A new campaign targeting Trezor hardware wallet users is in the wild, where hackers are mailing them with fake breach notifications and asking them to download a fake Trezor app.

The motive of this campaign is to steal the Trezor wallet recovery phrase of the users and eventually steal their cryptocurrency balances. Trezor later confirmed that their mailing list was hacked at the end of MailChimp, their mailbox partner. Thus, users are advised to be vigilant about this campaign.

Phishing Campaign Targeting Trezor Users

Trezor is one of the best and most reliable hardware wallets. It lets you store your cryptocurrency in an offline mode, rather than on your internet-connected PC or in some cloud platform. Since it’s safer, people may feel relaxed having their stuff stored in it.

But there’s a campaign targeting them too, with a fake data breach notification spread through a stolen mailing list from MailChimp, Trezor’s emailing partner. Trezor today confirmed that their users’ mailing list was compromised by MailChimp “insider” targeting cryptocurrency companies.

This led the hackers to send phishing emails to Trezor users, citing a fake data breach incident and asking users to download and login into the latest Trezor suite app. And when unsuspecting users download and install the fake Trezor app they set, it asks them to log in and set a new PIN to secure their wallets.

This process involves entering the 12-14 word recovery phrase of their Trezor wallet, which is transported to the hacker’s C2. This is then used for stealing the users’ cryptocurrency from compromised wallets easily, and remotely.

Hackers are seen downloading the fake Trezor suite app from a domain called a suite.xn--trzor-o51b[.]com, which was tuned to suite.trezor.com by hackers using accented or Cyrillic characters. Other similar domains of this campaign include;

http://suite.trezoriovpjcahpzkrewelclulmszwbqpzmzgub37gbcjlvluxtruqad[.]onion/ (Tor site)

The original domain of Trezor is Trezor.io, and anything that prompts you to download an app from unknown sources is a malicious one. So beware of the campaign, and avoid entering your recovery phrases in unknown apps or websites.


Please enter your comment!
Please enter your name here