Trezor fell victim to a phishing campaign this weekend. The company said it was already investigating the matter and warned users against opening suspicious emails.
It all started when several users reported on Twitter that they had received emails asking them to download the app from the “trezor.us” domain. Trezor’s official domain, however, is “trezor.io”. The company later confirmed that the email addresses of the users who received the phishing emails came from a database of people subscribed to the Mailchimp newsletter.
In the email that the fraudsters sent to Trezor customers, one could read:
We regret to inform you that Trezor has experienced a security incident involving data belonging to 106,856 of our customers and that the wallet associated with your email address is among those affected by the breach.
The scammers offered users a solution to the problem: they instructed them to download the latest Trezor Suite in order to set a new seed phrase on their hardware wallet. The email also included a “Download latest version” button that directed users to a phishing page. Once a user entered the seed phrase, it went straight into the hands of the hackers.
Reports also suggest that the scammers behind the attack downloaded the source code of the original Trezor Suite (since it is open-source) and created their own modified fake app that looks identical to the legitimate one. The fake software, ironically, also had a banner at the top of the screen that warned users of phishing attacks.
Confirmation from Trezor
In its statement, Trezor revealed that the phishing attack was carried out by a “person inside” Mailchimp.
The company also warned that it would not communicate through the newsletter until the situation was resolved and urged its users not to open any emails that appear to have come from it until further notice.