Bitcoin Forum
Author Topic: Trezor users are being attacked via malicious emails and SMS. Be careful!  (Read 106 times)
witcher_sense (OP)
December 17, 2020, 07:03:07 AM
Last edit: December 17, 2020, 07:13:30 AM by witcher_sense
Merited by DdmrDdmr (1), Coyster (1)
 #1

Trezor team has recently published an article in which they are informing their customers about phishing attacks on crypto users. They claim that due to the recent leaks of customers' data (Ledger, for example), scammers have obtained sensitive information about people who bought hardware wallets. Given that millions of emails, thousands of phone numbers, names, postal addresses were stolen, scammers are now using this information to attack not only Ledger customers, but also customers of other hardware manufacturers.

Example of a fake message:


Some tips from Trezor team to avoid losing your funds:

Quote
The basics of keeping cryptocurrency safe are quite easy to grasp:

    Never digitize your recovery seed or share it with anyone, not even Trezor employees.
    Perform every important action using your hardware wallet, including recovery seeds.
    Double-check the URL and SSL certificates when you access any site where you manage funds.

Security is enhanced through following general good practice for online accounts and e-commerce:

    Use throwaway email addresses wherever possible.
    Do not provide personal data without a good reason.
    Use a pick up point for physical delivery when possible.

Links:

https://blog.trezor.io/phishing-attacks-are-targeting-trezor-users-4edac4cb96fa
https://www.securities.io/digital-asset-wallet-ledger-suffers-data-breach-affecting-1m-clients/
[GUIDE]Use this for identifying Scam/Phishing Websites & Exchanges in Crypto by GreatArkansas
Collection of comprehensive guides on identify and avoid scam projects by tbct_mt2
https://medium.com/ledger-on-security-and-blockchain/ledger-101-part-3-best-practices-when-using-a-hardware-wallet-198b60df2681
https://www.coindesk.com/phishing-attack-ledger-cryptocurrency-wallet
[GUIDE] How to buy a Hardware Wallet the right way by dkbit98

Eco_111
December 17, 2020, 08:28:28 AM
 #2

Sorry, I have not used a hardware wallet before, but still I'm sure that a hardware wallet will never request or even need any verifications or whatsoever. This shows that we still have foolish people around in this world today. It's still a fair pass if the wallet is a centralized wallet that requires login and passwords. Why would hardware wallets need KYC, why would Trust Wallet need KYC, why would any open source wallet need verifications? People are damn too clowny these days 😂😂😂😂
akirasendo17
December 17, 2020, 08:54:41 AM
 #3

I think the customers should be aware that they should ignore an email coming from an unknown sender; they should only communicate on the legitimate email. At the same time, maybe Trezor had accidentally leaked this information, or if it's true they have been hacked. So, as I was saying, if you are not sure that the email comes from Trezor's legit email account, ignore it; they might inject something in your computer once you click a certain link.

DdmrDdmr
December 17, 2020, 09:07:20 AM
 #4

The scammers are likely playing to the idea that 1 in 10 Ledger customers (wild guess) also has a Trezor hardware wallet. Most, if not all, recipients of the Trezor phishing attempt will have previously received at least one related to Ledger (the origin of the breach), so due to both factors, the likelihood of success is pretty slim. Still, someone is bound to fall for it, and that is what they are counting on.

Interesting to read that, allegedly, according to the first link included in the OP, Trezor anonymizes e-commerce customer data within 90 days. There are still things that can go wrong there in the meantime, and backups are also likely to make the data more persistent (depending on their backup policy), but still.
witcher_sense (OP)
December 17, 2020, 09:53:06 AM
 #5

Quote from: akirasendo17
I think the customers should be aware that they should ignore an email coming from an unknown sender; they should only communicate on the legitimate email. At the same time, maybe Trezor had accidentally leaked this information, or if it's true they have been hacked. So, as I was saying, if you are not sure that the email comes from Trezor's legit email account, ignore it; they might inject something in your computer once you click a certain link.

That is why it is always better to use disposable emails when ordering a hardware wallet or contacting hardware wallet support. Even if an email you used for orders became known to hackers and scammers, they couldn't make use of it since, by that time, it would have already been deleted. The same strategy works perfectly for contacting support. You just create a fresh email address for a specific purpose, which is to share it with support, and once you received a reply, you can delete it forever. Not only does it help to avoid being scammed, but also it results in less spam in your inbox.

Quote from: DdmrDdmr
Interesting to read that, allegedly, according to the first link included in the OP, Trezor anonymizes e-commerce customer data within 90 days. There are still things that can go wrong there in the meantime, and backups are also likely to make the data more persistent (depending on their backup policy), but still.


It was mentioned in the article that you don't have to wait a month and a half for your data to be deleted, you can always request for manual removal, which I think is a better solution for those valuing their privacy.

Either way, it is good to know they don't keep your data forever.

Quote from: Eco_111
Sorry, I have not used a hardware wallet before

You should try, it feels great!

Kong Hey Pakboy
December 17, 2020, 08:07:06 PM
 #6

Quote from: akirasendo17
I think the customers should be aware that they should ignore an email coming from an unknown sender; they should only communicate on the legitimate email. At the same time, maybe Trezor had accidentally leaked this information, or if it's true they have been hacked. So, as I was saying, if you are not sure that the email comes from Trezor's legit email account, ignore it; they might inject something in your computer once you click a certain link.

I didn't know that hardware wallets such as Trezor and Ledger wallets can be attacked by hackers using a phishing site, but I think they really can because there is no perfect technology when it comes to security.

Hardware wallet users should definitely be more aware of phishing sites and any unknown sender to avoid getting hacked or having information and funds stolen. But it is sometimes difficult to know if the message or email you have received is legitimate or not because they sometimes use the same email account name and message construction; that is why you should first do good research about it in order to protect your funds and information.

Findingnemo
December 17, 2020, 08:13:23 PM
 #7

Quote from: Kong Hey Pakboy
Quote from: akirasendo17
I think the customers should be aware that they should ignore an email coming from an unknown sender; they should only communicate on the legitimate email. At the same time, maybe Trezor had accidentally leaked this information, or if it's true they have been hacked. So, as I was saying, if you are not sure that the email comes from Trezor's legit email account, ignore it; they might inject something in your computer once you click a certain link.

I didn't know that hardware wallets such as Trezor and Ledger wallets can be attacked by hackers using a phishing site, but I think they really can because there is no perfect technology when it comes to security.

Hardware wallet users should definitely be more aware of phishing sites and any unknown sender to avoid getting hacked or having information and funds stolen. But it is sometimes difficult to know if the message or email you have received is legitimate or not because they sometimes use the same email account name and message construction; that is why you should first do good research about it in order to protect your funds and information.

Any highly secured device can be hacked with a phishing attack or social engineering tactics, so every crypto investor should take care of what link they are clicking from the device where they stored their sensitive personal and crypto related information.

I don't think any legit hardware provider is going to ask you to authenticate for no reason, so if you are receiving such emails then just ignore them and never download even PDF files or images attached to them, which also can be injected with malware.

witcher_sense (OP)
December 18, 2020, 05:48:41 AM
 #8

Quote from: Findingnemo
Any highly secured device can be hacked with a phishing attack or social engineering tactics, so every crypto investor should take care of what link they are clicking from the device where they stored their sensitive personal and crypto related information.

I don't think any legit hardware provider is going to ask you to authenticate for no reason, so if you are receiving such emails then just ignore them and never download even PDF files or images attached to them, which also can be injected with malware.

Hardware wallets are actually designed to protect users from phishing attacks. These are offline devices, never connect to the Internet, and can be used with air-gapped computers just for signing your transactions. In the case of hardware wallets, your seed phrase, private keys, passphrases are never exposed, so they cannot be intercepted by a potential malicious actor.

However, devices like Trezor hardware wallet and its forks like Keepkey are vulnerable to physical attacks. An attacker using some special tools can extract a seed phrase and consequently spend your funds. You can read more about these vulnerabilities here:

https://donjon.ledger.com/Unfixable-Key-Extraction-Attack-on-Trezor/
https://blog.trezor.io/our-response-to-the-read-protection-downgrade-attack-28d23f8949c6
https://blog.trezor.io/our-response-to-ledgers-mitbitcoinexpo-findings-194f1b0a97d4

A strong passphrase (so-called 25th word) can protect even from physical attacks. That is why it is always recommended to use a passphrase to mitigate risks.

Here is a great video from A.Antonopoulos on how to properly generate, store and use your passphrase:

Crypto Security: Passwords and Authentication
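
What the "25th word" does under BIP39, as an added example that is not part of the original post: the passphrase is mixed into the salt when the seed is derived, so the words alone (what the post says a physical attack can extract) lead to a different wallet. The mnemonic is the public BIP39 test vector and the helper names are illustrative.

```python
import hashlib
import unicodedata

# Public BIP39 test-vector mnemonic (sample input; never fund it).
TEST_MNEMONIC = (
    "abandon abandon abandon abandon abandon abandon "
    "abandon abandon abandon abandon abandon about"
)


def bip39_seed(mnemonic, passphrase=""):
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def wallet_fingerprints(mnemonic, passphrases):
    """Map each passphrase to a short hex tag of the 64-byte seed it produces."""
    return {p: bip39_seed(mnemonic, p).hex()[:16] for p in passphrases}


def words_alone_reach_wallet(mnemonic, owner_passphrase):
    """True only if the bare words (empty passphrase) give the owner's seed."""
    return bip39_seed(mnemonic) == bip39_seed(mnemonic, owner_passphrase)


if __name__ == "__main__":
    # Near-miss passphrases (case, trailing space) are included on purpose:
    # each one is a valid, unrelated wallet rather than an error.
    candidates = ["", "TREZOR", "trezor", "TREZOR "]
    for phrase, tag in wallet_fingerprints(TEST_MNEMONIC, candidates).items():
        print(f"{phrase!r:10} -> seed {tag}...")
    print("words alone open the passphrase wallet:",
          words_alone_reach_wallet(TEST_MNEMONIC, "TREZOR"))
```

There is no "wrong passphrase" error in this scheme: a typo silently derives another, empty wallet, so the passphrase has to be backed up as carefully as the words and kept separate from them.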

ranochigo
December 18, 2020, 05:57:28 AM
Last edit: December 18, 2020, 11:53:10 AM by ranochigo
 #9

Quote from: witcher_sense
Hardware wallets are actually designed to protect users from phishing attacks. These are offline devices, never connect to the Internet, and can be used with air-gapped computers just for signing your transactions. In the case of hardware wallets, your seed phrase, private keys, passphrases are never exposed, so they cannot be intercepted by a potential malicious actor.

I think most hardware wallets need a connection using a USB of some sort to an online computer to generate and sign transactions; there are exceptions of course. They are designed specifically so that the security will not be compromised even if the computer itself has malware, so it makes airgapped computers redundant when used together.

Generally, phishing attacks are social engineering attacks. Hardware wallets do protect against those non-physical attacks but they do nothing if the weakest link (which is the user) decides to leak their own seeds voluntarily after seeing and believing a seemingly [authentic] message from Trezor or other HW wallets. I wouldn't describe HW wallets as something that protects the users against phishing attacks. Quite the contrary, phishing attacks are more believable if they are more personalised, which is the case with the database of Ledger being leaked. Nothing would be able to completely eliminate social engineering attacks as a threat.
