Owners of hardware Trezor cryptocurrency wallets should be on their guard after an email was sent out by thieves attempting to dupe them into downloading new software to their devices.
The emails claim that Trezor, which has been making physical USB-connected devices to protect the cryptocurrency and tokens of users since 2014, “experienced a security incident” yesterday that breached the data of 106,856 of its customers.
Here’s a screenshot of the email, which has the subject line “Your Trezor Suite might be compromised”:
Part of the email reads:
At this moment, it’s technically impossible to accurately assess the scope of the data breach. Due to these circumstances, if you’ve recently accessed your wallet using Trezor Suite, we must assume that your cryptocurrency assets are at risk of being stolen.
However, in reality, the email is not from Trezor at all – but is instead an attempt to dupe unsuspecting owners of Trezor devices into downloading a bogus version of the company’s desktop suite software from a lookalike website.
If you were unfortunate enough to click on the link offered in the email you would find yourself taken to: https://suite.trẹzor.com
Notice anything odd about that? Take a closer look.
Now you’ll hopefully notice that there is an underdot beneath the letter “e” in “trẹzor” in that URL. And that means you’re not going to the real Trezor website (which is at https://trezor.io – the real domain is not even .com!).
This is known as a Unicode domain phishing attack (an IDN homograph attack): a registered domain that uses an accented or otherwise lookalike character so it renders almost identically to the brand it is impersonating.
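The check a mail gateway or a cautious reader can apply to such a link, as an added example that is not part of the original post or Trezor’s own tooling: it pulls the hostname out of the URL, lists any non-ASCII characters with their Unicode names, shows the punycode form that the browser actually resolves, strips combining marks so the lookalike collapses onto the name it imitates, and compares that against a small list of domains the checker treats as genuine. The `KNOWN_GOOD` set and the “last two labels” rule for the registrable domain are assumptions for the example (a real deployment would use a public-suffix list); the sample URLs are the two from the post.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption for this example: the only genuine domain for the brand under test.
KNOWN_GOOD = {"trezor.io"}


def hostname_of(url: str) -> str:
    """Return the lower-cased hostname of a URL without any trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def ascii_skeleton(host: str) -> str:
    """Decompose precomposed letters (e.g. U+1EB9 'ẹ' -> 'e' + combining dot
    below) and drop the combining marks, leaving the name the eye reads."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def punycode(host: str) -> str:
    """The ASCII-compatible (xn--) form that DNS actually sees; one label at a
    time, as the stdlib 'idna' codec does it."""
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return "<not encodable>"


def assess(url: str) -> dict:
    """Flag a URL whose hostname contains non-ASCII characters or whose
    visual skeleton imitates a known-good brand domain under another TLD."""
    host = hostname_of(url)
    findings = []

    non_ascii = [c for c in host if ord(c) > 127]
    if non_ascii:
        names = ", ".join(
            f"{c!r} (U+{ord(c):04X} {unicodedata.name(c, 'UNKNOWN')})" for c in non_ascii
        )
        findings.append(f"non-ASCII characters in hostname: {names}")

    skeleton = ascii_skeleton(host)
    if skeleton != host:
        findings.append(f"renders like {skeleton!r}")

    # Crude registrable-domain rule (assumption): last two labels.
    labels = skeleton.split(".")
    registrable = ".".join(labels[-2:]) if len(labels) >= 2 else skeleton
    brand = registrable.split(".")[0]
    for good in KNOWN_GOOD:
        if good.split(".")[0] == brand and registrable != good:
            findings.append(f"imitates {good} (registrable part would be {registrable})")

    return {
        "host": host,
        "punycode": punycode(host),
        "skeleton": skeleton,
        "suspicious": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    for link in ("https://suite.trẹzor.com", "https://trezor.io"):
        report = assess(link)
        print(link, "->", report["punycode"])
        for f in report["findings"]:
            print("   !", f)
```

Run it and the first link is reported with the dot-below character called out by name, the `xn--` label the resolver will use, the skeleton `suite.trezor.com`, and the note that a `.com` registrable domain is not `trezor.io`; the genuine link produces no findings. The same skeleton comparison catches a plain-ASCII `trezor.com` lookalike, which is the point the post makes about the real domain not being `.com`.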
So, don’t trust the email. Don’t click on the link. The genuine Trezor Suite doesn’t ask you for your wallet’s private keys and doesn’t store them online, but who knows what this bogus software might ask you to do.
If you do want to update your Trezor’s firmware or desktop software, go to the official Trezor website instead.
One question remains – how did the malicious email get sent to so many Trezor customers? Is it possible Trezor, or one of its marketing partners, has suffered a security breach that has exposed members of its mailing list?
Update:
Trezor says it is investigating whether an opt-in mailing list it runs at MailChimp may have been breached. That would certainly explain how Trezor customers were targeted.
Sources inside Trezor tell me that this “was an inside job by a MailChimp rogue employee.”
That’s how they targeted Trezor users in this highly-convincing attack.
Hear more views on this incident in this episode of the award-winning “Smashing Security” podcast, with me, Carole Theriault, and special guest Zoë Rose.
Smashing Security #269: 'Trezor Deep Throat, a CCTV stalker, and Amazon's list of banned words'
Cheers, it's what I thought, confirmed.
Clicked on the link to see if the site looked dodgy; looks like it halfway downloaded the so-called 'new update' or whatever.
Not connected the Trezor or been asked for any info / seed etc.
What should I do now to get this potential malware off?
I fell for it. It immediately drained 90% of everything in my Trezor wallet. What do I do now?
If funds have been taken from your wallet then there may not be much you can do at all… other than be grateful it wasn't 100%… :(
I think my Trezor wallet has been hacked. I tried logging into my account yesterday. I could not log in. I clicked on what I thought was a recovery site. It had a chat option. I put my phone number in the chat. A form came up to place my 24-word recovery words in. I did this twice along with my PIN number. Someone called me with an Indian accent and said he couldn't help me. He knew how much was in my account. He said my account had been crashed. Then silence. What can I do to recover my account?
You tell people not to follow links in email but helpfully link to the "official Trezor website". For all we know, that link could be malicious. After all, I don't know you. Train people the right way. Tell them to Google it then bookmark it.
Although there have also been plenty of occasions where cybercriminals have poisoned search engine results – or bought ads on search engines – to direct unsuspecting users to fake websites as well.
Nothing's easy is it?
Using a third-party service (MailChimp) for their newsletter was not a great idea, especially when handling sensitive information.
I checked out their domain trezor.io with uBlock Origin, and it's full of third-party services. Ideally, only trezor.io and sub-domains should be listed:
trezor.io
shop.trezor.io
adform.net
track.adform.net
ads-twitter.com
static.ads-twitter.com
akadns.net
track-eu.adformnet.akadns.net
track.adform.net
edgecastcdn.net
cs41.wac.edgecastcdn.net
platform.twitter.com
facebook.net
connect.facebook.net
fbcdn.net
scontent.xx.fbcdn.net
connect.facebook.net
google-analytics.com
www.google-analytics.com
google.com
www-google-analytics.l.google.com
www.google-analytics.com
www-googletagmanager.l.google.com
www.googletagmanager.com
googletagmanager.com
www.googletagmanager.com
twitter.com
platform.twitter.com
twitter.map.fastly.net
platform.twitter.map.fastly.net
static.ads-twitter.com
I was beside myself with panic but checked the email properties and saw .us where I was expecting .io! I then did a google search of the mail subject line and found this post of yours… Thanks so much for putting my mind at rest and I truly feel for anyone that fell for this despicable scam…
Thank you for the heads up. We need to stay aware of the bad players out there.
Got the email, but did not fall for it. Went to trezor.io to update trezor suite.
A long-time IT security "expert" and I fell for this hook, line and sinker. Fortunately for me the device I read the email on wasn't the device I use for accessing my Trezor so I didn't click the link. I updated Trezor Suite from Trezor Suite and then changed my PIN just in case.
My excuse for falling for this is that I am terrified every time I connect my Trezor; firmware updates are always problematic and I'm always expecting to see a zero balance!
What caught my attention in the podcast (though I may have missed something in the blog post) is that Trezor is totally absolved. People pay a premium for hardware wallets, mostly for the security benefits. If any software installed on the desktop can break this security, this is (excuse my French) a total scam. There's a *lot* they could do (e.g. a screen on the HW token, an on-board approve button, even as simple as a beep+delay) and yet the Trezor product quietly lets malware empty out the wallet.
I had all my coins stolen from my Trezor even though I had not connected it for a few months. How did this happen? When I contacted Trezor they were not helpful at all, just told me to contact the authorities, even though my money had been sent to a Binance account. When I contacted Binance to tell them, they found the account and said my money had been withdrawn and are not willing to get it back for me, even though they know who has taken it. Is this against the law or legal?