Owners of hardware Trezor cryptocurrency wallets should be on their guard after an email was sent out by thieves attempting to dupe them into downloading new software to their devices.
The emails claim that Trezor, which has been making physical USB-connected devices to protect the cryptocurrency and tokens of users since 2014, “experienced a security incident” yesterday that breached the data of 106,856 of its customers.
Here’s a screenshot of the email, which has the subject line “Your Trezor Suite might be compromised”:
Part of the email reads:
“At this moment, it’s technically impossible to accurately assess the scope of the data breach. Due to these circumstances, if you’ve recently accessed your wallet using Trezor Suite, we must assume that your cryptocurrency assets are at risk of being stolen.”
However, in reality, the email is not from Trezor at all – but is instead an attempt to dupe unsuspecting owners of Trezor devices into downloading a bogus version of the company’s desktop suite software from a lookalike website.
If you were unfortunate enough to click on the link offered in the email you would find yourself taken to:
Notice anything odd about that? Take a closer look.
Now you’ll hopefully notice that there is an underdot under the letter “e” in “trẹzor” in that URL. And that means you’re not going to the real Trezor website (which is at https://trezor.io – the real domain is not even .com!)
This is known as a Unicode domain phishing attack.
So, don’t trust the email. Don’t click on the link. The genuine Trezor Suite doesn’t ask you for your wallet’s private keys and doesn’t store them online, but who knows what this bogus software might ask you to do.
If you do want to update your Trezor’s firmware or desktop software, go to the official Trezor website instead.
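The check below is an added example, not code from Trezor or from the original article. It shows how a mail filter or link checker could flag this kind of lookalike hostname by decoding punycode labels, stripping combining marks and comparing the result with an allowlist. The allowlist contents, the function names and the sample links are assumptions made for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption: allowlist holds only the genuine domain named in the article.
TRUSTED_DOMAINS = {"trezor.io"}

def decode_host(host):
    """Convert any punycode (xn--) labels back to Unicode for inspection."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label
        labels.append(label)
    return ".".join(labels)

def skeleton(label):
    """Decompose accented letters and drop the combining marks (ẹ -> e)."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()

def classify_link(url, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'homograph', 'untrusted-domain', 'non-ascii' or 'other'."""
    host = decode_host(urlsplit(url).hostname or "")
    if any(host == d or host.endswith("." + d) for d in trusted):
        return "trusted"
    brands = {d.split(".")[0] for d in trusted}
    labels = host.split(".")
    if any(not l.isascii() and skeleton(l) in brands for l in labels):
        return "homograph"          # brand name spelled with accented letters
    if any(l in brands for l in labels):
        return "untrusted-domain"   # right name, wrong registrable domain
    if not host.isascii():
        return "non-ascii"          # NFKD does not fold cross-script letters
    return "other"

if __name__ == "__main__":
    # Constructed sample links, modelled on the article's description.
    for link in ("https://trezor.io/", "https://sub.trezor.io/page",
                 "https://trẹzor.com/", "https://trezor.com/"):
        print(f"{classify_link(link):18} {link}")
```

Stripping combining marks only catches accent-based lookalikes such as the underdot here; letters borrowed from another script fall into the “non-ascii” bucket and need a confusables table to resolve.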
One question remains – how did the malicious email get sent to so many Trezor customers? Is it possible Trezor, or one of its marketing partners, has suffered a security breach that has exposed members of its mailing list?
Trezor says it is investigating whether an opt-in mailing list it runs at MailChimp may have been breached. That would certainly explain how Trezor customers were targeted.
Sources inside Trezor tell me that this “was an inside job by a MailChimp rogue employee.”
That’s how they targeted Trezor users in this highly convincing attack.
Hear more views on this incident in this episode of the award-winning “Smashing Security” podcast, with me, Carole Theriault, and special guest Zoë Rose.