A number of Trezor customers have received fake communications regarding their Trezor hardware wallets. The attackers appear to be using data from a competitor to find customers who also own a Trezor. If you have received a message as pictured below or of similar nature, asking you to verify something and follow a link, simply ignore it or report it using the Trezor support form.
Trezor will never ask for your recovery seed, and will never communicate with you by text regarding your device. Do not trust anyone asking for your recovery seed; providing it will compromise your account and allow anyone to take your coins.
The timing and scope of this phishing scheme suggests it is a second wave of attacks resulting from a breach of our competitor’s e-commerce database. Malicious actors who acquired the data from that attack are blindly targeting Ledger customers whom they presume may also own a Trezor wallet. If you happen to own devices from different manufacturers, please be very cautious when opening any communication and report any message that appears to be an attempt at phishing for data, such as a request for seed words.
Trezor customer data has not been leaked. We continue to operate under a policy where we anonymize all customer data from e-commerce within 90 days, once it is no longer needed to complete the order, and will even remove customer data manually if requested before that. Any data leak that is currently affecting customers is likely to be a result of a competitor’s breach which took place this summer. Please, rest assured that the attackers do not appear to know if the people they have targeted do in fact own a Trezor. If you are targeted, simply report the message and do not interact with the sender.
The attackers may have bought competitors’ customer data from a dark market, where breached data is often sold, allowing them to send malicious links to any contacts listed in that data. The scammer is sending links to a fake version of the Trezor website, a replica of wallet.trezor.io, which has been modified to ask visitors for their recovery seed, completely exposing their coins. Once the user enters their seed on the fake webpage, the attacker simply replicates their wallet and sends the funds to an address they own.
The page created by the attacker does not exist in the real Trezor wallet. You will not be asked to enter your seed anywhere other than on your Trezor device. Learn how to look after your recovery seed, it is the most crucial part of protecting your bitcoin.
Attacks like this have been seen before, and they will continue to rise in number, as long as Bitcoin’s price remains high enough to make it worth the effort. Awareness is key, and there are many resources to share with others to inform them about the dangers. There is, unfortunately, no way to prevent these types of attacks from taking place; this particular attack is related to demographic data of hardware wallet users in general, and data breaches of data from advertisers or other cryptocurrency vendors could result in similar mass attacks to the ones we have seen recently.
The basics of keeping cryptocurrency safe are quite easy to grasp:
- Never digitize your recovery seed or share it with anyone, not even Trezor employees.
- Perform every important action using your hardware wallet, including recovery seeds.
- Double-check the URL and SSL certificates when you access any site where you manage funds.
Security is enhanced through following general good practice for online accounts and e-commerce:
- Use throwaway email addresses wherever possible.
- Do not provide personal data without a good reason.
- Use a pick up point for physical delivery when possible.
As long as you follow these guidelines, you should never be exposed to a data leak in the first place, but if you are you will be aware of how to avoid being compromised: do not give away your seed and always confirm things on your device, and no one will ever gain access to your funds.
Unfortunately, a lapse in attention is enough to cause catastrophic losses, even if you’re experienced. Security should be made into an uncompromising habit: for example, you must always check the address shown on your Trezor is correct, even if it’s the tenth transaction you have sent in a row. If you encounter anything suspicious, don’t risk it, contact us directly using our support form and we’ll help assess any potential threats.