[WARNING] Recent warning from Trezor.

[satscraper]

Heads up to Trezor users.

Recent warning from Trezor:

Scammers have discovered the way to exploit the contact form to send fake emails that appear to come from their automatic ticketing support. Those emails are trying to force users into visiting fake sites, the aim being to capture their SEEDs. Trezor officials said their internal base that hold customers' data was not broken, but hackers managed to get relevant data "gathered from an unknown source".

[Charles-Tim]

After 3 hours the email was sent yesterday, the fake site stopped working. But when I woke up today, I saw the fake website working again.

I decided to try it on my laptop and it worked, but not working on my second mobile device. As it worked on two of my devices, I still conclude that it has not been contained, people should just be careful and avoid the scam instead.

This is one of the reasons I prefer wallet on airgapped devices, but this attack is easy to avoid.

[SFR10]

Trezor officials said their internal base that hold customers' data was not broken, but hackers managed to get relevant data "gathered from an unknown source".

Concerning the latter part, I believe part of it came from the exposed email addresses that happened as a result of the newsletter incident in the past ^{[similar to "what they responded" about another phishing attempt on June 28th]}, while other leaked data probably doesn't have anything to do with Trezor.

After 3 hours the email was sent yesterday, the fake site stopped working. But when I woke up today, I saw the fake website working again.

They probably managed to move it to a new hosting provider or they intentionally did something to make other users believe their fake site went down.
^{- I couldn't find the domain in question, but I hope you've reported them again.}

[rdluffy]

To be honest, would anyone who bought a hardwallet fall for a scam like that?
I assume that a user who buys a Trezor, for example, knows the minimum security recommendations to never reveal or write the seed to anyone

My two hardwallet purchases to date were without registration at Ledger and Trezor, so at least I know my e-mail wasn't leaked
What bothers me most about these leaks is the possibility that criminals will be able to find out who has crypto in real life and make them possible targets

[albon]

To be honest, would anyone who bought a hardwallet fall for a scam like that?
I assume that a user who buys a Trezor, for example, knows the minimum security recommendations to never reveal or write the seed to anyone

My two hardwallet purchases to date were without registration at Ledger and Trezor, so at least I know my e-mail wasn't leaked
What bothers me most about these leaks is the possibility that criminals will be able to find out who has crypto in real life and make them possible targets

Like a school exam, no matter how easy it is, you will still find many who fail. Many people have purchased cold wallets, but they are still hasty, and the message they receive may cause them panic and anxiety, so they click the link without thinking and may act recklessly without considering the consequences, because they believe they are dealing with an official domain. If they remember and apply security recommendations, they will avoid falling for such easy strategies that can be quickly detected.


I don’t think these data leaks would allow scammers to know exactly who owns cryptocurrencies. They have the users’ email addresses and will send phishing emails hoping that someone falls into the trap. This is basically random targeting.

[Zaguru12]

To be honest, would anyone who bought a hardwallet fall for a scam like that?
I assume that a user who buys a Trezor, for example, knows the minimum security recommendations to never reveal or write the seed to anyone

My two hardwallet purchases to date were without registration at Ledger and Trezor, so at least I know my e-mail wasn't leaked
What bothers me most about these leaks is the possibility that criminals will be able to find out who has crypto in real life and make them possible targets

Seriously I don’t get moved by attacks like this because it doesn’t necessarily mean that your wallet is in danger except if a naive person actually gives out information to the hacker leading to their wallet or click a phishing link, otherwise attacks like this are fruitless. The only time I get worried for emails leaked is when the service it’s self is closed source, with it been closed source you will not know what information from that wallet that the company must have extracted and what type of information the hackers get their hands on. Aside this you simply ignore the emails or even use throwaway email addresses when registering.

I don’t think these data leaks would allow scammers to know exactly who owns cryptocurrencies. They have the users’ email addresses and will send phishing emails hoping that someone falls into the trap. This is basically random targeting.

But they have a clue that this person bought an hardware wallet because this emails were emails used during the hardware wallet purchase registration and someone who doesn’t own a crypto wouldn’t go for an hardware wallet that’s there thought. But still it is random attack looking for who will fall victim

[Forsyth Jones]

To be honest, would anyone who bought a hardwallet fall for a scam like that?
I assume that a user who buys a Trezor, for example, knows the minimum security recommendations to never reveal or write the seed to anyone

My two hardwallet purchases to date were without registration at Ledger and Trezor, so at least I know my e-mail wasn't leaked
What bothers me most about these leaks is the possibility that criminals will be able to find out who has crypto in real life and make them possible targets

Don't doubt human ingenuity and some people's ability to outsmart others in this world. Unfortunately, it's still very easy to steal funds from hardware wallet owners through social engineering.

Many of these people are newcomers who have had little contact with Bitcoin, and when they really learn what self-custody is, they will migrate to more technically advanced devices such as Coldcard, passport, etc.

I myself have a Trezor model T and I'm proud of it, it's very easy to use and secure. Obviously it'll not be more secure than an air-gapped device, but to this day I've never heard of anyone who was robbed using hardware wallets and didn't expose the seed phrase online.

[crwth]

Thank you for sharing this it's quite helpful. Posing to look legitimate with an email scam is dangerous and we all should know that we shouldn't give the wallet backup for this.

I am thankful that i haven't received that because my email was leaked once with Ledger and not with Trezor.

[Charles-Tim]

My two hardwallet purchases to date were without registration at Ledger and Trezor, so at least I know my e-mail wasn't leaked

If you registered for newsletter on Trezor official website, you will get the scam message on email address that you used to register.

What bothers me most about these leaks is the possibility that criminals will be able to find out who has crypto in real life and make them possible targets

This only happened to Ledger hardware wallet uses? Ledger has proven to people how they are the worse hardware wallet.

I don’t think these data leaks would allow scammers to know exactly who owns cryptocurrencies. They have the users’ email addresses and will send phishing emails hoping that someone falls into the trap. This is basically random targeting.

The scammers only know the email I think.

[PrivacyG]

To be honest, would anyone who bought a hardwallet fall for a scam like that?
I assume that a user who buys a Trezor, for example, knows the minimum security recommendations to never reveal or write the seed to anyone

You are making the wrong assumption.  Newbies are always recommended Hardware Wallets because they require zero prior knowledge or experience and for a starter they are excellent.

They may shield from viruses and some of the stupid mistakes, but they can not completely shield from bad human behavior.  Maybe Trezor does not include the warning too often or in a bold enough font in their product instructions, DO NOT SHARE THE SEED WITH ANYBODY, NOT EVEN WITH US.  Maybe they should actually add this to the welcome screen, and I am not even joking.  Too many people fall for this.

[rdluffy]

To be honest, would anyone who bought a hardwallet fall for a scam like that?
I assume that a user who buys a Trezor, for example, knows the minimum security recommendations to never reveal or write the seed to anyone

You are making the wrong assumption.  Newbies are always recommended Hardware Wallets because they require zero prior knowledge or experience and for a starter they are excellent.

They may shield from viruses and some of the stupid mistakes, but they can not completely shield from bad human behavior.  Maybe Trezor does not include the warning too often or in a bold enough font in their product instructions, DO NOT SHARE THE SEED WITH ANYBODY, NOT EVEN WITH US.  Maybe they should actually add this to the welcome screen, and I am not even joking.  Too many people fall for this.

As I recently bought a Trezor, I have the instructions and the backup paper that they physically send with the wallet 

 

I hope that no one has fallen for these scams. As you said, nothing can be guaranteed when the human do a bad behavior

[PrivacyG]

As I recently bought a Trezor, I have the instructions and the backup paper that they physically send with the wallet 

Humans nowadays do not even read past the title of an article.  It is not the most comfortable thing to do, but it may be better if they add a few key words to the boot screen.  If they do not read the instructions, they will for sure watch the screen upon boot at least once.

Although I would argue it is mainly their fault, the product has instructions for a reason.  But how many people do you know who read the user manual of things they buy?

[libert19]

Keeping your pvk/seed to yourself can save you from all these types of scam attempts, and I agree with PrivacyG above that Trezor should make it further obvious that user is not supposed to share seed, no matter what.

...But how many people do you know who read the user manual of things they buy?

I read myself, but I don't know anybody else who does same. So it's rare indeed.

[Cricktor]

... It is not the most comfortable thing to do, but it may be better if they add a few key words to the boot screen.  If they do not read the instructions, they will for sure watch the screen upon boot at least once.

It could be an optional feature that you can toggle off, once you're fine with all the important advisory messages that your hardware wallet shows you once powered up and which you have to confirm by keypress to dismiss for the moment. A handful of important facts to keep your stash safe, changing every few seconds on the startup screen of the wallet until you dismiss them for the current session.

If you know all of the good advises, you could disable this feature in the settings of the hardware wallet.

Although I would argue it is mainly their fault, the product has instructions for a reason.  But how many people do you know who read the user manual of things they buy?

I must say, I don't have much pity with folks that refuse to read and inform themselves about a sophisticated or more technical product where understanding is crucial to safe operation. As a user you have some obligations. If someone thinks the use of their brain is overrated and optional, well then it's their problem. Less reading, more tears later.

[Pmalek]

To be honest, would anyone who bought a hardwallet fall for a scam like that?

Yes. That's why scammers do all they can to get their hands on big database dumps from crypto users/owners so they can try to trick them into revealing sensitive information. The number of people who fall for a scam doesn't have to be big for the scam to be successful. If they send 1000 fake emails asking potential victims to download a malicious software or enter their seed online and one person with plenty of crypto falls for it, that's success in the eyes of the scammers even if a big majority weren't tricked.

The rules remain the same:
- Never enter your seed anywhere.
- Never download software suggested to you over email.
- Never talk or share private information with unknown people online.

Trezor will never ask for your seed or passphrase. If you know that, it's easy not to fall for phishing scams.

[The Cryptovator]

Though I haven't checked whether I've received mail or not, even if there is an email from Trezor, I don't bother to click on it. Because I don't have business with Trezor since it's not a web wallet. So why should I cooperate with Trezor? Sometimes I see the mail, and I just delete it without reading it. Because I consider them as promotional mail that I really don't need. I feel this is better practice to avoid such mail. From data breach scammers attacking Trezor users. Some might fall into the trap as well.

Even for firmware upgrades or software updates, I don't trust the apps notifications. I just go to their official website by typing the address and update my software. Because on Electrum we have seen how scammers were able to send notifications on the apps that force the download of fake software or malware. So always need to verify the official sources. Because it's related to the funds, and we need to be very careful.

[Lucius]

~snip~
Even for firmware upgrades or software updates, I don't trust the apps notifications. I just go to their official website by typing the address and update my software. Because on Electrum we have seen how scammers were able to send notifications on the apps that force the download of fake software or malware. So always need to verify the official sources. Because it's related to the funds, and we need to be very careful.

Isn't it easier (safer) to save the original link to your favorites and then use it every time you need it? Typing an address is error-prone and just one wrong letter can lead you to a phishing address.

Sending messages via e-mail and exploiting a vulnerability in an official app is something completely different. What hackers did with Electrum 7 years ago, if I'm not mistaken, was truly brilliant (for them, of course).

[Forsyth Jones]

~snip~
Even for firmware upgrades or software updates, I don't trust the apps notifications. I just go to their official website by typing the address and update my software. Because on Electrum we have seen how scammers were able to send notifications on the apps that force the download of fake software or malware. So always need to verify the official sources. Because it's related to the funds, and we need to be very careful.

Isn't it easier (safer) to save the original link to your favorites and then use it every time you need it? Typing an address is error-prone and just one wrong letter can lead you to a phishing address.

Sending messages via e-mail and exploiting a vulnerability in an official app is something completely different. What hackers did with Electrum 7 years ago, if I'm not mistaken, was truly brilliant (for them, of course).

Yes, it was indeed a very well-executed social engineering tactic, but unfortunately, the lightning bolt of knowledge struck the wrong house, the criminal.

I don't remember exactly how this attack happened, as it was so long ago (if I'm not mistaken, it involved malicious servers exploiting a vulnerability that allowed notification pop-ups to be displayed to users, tricking them into thinking it was an Electrum wallet procedure).

Likewise, we must always be alert, identifying any non-standard procedures with these wallets (e.g., Electrum displays a message in the footer informing that there's a new version of Electrum, but the update is never performed through the app; instead, there's a link to the official website). Likewise, we must be careful with our hardware wallets, downloading, for example, the Trezor Suite from the official website (and preferably saving it in the browser), verifying that the software behaves as in previous versions, and always carefully reviewing the information displayed on the screen of these devices.

Everyone is already tired of knowing, never, under any circumstances, provide the seed phrase (or passphrase), even if the hardware wallet software is requesting it (because in this case it's a trojan pretending to be the official software).

[Pmalek]

Even for firmware upgrades or software updates, I don't trust the apps notifications. I just go to their official website by typing the address and update my software. Because on Electrum we have seen how scammers were able to send notifications on the apps that force the download of fake software or malware.

A small correction here. People weren't forced to download the malicious Electrum apps. They were tricked to do it voluntarily after seeing the notification pop-ups sent by the scammers and server operators. That made them think it was urgent to upgrade, so they did it.

Isn't it easier (safer) to save the original link to your favorites and then use it every time you need it? Typing an address is error-prone and just one wrong letter can lead you to a phishing address.

Accessing websites from saved bookmarks is indeed safer. However, your browser remembers your browsing history unless you delete it every time. If you want to visit a familar website, all you have to do is enter the first couple of characters in the search bar and the browser takes care of the rest.