A recently identified cyberattack used a compromised Trezor hardware wallet mailing list to send fake data breach notices, with the aim of stealing the recovery seeds that unlock victims' crypto wallets and the financial assets they hold.

Trezor is a type of hardware crypto wallet that lets users store their cryptocurrency assets offline, rather than using commonly chosen alternatives such as cloud-based wallets or wallets stored on a personal PC, which are considered more exposed to theft.

When setting up a new Trezor, the device displays a recovery seed of between 12 and 24 characters that lets owners recover their wallets if the device is ever lost or stolen.

Unfortunately, anyone who knows this recovery seed can access the crypto wallet and the assets it holds. For that reason, it is crucial that the recovery seed is always kept in a safe place.

Fake data breach notices issued

In the recent campaign, owners of Trezor hardware crypto wallets began receiving data breach notices. The fake notifications urged recipients to download a bogus Trezor Suite application designed to steal their recovery seeds.

In a post on Twitter, Trezor confirmed that the malicious emails were a targeted phishing attack sent through one of its own opt-in newsletters, which is hosted by MailChimp. Trezor later said that MailChimp had confirmed its service was compromised by an insider who was targeting companies in the cryptocurrency sector.

A deep dive into the Trezor attack

The phishing attack began with Trezor hardware wallet owners receiving fake security incident messages posing as an authentic data breach notification.

The fake message read:

“We regret to inform you that Trezor has experienced a security incident involving data belonging to 106,856 of our customers, and that the wallet associated with your e-mail address [email here] is within those affected by the breach.”

These fake emails state that the company does not yet know the full extent of the breach, and that wallet owners should download the latest version of Trezor Suite to set a new PIN for their crypto wallet.

The malicious message includes a ‘Download Latest Version’ button that leads the recipient to a dedicated phishing website, which is shown in the browser under the address suite.trezor.com.

The phishing site actually uses a Punycode (internationalised) domain name: Cyrillic or accented characters that look like Latin letters let the threat actors impersonate trezor.com. Note that the authentic Trezor domain is trezor.io, not trezor.com.
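The homograph trick described above is something a mail filter or link scanner can check for mechanically. The following is an added example written for this article, not code from Galaxkey or Trezor: it converts a displayed domain to its DNS (xn--) form with Python's built-in idna codec, reports whether the letters mix scripts or contain non-ASCII characters, reduces the name to the ASCII "skeleton" a reader would perceive, and compares that skeleton against a protected brand. The confusables table, the protected-brand list and the sample domains are all constructed for the example (they are not the exact strings used in the attack), and treating the second-to-last label as the brand label is a simplification that ignores multi-part public suffixes.

```python
import unicodedata

# Constructed lookalike table (Cyrillic letter -> the Latin letter it resembles).
# Deliberately small; a production check would use the full Unicode confusables data.
CONFUSABLES = {
    "\u0430": "a",  # а
    "\u0435": "e",  # е
    "\u043e": "o",  # о
    "\u0440": "p",  # р
    "\u0441": "c",  # с
    "\u0445": "x",  # х
    "\u0443": "y",  # у
    "\u0456": "i",  # і
    "\u0458": "j",  # ј
}

# Brand label worth protecting -> the legitimate domain the article names.
PROTECTED_BRANDS = {"trezor": "trezor.io"}


def script_of(ch: str) -> str:
    """Coarse script name for one character (LATIN, CYRILLIC, ...), COMMON for non-letters."""
    if not ch.isalpha():
        return "COMMON"
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def skeleton(label: str) -> str:
    """Reduce a label to the ASCII string a human would read it as."""
    out = []
    for ch in unicodedata.normalize("NFKD", label.lower()):
        if unicodedata.combining(ch):  # drop accents such as the acute in é
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def to_punycode(domain: str) -> str:
    """ASCII (xn--) form as it appears in DNS and in most browser address bars."""
    return domain.encode("idna").decode("ascii")


def analyse(domain: str) -> dict:
    """Return homograph indicators and the brand (if any) this domain impersonates."""
    labels = domain.lower().rstrip(".").split(".")
    scripts = {script_of(ch) for ch in domain if ch.isalpha()}
    skel_labels = [skeleton(label) for label in labels]
    skel_domain = ".".join(skel_labels)
    # Simplification: second-to-last label is the brand label (ignores suffixes like co.uk).
    brand = skel_labels[-2] if len(skel_labels) >= 2 else skel_labels[0]
    legit = PROTECTED_BRANDS.get(brand)
    # A protected brand is impersonated when the perceived name is neither the
    # legitimate domain itself nor one of its subdomains.
    impersonates = None
    if legit and skel_domain != legit and not skel_domain.endswith("." + legit):
        impersonates = legit
    return {
        "punycode": to_punycode(domain),
        "non_ascii": any(ord(ch) > 127 for ch in domain),
        "mixed_scripts": len(scripts) > 1,
        "skeleton": skel_domain,
        "impersonates": impersonates,
        "suspicious": impersonates is not None,
    }


if __name__ == "__main__":
    # Constructed samples: the legitimate domain, a Cyrillic-е lookalike and an accented lookalike.
    for d in ["trezor.io", "suite.tr\u0435zor.com", "tr\u00e9zor.com"]:
        r = analyse(d)
        print(f"{d!r:24} -> {r['punycode']:26} mixed_scripts={r['mixed_scripts']} "
              f"suspicious={r['suspicious']} impersonates={r['impersonates']}")
```

The `punycode` field is the value worth showing users and logging: a link whose displayed host reads as a known brand but whose DNS form starts with `xn--` is the single most reliable indicator of this class of phishing, and it survives even when the lookalike character is one the small confusables table above does not know about.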

The bogus site then prompts users to download the fake Trezor Suite application. When Trezor wallet owners connect their hardware to the fake app, it asks them to enter their recovery phrase. As soon as they enter the 12-to-24-character code, it is sent straight to the threat actors.

With the recovery phrase in hand, the cybercriminals can then steal crypto assets from their victims.

Help defend against phishing attacks

Galaxkey’s email filtering within the platform blocks these malicious attempts to help prevent damage and give you peace of mind. Contact us to arrange a free 14-day trial, book a demonstration, or simply find out more.