A new campaign targeting Trezor hardware wallet users is in the wild: attackers are emailing them fake breach notifications that ask them to download a fake Trezor app.
The goal of the campaign is to steal users’ Trezor wallet recovery phrases and ultimately drain their cryptocurrency balances. Trezor later confirmed that its mailing list was compromised on the side of MailChimp, its email marketing provider. Users are therefore advised to be vigilant about this campaign.
Phishing Campaign Targeting Trezor Users
Trezor is one of the best-known and most trusted hardware wallets. It lets you store your cryptocurrency offline, rather than on your internet-connected PC or in a cloud service. Because that is safer, users may feel at ease with their holdings kept there.
But there is a campaign targeting them too, spreading a fake data breach notification through a mailing list stolen from MailChimp, Trezor’s email provider. Trezor today confirmed that its users’ mailing list was compromised by a MailChimp “insider” targeting cryptocurrency companies.
We are investigating a potential data breach of an opt-in newsletter hosted on MailChimp.
A scam email warning of a data breach is circulating. Do not open any email originating from [email protected], it is a phishing domain.
— Trezor (@Trezor) April 3, 2022
This allowed the attackers to send phishing emails to Trezor users citing a fake data breach incident and asking them to download and log in to the “latest” Trezor Suite app. When unsuspecting users download and install the fake Trezor app the attackers built, it asks them to log in and set a new PIN to “secure” their wallets.
@Trezor WARNING: Elaborate Phishing attack.
This morning I received this message to BOTH my email addresses. On the surface it looks like a genuine message but I noticed it came from https://t.co/6T8nY84R6A and as such deleted it immediately. You may want to warn everyone. pic.twitter.com/BQSB2uV1JW
— Life in DeFi (@lifeindefi) April 3, 2022
That process involves entering the 12-14 word recovery phrase of the user’s Trezor wallet, which is sent to the attacker’s C2 server. The phrase is then used to drain cryptocurrency from the compromised wallets, easily and remotely.
The fake Trezor Suite app is hosted on the domain suite.xn--trzor-o51b[.]com, a Punycode name that the attackers crafted to display like suite.trezor.com by substituting accented or Cyrillic characters. Other domains used in this campaign include:
http://trezorwallet[.]org/
trezor[.]us
http://suite.trezoriovpjcahpzkrewelclulmszwbqpzmzgub37gbcjlvluxtruqad[.]onion/ (Tor site)
Trezor’s genuine domain is Trezor.io, and anything that prompts you to download an app from an unknown source is malicious. So beware of this campaign, and never enter your recovery phrase into an unknown app or website.
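As an added example (not from the article, Trezor or MailChimp), the check below decodes a Punycode domain like the one above back to what a browser displays and flags it as a homograph of the brand, while also catching plain lookalike domains on other TLDs; the confusable table and the domain allowlist (Trezor.io, as stated above) are assumptions for this demo.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed, partial table of Cyrillic letters that render like Latin ones.
CYRILLIC_CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y",
}
LEGIT_DOMAINS = {"trezor.io"}  # the vendor's real domain, as the article states
BRANDS = {"trezor"}            # brand strings to look for in other domains

def hostname(value: str) -> str:
    """Accept a bare host, a full URL, or a defanged host such as trezor[.]us."""
    value = value.strip().replace("[.]", ".")
    if "://" in value:
        value = urlsplit(value).hostname or ""
    return value.lower().rstrip(".")

def decode_host(value: str) -> str:
    """Turn Punycode (xn--) labels back into the Unicode a browser would display."""
    labels = []
    for label in hostname(value).split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)

def skeleton(label: str) -> str:
    """Drop accents and swap confusable Cyrillic letters so lookalikes collapse to ASCII."""
    decomposed = unicodedata.normalize("NFKD", label)
    stripped = "".join(c for c in decomposed if unicodedata.category(c) != "Mn")
    return "".join(CYRILLIC_CONFUSABLES.get(c, c) for c in stripped)

def classify(value: str) -> str:
    """Return 'legitimate', 'homograph', 'lookalike-domain' or 'unrelated'."""
    labels = decode_host(value).split(".")
    if ".".join(labels[-2:]) in LEGIT_DOMAINS:
        return "legitimate"
    if any(skeleton(lab) in BRANDS and skeleton(lab) != lab for lab in labels):
        return "homograph"         # e.g. trẹzor.com, displayed to look like trezor.com
    if any(brand in skeleton(lab) for lab in labels for brand in BRANDS):
        return "lookalike-domain"  # brand name on a domain the vendor does not own
    return "unrelated"

if __name__ == "__main__":
    for sample in ("suite.trezor.io", "suite.xn--trzor-o51b[.]com",
                   "http://trezorwallet[.]org/", "trezor[.]us"):
        print(f"{sample:30} -> {decode_host(sample):22} {classify(sample)}")
```

The allowlist check uses only the last two labels, so a host such as trezor.io.evil[.]com is still flagged rather than trusted.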