Those who manage their crypto assets with a hardware wallet from Trezor are currently called upon to exercise particular caution. Trezor reports phishing emails that originate from official addresses.
Attention Phishing: Trezor, one of the most important manufacturers of hardware wallets, is sounding the alarm via Twitter. According to this, phishing emails are currently circulating that are sent from official Trezor accounts. The reason is an insider hack at the newsletter provider MailChimp, through which Trezor apparently handles at least parts of its customer communication. Emails from Trezor should not be opened under any circumstances at the moment, the report continues. They are trying to find out how many email addresses are affected by phishing attacks.
No information on the situation has yet been disseminated by MailChimp itself via Twitter and website. Tresor went public with the warning at noon on Sunday and later reported that it had been able to take the Trezor.us and Suite.xn--trzoro51b.com domains offline. Another tweet explicitly warns against emails from the sender firstname.lastname@example.org. In parallel, Trezor announces that it will not communicate via newsletter for the time being until the matter is resolved. Thus, for the time being, Trezor’s Twitter account remains the fastest and most reliable channel to find out how the situation is developing.
In phishing attacks, attackers use deceptive-looking emails to try to get recipients to share confidential information or even open malicious attachments. In Trezor’s case, the attack is likely to target the recovery seeds that can be used to replicate a Trezor hardware wallet elsewhere. These recovery seeds are actually intended to be able to respond in the event of a defective device. If they fall into unauthorized hands, access to one’s own hardware wallet quickly becomes impossible.
Is Trezor careless with customer data?
The incident at Trezor and MailChimp is reminiscent of the data leak at Ledger. The French manufacturer of hardware wallets and direct competitor to Trezor had to admit to a data leak in 2020, which was followed by phishing attacks on a large scale. It only gradually became known that Ledger lost far more than 1 million email addresses at the time. In the current warning from Trezor, the blame is being sought from MailChimp. According to Trezor, other companies that operate in the crypto industry and rely on MailChimp’s services have also been attacked by the insider at MailChimp.
Bottom line: Trezor suffers loss of trust – customers need to be careful
A back-and-forth on the question of guilt is of only secondary interest to customers – the fact is: at Trezor, security systems did not work, at least at times. Phishing emails from real email addresses to real newsletter subscribers is a potentially catastrophic event. So please watch out if you call a Trezor hardware wallet your own and have just received emails related to it. And in general, recovery seeds and other passwords remain with you only, preferably written down on paper or engraved on a metal plate. This is the only way to guarantee the highest possible security for hardware wallets.
Best place to buy Bitcoin: