Trezor users are being targeted in a multi-channel phishing campaign that attempts to trick them into disclosing their recovery seeds, which will allow their wallets to be stolen. Trezor provides hardware-based wallets for cryptocurrency, which are a more secure way of storing cryptocurrency than software-based wallets; however, that does not mean cryptocurrency cannot be stolen.
Users are provided with a 12-24-character seed or password when they set up their wallets so that the wallet can be restored if the device is lost, stolen, or damaged. That process naturally means Trezor wallets can be restored to any device, so it is vital that the recovery seed is protected. If an unauthorized individual has access to that seed, the wallet can be restored to any device and the cryptocurrency in that wallet can be stolen. It should come as no surprise that Trezor customers are being targeted in a phishing campaign as Trezor wallets can be extremely valuable.
Trezor has recently confirmed that a large-scale campaign is being conducted on its customers. The first stage of the attack involves a phone call, text message, or email. A variety of lures are used in these messages such as a notification that suspicious activity has been identified in the user’s Trezor account. That will naturally be of great concern to customers, and the attackers hope they will be sufficiently concerned to take immediate action to secure their wallets. Users are told, via call, SMS message, or email that they need to visit a website in order to secure their wallet. On the website, the user is told they must disclose their recovery seed as part of the process to secure their wallet.
Other lures include a message from Trezor Suite that there has been a security breach, rendering the customer’s assets vulnerable. If the link is clicked, the user is directed to a Trezor-branded website and is informed that “At this moment, it is technically impossible to accurately assess the scope of the data breach. Due to these circumstances, if you have recently used your Trezor Suite, we must assume that all of your assets are currently at risk.” They are then guided through a process to secure their assets. Completing that process, which involves disclosing the recovery seed, will ensure any assets in the wallet are permanently lost. Another advised customers that they need to upgrade their wallets due to the failure to complete the new Ethereum Merge.
Trezor has confirmed that it has investigated and failed to find any evidence of a data breach. It is therefore unclear how customer data has been obtained. Trezor has confirmed, via Twitter, that the company is aware that its customers are being targeted and said the company will never contact customers via the telephone or SMS message.