Fake Trezor data breach emails used to steal cryptocurrency wallets

A compromised Trezor hardware wallet mailing list was used to send fake data breach notifications to steal cryptocurrency wallets and the assets stored therein.

Trezor is a cryptocurrency hardware wallet that allows you to store your crypto assets offline, rather than using cloud-based wallets or wallets stored on your PC which are more vulnerable to theft.

When setting up a new Trezor, a 12-24 word recovery seed will be displayed, allowing owners to recover their wallet if their device is stolen or lost.

However, anyone with knowledge of this recovery seed can access the wallet and its stored cryptocurrencies, making it vital to store the recovery seed in a safe place.

Starting today, owners of Trezor hardware wallets have been receiving fake data breach notifications that trick recipients into downloading fake Trezor Suite software designed to steal their recovery seeds.

Trezor confirmed on Twitter that these emails were a phishing attack sent through one of their opt-in newsletters hosted on MailChimp.

Trezor later said that MailChimp had confirmed that its service had been compromised by an “insider” targeting cryptocurrency companies.

Tweet from Trezor

BleepingComputer has contacted MailChimp to inquire about this compromise but has not yet received a response.

A Closer Look at the Trezor Attack

The phishing attack began when the owners of the Trezor hardware wallet received fake security incident emails claiming to be a data breach notification.

“We regret to inform you that Trezor experienced a security incident involving data belonging to 106,856 of our customers, and the wallet associated with your email address [email here] is among those affected by the breach,” reads a fake Trezor data breach phishing email.

Fake Trezor Data Breach Notification (Source: Twitter)

These fake data breach emails claim that the company does not yet know the extent of the breach and that owners should download the latest Trezor Suite to set up a new PIN on their hardware wallet.

The email includes a “Download Latest Version” button that takes the recipient to a phishing site that appears in the browser as suite.trezor.com.

However, the website is a domain name using Punycode, which allows attackers to impersonate the trezor.com domain using accented or Cyrillic characters; the actual domain name is suite.xn--trzor-o51b[.]com.

It should be noted that the legitimate Trezor website is trezor.io.

This fake site prompts users to download the Trezor Suite application as shown below.

Phishing site pushing fake Trezor Suite (Source: BleepingComputer)

In addition to suite.xn--trzor-o51b[.]com, threat actors have also created phishing sites at the URLs:

http://trezorwallet[.]org/
trezor[.]us
http://suite.trezoriovpjcahpzkrewelclulmszwbqpzmzgub37gbcjlvluxtruqad[.]onion/ (Tor site)
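To show what the Punycode domain above actually resolves to in a browser, and how a defender can flag it and the other lookalike hostnames just listed, here is an added Python example that is not part of the original article or of Trezor's own software. It decodes each xn-- label with the standard-library punycode codec, lists any non-ASCII characters by their Unicode name, collapses accented letters to a crude "skeleton" so that a dotted e compares equal to a plain e, and reports hostnames whose skeleton contains a protected brand while the registrable domain is not on an allowlist. The brand list, the trezor.io allowlist and the two-label "registrable domain" shortcut are assumptions for the example (a real deployment would use the Public Suffix List and the full UTS #39 confusables table); the hostnames in the demo are the ones named on this page.

```python
import codecs
import unicodedata

# Assumption for this example: brands to protect, mapped to the domains known
# to be legitimate for them. trezor.io is the legitimate site named on the page.
PROTECTED_BRANDS = {"trezor": {"trezor.io"}}


def decode_idn(hostname: str) -> str:
    """Turn every xn-- (Punycode) label of a hostname back into Unicode."""
    labels = []
    for label in hostname.strip().lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            # The punycode codec expects the label without its ACE prefix.
            label = codecs.decode(label[4:].encode("ascii"), "punycode")
        labels.append(label)
    return ".".join(labels)


def skeleton(text: str) -> str:
    """Crude confusable skeleton: decompose accented letters (NFKD) and drop
    the combining marks, so 'tr\u1eb9zor' collapses to 'trezor'. This only
    catches diacritic-based lookalikes, not Cyrillic or other script mixes."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if unicodedata.category(ch) != "Mn")


def registrable_domain(hostname: str) -> str:
    """Last two labels; a real deployment would consult the Public Suffix List."""
    return ".".join(hostname.split(".")[-2:])


def homograph_check(hostname: str, brands=PROTECTED_BRANDS) -> dict:
    """Report non-ASCII characters, diacritic lookalikes of a protected brand,
    and brand names used outside the allowlisted domains."""
    decoded = decode_idn(hostname)
    non_ascii = [(ch, unicodedata.name(ch, "UNKNOWN"))
                 for ch in decoded if ord(ch) > 127]
    sk = skeleton(decoded)
    sk_labels = sk.split(".")
    ascii_labels = hostname.lower().split(".")
    # A label that equals the brand only after stripping marks is a homograph.
    lookalike_of = [b for b in brands if b in sk_labels and b not in ascii_labels]
    # Brand string inside any label, but the domain is not one the brand owns.
    brand_in_name = [b for b, legit in brands.items()
                     if any(b in lab for lab in sk_labels)
                     and registrable_domain(sk) not in legit]
    return {
        "hostname": hostname,
        "decoded": decoded,
        "non_ascii": non_ascii,
        "lookalike_of": lookalike_of,
        "brand_in_name": brand_in_name,
        "suspicious": bool(lookalike_of or brand_in_name),
    }


if __name__ == "__main__":
    # Hostnames taken from the article (defanging removed), plus the legit site.
    for host in ["suite.xn--trzor-o51b.com", "trezorwallet.org", "trezor.us",
                 "suite.trezoriovpjcahpzkrewelclulmszwbqpzmzgub37gbcjlvluxtruqad.onion",
                 "suite.trezor.io"]:
        report = homograph_check(host)
        flag = "SUSPICIOUS" if report["suspicious"] else "ok"
        print(f"{flag:10} {host} -> {report['decoded']} {report['non_ascii']}")
```

Running the script shows that suite.xn--trzor-o51b.com renders as suite.trẹzor.com, with the only non-ASCII character being U+1EB9 (LATIN SMALL LETTER E WITH DOT BELOW), which is why the address bar looks like suite.trezor.com at a glance. The same check is cheap enough to run over proxy or DNS logs for any brand you care about.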

When a visitor downloads the desktop application, they receive a fake Trezor Suite application from the phishing site named “Trezor-Suite-22.4.0-win-x64.exe”.

As you can see below, the legit Trezor Suite app is signed using a certificate for “Satoshi Labs, sro” (left), while the fake Windows version [VirusTotal] is signed by a certificate from “Neodym Oy” (right).

Comparison of digital signatures for fake and legit Trezor Suite downloads (Source: BleepingComputer)

As Trezor Suite is open source, the threat actors have downloaded the source code and built their own modified application, which looks identical to the original, legitimate application.

Ironically, this fake suite even includes Trezor’s warning banner about phishing attacks at the top of the app’s screen.

Fake Trezor Suite software (Source: BleepingComputer)

However, once Trezor owners connect their device to the fake Trezor Suite app, they will be prompted to enter their 12-24 word recovery phrase, which will be sent back to the threat actors.

Once the threat actors have a victim's recovery phrase, they can import it into their own wallets and steal the victim's cryptocurrency assets.

A nearly identical attack targeted owners of Ledger hardware crypto wallets, using phishing emails that led to fake Ledger Live software.

What should Trezor owners do?

First, never enter your recovery seed into an app or website. The seed should only be entered directly on the Trezor device you are trying to recover.

As it is easy to create similar domains that pretend to be legitimate sites, when it comes to cryptocurrency and financial assets, always type the domain you are trying to reach into your browser rather than rely on links in emails.

This way you know you are going to the legitimate site rather than a site that is impersonating it.

Also, the official Trezor website is at trezor.io, so other domains, such as trezor.com, are not tied to the crypto hardware wallet company.

Finally, ignore all emails claiming to be from Trezor stating that you have been affected by a recent data breach. If you are concerned, rather than clicking on the link in those emails, contact Trezor directly for more information.
