Trezor Fake wallet scam!

[dkbit98]

I remember few years ago people reported some fake Trezor One hardware wallets, and many legit companies cloned and forked Trezor because of their Open Source code.
Now there are new reports of Trezor Model T fake devices that are used to scam people and steal coins from them, and this was confirmed by well known company Kaspersky.

Attackers waited patiently for owner to deposit larg enough amount of coins before they stole them from him.
From outside this fake Trezor T wallet looks identical like original Trezor device, it was ordered from popular website and it had holographic sticker on original box.
First strange things was asking to update latest firmware version 2.0.4 that was not available on official Trezor github.

Things look different when you open it and check the board, there are traces of soldering and  microcontroller STM32F429 fully was used instead of original model STM32F427, and it had fully deactivated flash-memory read-out protection.
Image below is showing original device on left sight, and fake device is on the right side:


Source Article: https://www.kaspersky.com/blog/fake-trezor-hardware-crypto-wallet/48155/

Bootloader and wallet firmware had three modifications, first to bypass checking that device is genuine, second change was making owner use seed phrase previously generated by scammers, and third change was making attackers easy to crack password.

How to prevent attacks like this?
- This is textbook example of supply-chain attack, that is why it's very important to buy hardware wallets only from official website or resellers.


You can also read one of my old topics that explains most Attack vectors for Hardware Wallets:
https://bitcointalk.org/index.php?topic=5321850

[1714802421]

1714802421

[Charles-Tim]

How to prevent attacks like this?
- This is textbook example of supply-chain attack, that is why it's very important to buy hardware wallets only from official website or resellers.

To buy from authorized official resellers. Like in my country, there are few resellers, but no single authorized official reseller of Trezor wallets. If I want to get Trezor, it will be from official reseller.

If someone read everything on the links below, the person will be able to differentiate an original Trezor from a fake one.

https://trezor.io/learn/a/authenticate-model-one
https://trezor.io/learn/a/authenticate-model-t

A fake Trezor can not copy the original Trezor 100% and there are some things to follow like these:

All Trezor devices are distributed without firmware installed - you will need to install it during setup. This setup process will check if firmware is already installed on the device. If firmware is detected then the device should not be used.

The bootloader verifies the firmware signature each time you connect your Trezor to a computer. Trezor Suite will only accept the device if the installed firmware is correctly signed by SatoshiLabs. If unofficial firmware has been installed, your device will flash a warning sign on its screen upon being connected to a computer.

[m2017]

First, I have not found information on how this fake Trezor fell into the hands of the author of this article. A story about this could well complement the article (and satisfy my curiosity ).

Secondly, creating such a fake device is not an easy task for most scammers, requiring certain skills and knowledge. That is, the creation of such fakes can't be put on the assembly line (just don’t tell chinese manufacturers about it ), which means that most buyers are unlikely to run into this. The guys who implemented this idea with a fake model T were hunting for big fish and among all the buyers of hardware wallets still need to find one. People can buy HW wallet to store both 0.1BTC and 10BTC. It is impossible to understand how much bitcoin will be deposited into the wallet. That is, attackers will need additional information about a potential victim in order to distinguish it from small fish. This is where the moment about the confidentiality of personal data floats, but this is a completely different topic for discussion.

[Pmalek]

To buy from authorized official resellers. Like in my country, there are few resellers, but no single authorized official reseller of Trezor wallets. If I want to get Trezor, it will be from official reseller.

Always buy from the official shop if you can. If not, use an official reseller linked on Trezor's website. Never trust the information and promises online shops post on their websites. The Trezor resellers network can be found here: https://trezor.io/resellers
If the site claiming to be an official partner is not on that list, don't buy from them.

If someone read everything on the links below, the person will be able to differentiate an original Trezor from a fake one.

https://trezor.io/learn/a/authenticate-model-one
https://trezor.io/learn/a/authenticate-model-t

A fake Trezor can not copy the original Trezor 100% and there are some things to follow like these:

All Trezor devices are distributed without firmware installed - you will need to install it during setup. This setup process will check if firmware is already installed on the device. If firmware is detected then the device should not be used.

The bootloader verifies the firmware signature each time you connect your Trezor to a computer. Trezor Suite will only accept the device if the installed firmware is correctly signed by SatoshiLabs. If unofficial firmware has been installed, your device will flash a warning sign on its screen upon being connected to a computer.

The problem here is that if a user is tricked into buying a fake device, they obviously don't know much about the info you quoted. If you can trick them to purchase a fake Trezor, you can most probably also trick them into install an unofficial firmware and use a phishing app, instead of the real Trezor Suite. You are either careful and can spot these things or you don't. A fake device would be shipped with accompanying documentation that instructs the victim about what software and firmware to download. And it wouldn't be the genuine ones.

[NotATether]

Incredible. How were you able to detect the differences and tampering in the micro-components inside the hardware wallet?

[Charles-Tim]

Incredible. How were you able to detect the differences and tampering in the micro-components inside the hardware wallet?

You will see the link under the images on the OP: https://www.kaspersky.com/blog/fake-trezor-hardware-crypto-wallet/48155/

[dkbit98]

Incredible. How were you able to detect the differences and tampering in the micro-components inside the hardware wallet?

It was not me, it was Kaspersky you know, one of the biggest antivirus security company... that makes me think new Trezor fake device scam is probably coming from Russia.
Trezor is still not shipping in that region of the world and scammers used that situation to create new cloned devices.
Components inside are easy to differentiate even for amateurs like us, just read the labels.

You will see the link under the images on the OP

Maybe he thinks I am mister Kaspersky 

[rby]

Source Article: https://www.kaspersky.com/blog/fake-trezor-hardware-crypto-wallet/48155/

Looking at the two images, I can clearly spot out the difference between the original and fake. The image by the right has a spider MCU (microcontroller unit). This kind of MCU can only be gotten from the manufacturing company and no other. I do not understand why the signal cables of the fake was covered.
The difference can only be spotted when the hardware is opened and in most cases no customer opens their hardware wallet. The best is to buy directly from the manufacturers.

The guys who implemented this idea with a fake model T were hunting for big fish and among all the buyers of hardware wallets still need to find one. People can buy HW wallet to store both 0.1BTC and 10BTC. It is impossible to understand how much bitcoin will be deposited into the wallet. That is, attackers will need additional information about a potential victim in order to distinguish it from small fish.

The filtering of the victims is not necessary and would need a strong detective to achieve this. They can simply target area where bitcoin activities is at high rate and target their promotion there. However, they lose nothing if they got a victim who will save 0.1BTC because the fake wallet was also bought and not given free.