Trezor warns of massive crypto wallet phishing campaign

An ongoing phishing campaign purports to be Trezor data breach notifications attempting to steal a target's cryptocurrency wallet and assets.

Trezor is a hardware cryptocurrency wallet where users can store their cryptocurrency offline instead of in cloud-based wallets or wallets stored on their devices. Using a hardware wallet like Trezor adds protection against malware and compromised devices, since the wallet is not designed to connect to your PC.

When setting up a new Trezor wallet, users receive a 12 or 24 word recovery seed that can be used to recover a wallet if a device is stolen, lost, or malfunctions.

However, anyone who gains access to this seed can also restore the wallet to their own devices, making them juicy targets for threat actors.

Mass Phishing Campaign Targeting Trezor Users

Starting February 27, Trezor customers began receiving phishing SMS and email messages stating that Trezor had suffered a data breach. These messages ask the target to visit a listed website to protect their device.

"Trezor Suite recently suffered a security breach, assume all your assets are vulnerable. Please follow the security procedure to protect your assets: [phishing-site]", reads the fake Trezor data breach warning message.

BleepingComputer received one of these phishing emails. A security researcher known as Mich has also been receiving and reporting the numerous phishing SMS text messages sent to them, as shown below.
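The lure quoted above combines three things a mail or SMS gateway can key on: the brand name, breach or urgency wording, and a link that does not resolve to the vendor's own domain. The following triage filter is an added example written for this article; it is not code from BleepingComputer, Trezor or the researcher quoted here. The sample messages are constructed to mimic the wording reported above, and the allow-list of trusted domains (`trezor.io`) is an assumption you would replace with your own configuration.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages (not real captures): two lures modelled on the
# wording quoted in the article, one benign note that links to the real domain,
# and one unrelated message.
SAMPLE_MESSAGES = [
    "Trezor Suite recently suffered a security breach, assume all your assets are "
    "vulnerable. Please follow the security procedure to protect your assets: "
    "https://trezor-security-check.example/recover",
    "URGENT: suspicious activity on your Trezor account. Verify your wallet at "
    "http://suite.trezor-wallet-update.example/start",
    "Reminder: Trezor Suite release notes are published at https://trezor.io/",
    "Your parcel is out for delivery today.",
]

# Assumed configuration: the vendor's legitimate domain. Subdomains of an entry
# are trusted; look-alike domains that merely contain the name are not.
TRUSTED_DOMAINS = {"trezor.io"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
BRAND_RE = re.compile(r"\btrezor\b", re.IGNORECASE)
# Breach/urgency phrases and requests for the one secret a wallet vendor never needs.
LURE_RE = re.compile(
    r"\b(security\s+breach|data\s+breach|suspicious\s+activity"
    r"|assets?\s+(are|could\s+be)\s+(vulnerable|at\s+risk)"
    r"|recovery\s+seed|seed\s+phrase)\b",
    re.IGNORECASE,
)


def is_trusted_host(host: str) -> bool:
    """True only for the trusted domain itself or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def classify(message: str) -> dict:
    """Flag a message that names the brand, uses lure wording, and links off-domain."""
    urls = URL_RE.findall(message)
    hosts = [urlparse(u).hostname or "" for u in urls]
    untrusted = [h for h in hosts if not is_trusted_host(h)]
    brand = bool(BRAND_RE.search(message))
    lure = bool(LURE_RE.search(message))
    flagged = brand and lure and bool(untrusted)
    return {
        "flagged": flagged,
        "brand": brand,
        "lure": lure,
        "untrusted_hosts": untrusted,
    }


def triage(messages):
    """Classify a batch of messages; returns one result dict per message."""
    return [classify(m) for m in messages]


if __name__ == "__main__":
    for msg, result in zip(SAMPLE_MESSAGES, triage(SAMPLE_MESSAGES)):
        print("FLAGGED " if result["flagged"] else "ok      ", msg[:60], result["untrusted_hosts"])
```

The filter is deliberately coarse: it is meant to surface candidates for quarantine or user warning, not to prove a message is phishing, and a lure that uses a URL shortener or no link at all (the phone-call variant Trezor mentions) will pass it. The suffix check in `is_trusted_host` matters because `trezor.io.evil.example` and `trezor-security-check.example` both contain the brand name but are not subdomains of the vendor's domain.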

Trezor phishing delivered via SMS (Source: Mich)

Upon visiting the listed domain, visitors are shown a fake Trezor site stating "Your assets could be at risk!" that then asks them to start securing their wallet.

Trezor Phishing Site Landing Page (Source: Urlscan)

When users click the 'Start' button, they will eventually be asked to enter their recovery seed, which is then stolen by threat actors.

Once a recovery seed is stolen, it's game over for the wallet owner, as threat actors are likely to quickly transfer any assets to another address under their control.

Therefore, it is vital to never share your wallet recovery passwords, seeds or phrases with anyone else or enter them anywhere.

Trezor is aware of the phishing campaign and has warned users to beware of phishing SMS and emails warning of a fake data breach. The company also claims that they have not found any evidence of a recent data breach on their systems.

"Beware of active phishing scam! Attackers contact victims via phone calls, SMS, and/or emails to inform them that there has been a security breach or suspicious activity on their Trezor account." Trezor tweeted.

Please ignore these messages as they are not from Trezor.

"We have not found any evidence of a recent database breach. We will never contact you via calls or SMS."

While it is not known how threat actors obtained the phone numbers and email addresses of Trezor customers, one possibility is the marketing list stolen in a MailChimp breach in March 2022.

MailChimp told BleepingComputer that threat actors stole data from 102 customers, mostly in the cryptocurrency and financial sectors.

Threat actors soon used Trezor's marketing list to send out a massive wave of fake data breach notifications in April 2022, leading to a site hosting a fake Trezor Suite.

When installed, this fake Trezor Suite prompted the user to enter their recovery seed, which was then passed on to the threat actors.

While the current phishing campaign doesn't use fake software, threat actors still try to steal your recovery seed. So, as we said earlier, and it bears repeating, never share your recovery seed with anyone or anywhere.
