funds. No comment from SafePal was recorded in coverage of this incident. ZachXBT has also documented at least one separate case in which a scammer impersonating a Binance customer support representative instructed a victim to set up a SafePal wallet and transfer crypto assets to it, falsely claiming the victim's account was under investigation. In both instances, SafePal's involvement was as an unwitting tool rather than as an active participant in the fraud.","heading":"ZachXBT Flagging: SafePal Used in Fund Laundering (2026)","severity":"medium","sources":[{"credibility":2,"name":"BeInCrypto: Kraken User Drained in Suspected Social Engineering Heist","type":"news_article","url":"https://beincrypto.com/kraken-user-18m-social-engineering-thorchain/"},{"credibility":2,"name":"CoinEdition: Kraken User Loses $18.2M; Funds Moved via THORChain","type":"news_article","url":"https://coinedition.com/kraken-user-loses-18-2m-in-social-engineering-scam-funds-moved-via-thorchain/"}]},{"content":"An unconfirmed report published by Startup Fortune described a case in which a customer alleged that scammers contacted them with their full name, home address, order details, number of devices purchased, device model, delivery address, and payment method — all tied to SafePal S1 hardware wallet purchases made directly from SafePal's official website. SafePal responded that it does not retain payment details or personal information because it operates as a decentralized wallet, and stated it would investigate any indications of data compromise. As of public reporting, SafePal has not confirmed an official breach or disclosed a number of affected users. The public claim does not allege exposure of seed phrases or private keys. However, a leaked physical address linked to a crypto hardware wallet purchase creates meaningful downstream risks including targeted phishing, intimidation, and SIM-swapping. This claim is rated low confidence due to lack of corroborating Tier 1 sources.","heading":"Alleged Customer Data Leak","severity":"medium","sources":[{"credibility":3,"name":"Startup Fortune: SafePal faces a trust test after a reported customer data leak","type":"news_article","url":"https://startupfortune.com/safepal-faces-a-trust-test-after-a-reported-customer-data-leak/"}]},{"content":"SafePal has published multiple official warnings about impersonation campaigns targeting its users. Documented vectors include: fake SafePal support accounts on Telegram, Twitter/X, YouTube, Facebook, TikTok, and Discord soliciting seed phrases; counterfeit SafePal websites designed to harvest credentials; fake customer service representatives instructing users to 'verify' or 'upgrade' wallets; and phone calls impersonating SafePal staff. SafePal states it provides support only through official website support tickets and will never contact users via social media direct messages or unsolicited calls. The prevalence of these campaigns reflects the platform's large user base (claimed 10 million users) and its association with Binance, which gives impersonators a high-trust hook.","heading":"Ongoing Impersonation and Social Engineering Vectors","severity":"medium","sources":[{"credibility":1,"name":"SafePal Official: How Scammers Exploit Blockchain Transparency","type":"official","url":"https://www.safepal.com/en/blog/how-scammers-exploit-blockchain-transparency"},{"credibility":1,"name":"SafePal Official: Tron Multi-Sig Scams","type":"official","url":"https://www.safepal.com/en/blog/tron-multisig-scam"},{"credibility":1,"name":"SafePal Blog: Safety Guides — How to Report Scammers and Fake Content","type":"official","url":"https://blog.safepal.com/safety-guides-how-to-report-scammers-and-fake-contents/"}]}],"sources_used":[],"summary":"SafePal is a hardware and software cryptocurrency wallet founded in 2018 by Veronica Wong and incubated by Binance Labs, with over 10 million claimed users. The platform has been surrounded by multiple serious security incidents including a malicious Firefox extension that impersonated the wallet for seven months in 2021, a Binance-backed Launchpad token (SFP), hardware vulnerabilities disclosed by Kraken Security Labs, and a $6.5–7 million theft linked to a tampered hardware wallet sold via the Chinese platform Douyin (TikTok China). SafePal itself has not been hacked directly, but its brand has been repeatedly exploited by third-party threat actors, and ZachXBT has documented its wallets appearing in fund-laundering flows.","timeline":[{"date":"2018-01-01","event":"SafePal founded by Veronica Wong and co-founders.","source":"IQ.wiki / SafePal About Page","source_url":"https://iq.wiki/wiki/safepal"},{"date":"2018-12-01","event":"SafePal incubated by Binance Labs.","source":"YZi Labs Blog","source_url":"https://www.yzilabs.com/blog/from-binance-labs-incubator-to-easy-residency-seven-years-of-backing-long-term-builders"},{"date":"2019-05-01","event":"SafePal S1 hardware wallet launched.","source":"IQ.wiki / SafePal About Page","source_url":"https://iq.wiki/wiki/safepal"},{"date":"2020-11-18","event":"Kraken Security Labs discovers tamper-detection bypass, firmware downgrade vulnerability, and GPL violations in SafePal S1.","source":"Kraken Security Labs Blog","source_url":"https://blog.kraken.com/product/security/kraken-security-labs-finds-flaws-in-safepal-s1-hardware-wallet"},{"date":"2021-02-16","event":"Malicious 'Safepal Wallet' Firefox extension appears on Mozilla Add-ons store; Kraken Security Labs publishes S1 vulnerability report.","source":"BleepingComputer / Kraken Blog","source_url":"https://www.bleepingcomputer.com/news/security/malicious-safepal-wallet-firefox-add-on-stole-cryptocurrency/"},{"date":"2021-02-01","event":"Binance Launchpad hosts SafePal (SFP) token sale; 164x oversubscribed, raising $5 million.","source":"Binance Support","source_url":"https://www.binance.com/en/support/articles/3a599775d4474e299c3aed3455e12478"},{"date":"2021-09-01","event":"Mozilla removes malicious 'Safepal Wallet' Firefox extension after approximately seven months online.","source":"BleepingComputer","source_url":"https://www.bleepingcomputer.com/news/security/malicious-safepal-wallet-firefox-add-on-stole-cryptocurrency/"},{"date":"2021-09-30","event":"SafePal publishes official scam alert warning about the Firefox extension and other impersonation vectors.","source":"SafePal Official Blog","source_url":"https://www.safepal.com/en/blog/scam-alert-beware-of-malicious-safepal-wallet-applications"},{"date":"2025-06-14","event":"SlowMist receives emergency report: investor loses approximately $6.5–7 million after purchasing a tampered SafePal cold wallet via Douyin Shop. Private key was compromised at creation; funds drained within hours.","source":"CryptoTimes / Outposts.io / CoinTelegraph","source_url":"https://www.cryptotimes.io/2025/06/16/crypto-scam-costs-user-7-million-via-fake-cold-wallet-on-douyin/"},{"date":"2026-03-31","event":"ZachXBT flags that a Kraken user who lost $18.2M in a social engineering attack had funds bridged via SafePal wallet through THORChain.","source":"BeInCrypto","source_url":"https://beincrypto.com/kraken-user-18m-social-engineering-thorchain/"}]},"v":1}