Emails Purporting to be From Trezor Used For Stealing Bitcoin Wallets 

A hacked Trezor hardware wallet mailing list was used to send out phony data breach notices to steal cryptocurrency wallets and their assets. Trezor is a hardware cryptocurrency wallet that lets users keep crypto assets offline instead of relying on cloud-based or PC-based wallets, which are more prone to theft.

When setting up a new Trezor, the owner is shown a 12- to 24-word recovery seed, which allows the wallet to be restored if the device is stolen or lost. However, anyone who knows the recovery seed can gain access to the wallet and its stored cryptocurrency, making it critical to keep the recovery seed safe.

Trezor hardware wallet customers have recently started getting data breach notices instructing them to download a bogus Trezor Suite program that steals their recovery seeds. Trezor stated on Twitter that the emails were phishing scams delivered through one of their MailChimp-hosted opt-in newsletters. 

According to Trezor, MailChimp admitted their service was infiltrated by an “insider” targeting bitcoin firms. The phishing attempt began when Trezor hardware wallet owners received fraudulent security incident emails purporting to be a data breach notice. 

“We regret to inform you that Trezor has experienced a security incident involving data belonging to 106,856 of our customers, and that the wallet associated with your e-mail address [email here] is within those affected by the breach,” the fake Trezor data breach phishing email states.

According to these bogus data breach emails, the firm does not know the scope of the compromise, and users should download the newest Trezor Suite to set up a new PIN on their hardware wallet. The email has a ‘Download Latest Version’ button that directs the recipient to a phishing site known as in the browser. 

However, the website uses a Punycode-encoded domain name, which allows attackers to mimic a legitimate domain using accented or Cyrillic letters; the actual domain name is suite.xn--trzor-o51b[.]com. It should be noted that is the official Trezor website. Users are prompted to download the Trezor Suite program on the phony website.
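A defender can flag this kind of lookalike by decoding each `xn--` label and folding it back toward ASCII. The following is an added example, not code from the article or from Trezor; the `PROTECTED` set and the small look-alike map are assumptions made for illustration, and it also covers the Cyrillic case the paragraph mentions.

```python
import unicodedata

# Brand labels to watch for; "trezor" is from the article, the set itself is an assumption.
PROTECTED = {"trezor"}

# Constructed subset of Cyrillic look-alikes (a, e, o, r-shaped p, c, x, y, i),
# not the full Unicode confusables table.
LOOKALIKES = str.maketrans(
    "\u0430\u0435\u043e\u0440\u0441\u0445\u0443\u0456", "aeopcxyi"
)


def decode_label(label):
    """Return the Unicode form of one DNS label, decoding ACE ("xn--") labels."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def skeleton(label):
    """Fold a label toward ASCII: drop combining marks, map known look-alikes."""
    decomposed = unicodedata.normalize("NFKD", label.lower())
    base = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return base.translate(LOOKALIKES)


def find_homographs(host):
    """Return (label, decoded, brand) for each label that imitates a protected brand."""
    hits = []
    # Accept defanged input such as "xn--trzor-o51b[.]com".
    for label in host.lower().replace("[.]", ".").strip(".").split("."):
        try:
            decoded = decode_label(label)
        except ValueError:  # UnicodeError subclasses ValueError: malformed ACE label
            continue
        if decoded.isascii():
            continue  # a pure-ASCII label is not an IDN homograph
        brand = skeleton(decoded)
        if brand in PROTECTED:
            hits.append((label, decoded, brand))
    return hits


if __name__ == "__main__":
    # Defanged host taken from the article.
    for label, decoded, brand in find_homographs("suite.xn--trzor-o51b[.]com"):
        print(f"{label} renders as {decoded!r} and imitates {brand!r}")
```

The same check can run over mail gateway or proxy logs to surface links whose decoded label folds to a protected brand name while the raw label is not plain ASCII.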

In addition to the fake site, the threat actors set up phishing sites at the following URLs:

  • http://trezorwallet[.]org/trezor[.]us 
  • http://suite.trezoriovpjcahpzkrewelclulmszwbqpzmzgub37gbcjlvluxtruqad[.]onion/ (Tor site) 

When a visitor chooses to download the desktop program, the phishing site serves a bogus Trezor Suite application called ‘Trezor-Suite-22.4.0-win-x64.exe’. The authentic Trezor Suite program is signed with a “Satoshi Labs, s.r.o.” certificate, whereas the fake Windows version is signed with a “Neodym Oy” certificate.

The threat actors got the source code for the Trezor Suite, which is open source, and produced their own customized software that appears identical to the original, genuine application. Surprisingly, the fake suite contains Trezor’s phishing warning banner at the top of the application’s screen. 

When Trezor owners connect their device to the bogus Trezor Suite app, they are prompted to enter their 12- to 24-word recovery phrase, which is then sent back to the threat actors. Once the threat actors obtain a recovery phrase, they can import it into their own wallets and steal the victim's bitcoin assets.

About the author

CIM Team
