An ongoing phishing campaign is pretending to be Trezor data breach notifications attempting to steal a target’s cryptocurrency wallet and its assets.
Trezor is a hardware cryptocurrency wallet where users can store their cryptocurrency offline rather than in cloud-based wallets or wallets stored on their devices. Using a hardware wallet like Trezor adds protection from malware and compromised devices, as the wallet is not meant to be connected to your PC.
When setting up a new Trezor wallet, users are given a 12 or 24-word recovery seed that can be used to recover a wallet if a device is stolen, lost, or malfunctions.
However, anyone who gains access to this seed can also restore the wallet on their own devices, making them juicy targets for threat actors.
Massive phishing campaign targets Trezor users
Starting on February 27th, Trezor customers began receiving SMS and email phishing messages stating that Trezor had suffered a data breach. These messages prompt the target to visit a listed website to secure their device.
“Trezor Suite has recently endured a security breach, assume all your assets are vulnerable. Please follow the security procedure to secure your assets: [phishing-site],” reads the fake Trezor data breach warning messages.
BleepingComputer received one of these phishing emails. A security researcher known as Mich has also been receiving and reporting the numerous SMS phishing texts they have received, as shown below.
Trezor phishing delivered via SMS
When visiting the listed domain, visitors will be shown a fake Trezor site that states, “Your assets might be at risk!” and then prompts you to start securing your wallet.
Landing page for Trezor phishing site
When users click the ‘Start’ button, they will ultimately be prompted to enter their recovery seed, which the threat actors will then steal.
Once a recovery seed is stolen, it is game over for the wallet owner, as the threat actors will likely quickly transfer any assets to another address under their control.
Therefore, it is vital to never share your wallet’s recovery passwords, seeds, or phrases with anyone else or enter them on any sites.
Trezor is aware of the phishing campaign and warned users to beware of phishing SMS and emails warning of a fake data breach. The company also states that they have not found any evidence of a recent data breach in its systems.
“Beware of the active phishing scam! The attackers contact the victims via phone call, SMS and/or email to say that there’s been a security breach or suspicious activity on their Trezor account,” tweeted Trezor.
“Please ignore these messages as they are not from Trezor.”
“We have not found any evidence of a recent database breach. We will never contact you via calls or SMS.”
While it is not known how the threat actors are targeting Trezor customers’ phone numbers and email addresses, it could be through a marketing list stolen in a MailChimp breach in March 2022.
MailChimp told BleepingComputer then that the threat actors stole data from 102 customers, with most in the cryptocurrency and finance sectors.
The threat actors soon used Trezor’s marketing list to send a massive wave of fake data breach notifications in April 2022, leading to a site hosting a fake Trezor Suite.
When installed, this Trezor Suite would prompt the user to enter their recovery seed, which was then transmitted back to the threat actors.
While the current phishing campaign is not using fake software, the threat actors are still attempting to steal your recovery seed. Therefore, as we said earlier, and it warrants repeating, never share your recovery seed with anyone or on any site.