Trezor Data Breach Phishing: Difference between revisions
(Initial 30 minutes sent. Down to 4 sources left.) |
(Another 30 minutes complete.) |
||
| Line 1: | Line 1: | ||
{{ | {{Case Study Under Construction}}[[File:Trezor.jpg|thumb|Trezor]]Multiple users of the Trezor hardware wallet had their email addresses compromised, and the phishing attacker sent out a realistic, typo-free, and well planned attack complete with an altered version of the application, which requested their seed phrase. While the total value of the loss hasn't been publicized, at least one user was found who was reported to have entered the seed phrase and lost significant funds. There is no evidence that any funds will be recovered. | ||
[[File:Trezor.jpg|thumb|Trezor]]Multiple users of the Trezor hardware wallet had their email addresses compromised, and the phishing attacker sent out a realistic, typo-free, and well planned attack complete with an altered version of the application, which requested their seed phrase. While the total value of the loss hasn't been publicized, at least one user was found who was reported to have entered the seed phrase and lost significant funds. There is no evidence that any funds will be recovered. | |||
== About Trezor == | == About Trezor == | ||
| Line 15: | Line 10: | ||
"The first generation of Trezor, first released on 29 July 2014, is currently known as Trezor One. The next-generation device is called Trezor Model T and was released on 26 February 2018." | "The first generation of Trezor, first released on 29 July 2014, is currently known as Trezor One. The next-generation device is called Trezor Model T and was released on 26 February 2018." | ||
=== Notice Of Breach Received === | |||
Trezor users received an email informing them that their personal information had been compromised and of the potential that their assets might be at risk. The email instructed them to download the latest version of Trezor Suite and set up a new PIN for their wallet.<blockquote>"We regret to inform you that Trezor has experienced a security incident involving data belonging to 106,856 of our customers, and that the wallet associated with your email address is within those affected by the breach." | |||
"We regret to inform you that Trezor has experienced a security incident involving data belonging to 106,856 of our customers, and that the wallet associated with your email address is within those affected by the breach." | |||
"Namely, on Saturday, April 2nd, 2022, our security team discovered that one of the Trezor Suite administrative servers had been accessed by an unauthorized malicious actor." "At the moment, it's technically impossible to accurately assess the scope of the data breach. Due to these circumstances, if you've recently accessed your wallet using Trezor Suite, we must assume that your cryptocurrency assets are at risk of being stolen." | "Namely, on Saturday, April 2nd, 2022, our security team discovered that one of the Trezor Suite administrative servers had been accessed by an unauthorized malicious actor." "At the moment, it's technically impossible to accurately assess the scope of the data breach. Due to these circumstances, if you've recently accessed your wallet using Trezor Suite, we must assume that your cryptocurrency assets are at risk of being stolen." | ||
| Line 31: | Line 17: | ||
"In the spirit of transparency, we wanted to make our customers aware of this incident before malicious actors could utilize this information to their detriment. We felt time was of the essence, and we are expediently working through our investigation." | "In the spirit of transparency, we wanted to make our customers aware of this incident before malicious actors could utilize this information to their detriment. We felt time was of the essence, and we are expediently working through our investigation." | ||
"If you're receiving this e-mail, it's because you've been affected by the breach. In order to protect your assets, please download the latest version of Trezor Suite and follow the instructions to set up a new PIN for your wallet." | "If you're receiving this e-mail, it's because you've been affected by the breach. In order to protect your assets, please download the latest version of Trezor Suite and follow the instructions to set up a new PIN for your wallet."</blockquote> | ||
The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events. | The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events. | ||
| Line 81: | Line 36: | ||
* Anything that wasn't reasonably knowable at the time of the event. | * Anything that wasn't reasonably knowable at the time of the event. | ||
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page. | There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page. | ||
== About Mailchimp == | |||
TBD - Fill in details here. | |||
== The Reality == | == The Reality == | ||
Phishing is an online scam where criminals impersonate legitimate organizations to steal sensitive information. Phishing attacks are on the rise globally, with a significant increase during the COVID-19 pandemic, and they account for a large portion of data breaches<ref>[https://watcher.guru/news/trezor-data-breach-phishing-emails Possible data breach for Trezor as users report string of phishing emails - Watcher.Guru] (Jun 20, 2023)</ref>. | |||
"The Mailchimp security team disclosed that a malicious actor accessed an internal tool used by customer-facing teams for customer support and account administration. The bad actor gained access to this tool as a result of a successful social engineering attack on Mailchimp employees." | |||
"Unauthorized actors have attempted to contact Trezor users posing as the firm to scam unaware users out of their investments. Users received an email about downloading an app from a similar domain called ‘trezor.us’ instead of the official Trezor domain name, ‘trezor.io.’" | |||
This sections is included if a case involved deception or information that was unknown at the time. Examples include: | This sections is included if a case involved deception or information that was unknown at the time. Examples include: | ||
| Line 91: | Line 58: | ||
== What Happened == | == What Happened == | ||
Users who followed the instructions in the email (from trezor.us instead of trezor.io) downloaded malware to their computer which mimicked the functionality of the Trezor Suite. This malware requested them to enter their seed phrase as part of the setup process. Once the seed phrase had been entered, it was transmitted to the attackers, and the attackers were able to sweep all funds from their wallet. | |||
{| class="wikitable" | {| class="wikitable" | ||
|+Key Event Timeline - Trezor Data Breach Phishing | |+Key Event Timeline - Trezor Data Breach Phishing | ||
| Line 113: | Line 80: | ||
|Crosspost to Bitcoin Subreddit | |Crosspost to Bitcoin Subreddit | ||
|The phishing attack is crossposted to the Bitcoin subreddit<ref name="reddit-7722" />. | |The phishing attack is crossposted to the Bitcoin subreddit<ref name="reddit-7722" />. | ||
|- | |||
|April 3rd, 2022 3:23:00 AM MDT | |||
|Trezor Announces Investigation | |||
|Trezor announces on Twitter that they are in the process of "investigating a potential data breach of an opt-in newsletter hosted on MailChimp". "A scam email warning of a data breach is circulating. Do not open any email originating from noreply@trezor.us, it is a phishing domain."<ref name="trezortwitter-8370" /> | |||
|- | |- | ||
|April 3rd, 2022 4:04:00 AM MDT | |April 3rd, 2022 4:04:00 AM MDT | ||
| Line 121: | Line 92: | ||
|CoinTelegraph Article | |CoinTelegraph Article | ||
|CoinTelegraph posts an article covering the situation<ref>[https://web.archive.org/web/20220403103056/https://cointelegraph.com/news/trezor-investigates-potential-data-breach-as-users-cite-phishing-attacks Trezor investigates potential data breach as users cite phishing attacks - CoinTelegraph Archive April 3rd, 2022 4:30:56 AM MDT] (Apr 18, 2023)</ref>. "While Trezor attempts to identify the root cause of the situation with an official investigation, users are advised not to click on links coming from unofficial sources until further notice." <ref name="eteq-7726" /> TBD article was updated. | |CoinTelegraph posts an article covering the situation<ref>[https://web.archive.org/web/20220403103056/https://cointelegraph.com/news/trezor-investigates-potential-data-breach-as-users-cite-phishing-attacks Trezor investigates potential data breach as users cite phishing attacks - CoinTelegraph Archive April 3rd, 2022 4:30:56 AM MDT] (Apr 18, 2023)</ref>. "While Trezor attempts to identify the root cause of the situation with an official investigation, users are advised not to click on links coming from unofficial sources until further notice." <ref name="eteq-7726" /> TBD article was updated. | ||
|- | |||
|April 3rd, 2022 5:12:00 AM MDT | |||
|Watcher.Guru Article | |||
|Watcher.Guru announces the situation and publishes an article<ref name="watchergurutwitter-7731" /><ref name="watcherguru-7730" />. Trezor, a cryptocurrency hardware wallet provider, is investigating a potential data breach that has affected its users and may have exposed their personal information. The issue was brought to light when Twitter users reported receiving phishing emails targeting Trezor users. The fraudulent emails claim that Trezor experienced a security incident and urge users to download an app from an unofficial domain. Trezor suspects that the compromised email addresses were part of a newsletter list hosted by email marketing service provider Mailchimp, which confirmed that their service was breached by an insider targeting crypto companies. Trezor advises users to avoid clicking on links from unofficial sources and to update their firmware or software only through the official Trezor website. | |||
|- | |- | ||
|April 3rd, 2022 10:04:00 AM MDT | |April 3rd, 2022 10:04:00 AM MDT | ||
| Line 126: | Line 101: | ||
|FXEmpire posts an article about the phishing attack. The article is later reposted to Yahoo Finance<ref name="yahoofinance-7725" /> within several hours<ref>[https://web.archive.org/web/20220403230626/https://finance.yahoo.com/news/trezor-issues-data-breach-warning-160241180.html Trezor Issues Data Breach Warning As Users Cite Phishing Attacks - Yahoo Finance Archive April 3rd, 2022 5:06:26 PM MDT] (Apr 18, 2023)</ref>. | |FXEmpire posts an article about the phishing attack. The article is later reposted to Yahoo Finance<ref name="yahoofinance-7725" /> within several hours<ref>[https://web.archive.org/web/20220403230626/https://finance.yahoo.com/news/trezor-issues-data-breach-warning-160241180.html Trezor Issues Data Breach Warning As Users Cite Phishing Attacks - Yahoo Finance Archive April 3rd, 2022 5:06:26 PM MDT] (Apr 18, 2023)</ref>. | ||
|- | |- | ||
| | |April 5th, 2022 1:33:19 PM MDT | ||
| | |Migliaccio & Rathod LLP Investigation | ||
| | |Law firm Migliaccio & Rathod LLP are reportedly investigating a potential class action against Trezor "for failing to adequately safeguard consumer information, resulting in a data breach"<ref name="classlawdc-7729" />. The breach, initially reported in March 2022, exposed the email addresses of users who had subscribed to Trezor's newsletter through MailChimp. The leaked email addresses have led to phishing scams targeting hardware wallet owners, aiming to obtain their 12-word recovery seeds and steal cryptocurrency assets. In addition to email addresses, the breach may have exposed users' phone numbers, addresses, and account passwords, which can be exploited in sophisticated attacks on recovery seeds. Users can anticipate an increase in both the number and complexity of phishing attempts, with some potentially experiencing multiple scareware attacks. If affected by the breach, Trezor users are encouraged to contact Migliaccio & Rathod LLP for assistance. | ||
|} | |} | ||
== Technical Details == | |||
"When you click on the link in the phishing email you are directed to download a Trezor Suite lookalike app, that will ask you to connect your wallet and enter your seed. The seed is compromised once you enter it into the app, and your funds will then be immediately transferred to the attackers wallet." | |||
"This attack is exceptional in its sophistication and was clearly planned to a high level of detail. The phishing application is a cloned version of Trezor Suite with very realistic functionality, and also included a web version of the app." | |||
"Wow, @Trezor, this is the best phishing attempt I have seen in the last few years. I am really lucky I don't have Trezor, because if I had, I would probably actually download that update." | |||
"For this attack to be successful, users had to install the malicious software on their devices, at which point their operating system should identify that the software comes from an unknown source. This warning should not be ignored, all official software is digitally signed by SatoshiLabs." | |||
== Total Amount Lost == | == Total Amount Lost == | ||
| Line 138: | Line 126: | ||
== Immediate Reactions == | == Immediate Reactions == | ||
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed? | How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed? | ||
"Trezor wallet owners did not have a good Sunday morning after the hardware wallet provider revealed that some of its users were the target of a phishing attack over the weekend. On April 3, Crypto Twitter was filled with community warnings about an ongoing email phishing campaign targeting Trezor users via their registered email addresses." | |||
"Very convincing Trezor phishing scam being sent from trezor.us. Most likely leaked emails from HubSpot breach or other crypto-adjacent lists." | |||
"Asks you to download latest Trezor software suite to address the security condition." | |||
"I happen to have clicked on the update and upon checking my wallet balance afterward, I realized both my bitcoin and Ethereum in the account were sent to unknown addresses in a space of 4 minutes interval." | |||
"Can someone please advise me on what best to do now and if I can ever be able to recover my coins? All suggestions will be appreciated as it is a substantial amount." | |||
“We immediately took steps to disable phishing sites and are taking further steps to stop the continuation of this phishing attack.” — Tomáš Sušánka, CTO of Trezor. | |||
"Cryptocurrency hardware wallet provider Trezor has begun formally investigating a possible data breach that has affected numerous users and may have compromised their personal information." "Trezor initially suspected that the compromised email addresses belonged to a list of users who opted-in for newsletters hosted on an American email marketing service provider Mailchimp." | |||
"The firm has begun investigating the data breach and has confirmed that its service has been compromised by ‘an insider targeting crypto companies.’ As the firm officially investigates the total number of stolen email addresses, they have advised users not to click on links coming from unofficial sources until further notice." | |||
"With this recent leak of personal information, Trezor users can expect an uptick in both the number of phishing attempts and their level of complexity. Some customers may even be the target of multiple “scareware” attacks, where threat actors use the compromised information to generate shock and anxiety in their targets, as to more easily manipulate them." | |||
=== Users Report Phishing on Twitter === | === Users Report Phishing on Twitter === | ||
| Line 149: | Line 157: | ||
== Ultimate Outcome == | == Ultimate Outcome == | ||
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done? | What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done? | ||
"Trezor customer order data is purged after 90 days. The data contained in this leak originates from a separate database secured by a third party." | |||
"We are actively warning customers about the ongoing phishing attacks, having published warnings on our website and social media, and also within the Trezor Suite app. Please help us spread the word and minimize the harm these scammers cause." | |||
"We have already taken down many of the malicious sites associated with today’s attack. The team is working around the clock to bring the phishing sites down as soon as possible." | |||
"While Trezor makes an try to determine the idea cause for the state of affairs with an official investigation, prospects are instructed to not click on on on hyperlinks coming from unofficial sources until extra uncover." "The only reason to worry about your funds is if you entered your seed into the malicious app. Your device can not be compromised or affected by this attack without explicitly typing your seed into your computer. Never enter your seed anywhere unless your Trezor device tells you to!" | |||
== Total Amount Recovered == | == Total Amount Recovered == | ||
| Line 157: | Line 174: | ||
== Ongoing Developments == | == Ongoing Developments == | ||
What parts of this case are still remaining to be concluded? | What parts of this case are still remaining to be concluded? | ||
=== Potential Class Action Lawsuit === | |||
Law firm Migliaccio & Rathod LLP are reportedly investigating a potential class action against Trezor "for failing to adequately safeguard consumer information, resulting in a data breach"<ref name="classlawdc-7729" />. The breach, initially reported in March 2022, exposed the email addresses of users who had subscribed to Trezor's newsletter through MailChimp. The leaked email addresses have led to phishing scams targeting hardware wallet owners, aiming to obtain their 12-word recovery seeds and steal cryptocurrency assets. In addition to email addresses, the breach may have exposed users' phone numbers, addresses, and account passwords, which can be exploited in sophisticated attacks on recovery seeds. Users can anticipate an increase in both the number and complexity of phishing attempts, with some potentially experiencing multiple scareware attacks. If affected by the breach, Trezor users are encouraged to contact Migliaccio & Rathod LLP for assistance. | |||
== General Prevention Policies == | == General Prevention Policies == | ||
Trezor put together a number of tips, but the largest tip is that hardware wallet users should never be entering their seed phrase anywhere except as instructed on the screen of the hardware device itself. | Trezor put together a number of tips, but the largest tip is that hardware wallet users should never be entering their seed phrase anywhere except as instructed on the screen of the hardware device itself. | ||
| Line 186: | Line 206: | ||
<ref name="josearkanostwitter-7727">[https://twitter.com/josearkanos/status/1510427249526427662 josearkanos - "Hey trezor, are you aware of a phishing campaign going on? I just received this email with my actual email on it. It looked very legit." - Twitter] (May 21, 2022)</ref> | <ref name="josearkanostwitter-7727">[https://twitter.com/josearkanos/status/1510427249526427662 josearkanos - "Hey trezor, are you aware of a phishing campaign going on? I just received this email with my actual email on it. It looked very legit." - Twitter] (May 21, 2022)</ref> | ||
<ref name="keff85twitter-7728">[https://twitter.com/keff85/status/1510400852716052480 Tomáš Kafka - "Wow, @Trezor, this is the best phishing attempt I have seen in the last few years. I am really lucky I don't have Trezor, because if I had, I would probably actually download that update." - Twitter] (May 21, 2022)</ref> | <ref name="keff85twitter-7728">[https://twitter.com/keff85/status/1510400852716052480 Tomáš Kafka - "Wow, @Trezor, this is the best phishing attempt I have seen in the last few years. I am really lucky I don't have Trezor, because if I had, I would probably actually download that update." - Twitter] (May 21, 2022)</ref> | ||
<ref name="classlawdc-7729">[https://classlawdc.com/2022/04/05/trezor-cryptocurrency-wallet-data-breach-investigation/ Trezor Cryptocurrency Wallet Data Breach Investigation | <ref name="classlawdc-7729">[https://classlawdc.com/2022/04/05/trezor-cryptocurrency-wallet-data-breach-investigation/ Trezor Cryptocurrency Wallet Data Breach Investigation - Migliaccio & Rathod LLP] (May 21, 2022)</ref> | ||
<ref name="watcherguru-7730">[https://watcher.guru/news/trezor-data-breach-phishing-emails Possible data breach for Trezor as users report string of phishing emails] (May 21, 2022)</ref> | <ref name="watcherguru-7730">[https://watcher.guru/news/trezor-data-breach-phishing-emails Possible data breach for Trezor as users report string of phishing emails - Watcher.Guru] (May 21, 2022)</ref> | ||
<ref name="watchergurutwitter-7731">[https://twitter.com/WatcherGuru/status/1510576038610452480 | <ref name="watchergurutwitter-7731">[https://twitter.com/WatcherGuru/status/1510576038610452480 WatcherGuru - "JUST IN: Trezor is investigating a possible data breach after several users reported an ongoing email phishing campaign." - Twitter] (May 21, 2022)</ref> | ||
<ref name="trezortwitter-8370">[https://twitter.com/trezor/status/1510548489884815361 @trezor Twitter] (Jul 6, 2022)</ref> | <ref name="trezortwitter-8370">[https://twitter.com/trezor/status/1510548489884815361 trezor - "We are investigating a potential data breach of an opt-in newsletter hosted on MailChimp. A scam email warning of a data breach is circulating. Do not open any email originating from noreply@trezor.us, it is a phishing domain." - Twitter] (Jul 6, 2022)</ref> | ||
</references> | </references> | ||
Revision as of 11:15, 21 June 2023
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Multiple users of the Trezor hardware wallet had their email addresses compromised, and the phishing attacker sent out a realistic, typo-free, and well planned attack complete with an altered version of the application, which requested their seed phrase. While the total value of the loss hasn't been publicized, at least one user was found who was reported to have entered the seed phrase and lost significant funds. There is no evidence that any funds will be recovered.
About Trezor
"Trezor (or Trezor device) is the original and most trusted cryptocurrency hardware wallet designed and marketed by SatoshiLabs." "The safe place for your coins." "Store your coins with Trezor."
"The primary function of Trezor is to serve as a hardware wallet for cryptocurrencies. In addition to its primary function, it has many other security applications, such as password management and second-factor authentication." "Hardware wallet is the safest way to manage & trade your cryptocurrencies." "Online exchanges and wallet providers can disappear, go offline, be hacked. They are not reliable. Go offline. Store your coins with Trezor. Hardware wallet is the safest way to manage & trade your cryptocurrencies."
"The first generation of Trezor, first released on 29 July 2014, is currently known as Trezor One. The next-generation device is called Trezor Model T and was released on 26 February 2018."
Notice Of Breach Received
Trezor users received an email informing them that their personal information had been compromised and of the potential that their assets might be at risk. The email instructed them to download the latest version of Trezor Suite and set up a new PIN for their wallet.
"We regret to inform you that Trezor has experienced a security incident involving data belonging to 106,856 of our customers, and that the wallet associated with your email address is within those affected by the breach."
"Namely, on Saturday, April 2nd, 2022, our security team discovered that one of the Trezor Suite administrative servers had been accessed by an unauthorized malicious actor." "At the moment, it's technically impossible to accurately assess the scope of the data breach. Due to these circumstances, if you've recently accessed your wallet using Trezor Suite, we must assume that your cryptocurrency assets are at risk of being stolen."
"In the spirit of transparency, we wanted to make our customers aware of this incident before malicious actors could utilize this information to their detriment. We felt time was of the essence, and we are expediently working through our investigation."
"If you're receiving this e-mail, it's because you've been affected by the breach. In order to protect your assets, please download the latest version of Trezor Suite and follow the instructions to set up a new PIN for your wallet."
The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.
Include:
- Known history of when and how the service was started.
- What problems does the company or service claim to solve?
- What marketing materials were used by the firm or business?
- Audits performed, and excerpts that may have been included.
- Business registration documents shown (fake or legitimate).
- How were people recruited to participate?
- Public warnings and announcements prior to the event.
Don't Include:
- Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
- Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.
About Mailchimp
TBD - Fill in details here.
The Reality
Phishing is an online scam where criminals impersonate legitimate organizations to steal sensitive information. Phishing attacks are on the rise globally, with a significant increase during the COVID-19 pandemic, and they account for a large portion of data breaches[4].
"The Mailchimp security team disclosed that a malicious actor accessed an internal tool used by customer-facing teams for customer support and account administration. The bad actor gained access to this tool as a result of a successful social engineering attack on Mailchimp employees."
"Unauthorized actors have attempted to contact Trezor users posing as the firm to scam unaware users out of their investments. Users received an email about downloading an app from a similar domain called ‘trezor.us’ instead of the official Trezor domain name, ‘trezor.io.’"
This sections is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
Users who followed the instructions in the email (from trezor.us instead of trezor.io) downloaded malware to their computer which mimicked the functionality of the Trezor Suite. This malware requested them to enter their seed phrase as part of the setup process. Once the seed phrase had been entered, it was transmitted to the attackers, and the attackers were able to sweep all funds from their wallet.
| Date | Event | Description |
|---|---|---|
| April 2nd, 2022 5:32:42 PM MDT | Phishing Posted on Reddit | The Trezor phishing attacks are posted about on Reddit[5]. |
| April 2nd, 2022 5:36:00 PM MDT | Tomáš Kafka Tweets Screenshot | Twitter user Tomáš Kafka shared a screenshot of the phishing attempt he received and said he was "really lucky" he didn't have a Trezor, because if he did, he "would probably actually download that update"[6]. |
| April 2nd, 2022 7:21:00 PM MDT | Jose Arkos Tweets Screenshot | A screenshot of the phishing email is shared by Twitter user josearkos[7]. |
| April 2nd, 2022 8:45:37 PM MDT | Crosspost to Bitcoin Subreddit | The phishing attack is crossposted to the Bitcoin subreddit[8]. |
| April 3rd, 2022 3:23:00 AM MDT | Trezor Announces Investigation | Trezor announces on Twitter that they are in the process of "investigating a potential data breach of an opt-in newsletter hosted on MailChimp". "A scam email warning of a data breach is circulating. Do not open any email originating from noreply@trezor.us, it is a phishing domain."[9] |
| April 3rd, 2022 4:04:00 AM MDT | Trezor Confirms MailChimp Breach | Trezor confirms the breach in a tweet. They state that it's been confirmed by MailChimp. They state it appears to be an insider targeting crypto companies, they've managed to take the domains down, and not to open any emails from them until further notice[10]. |
| April 3rd, 2022 4:29:00 AM MDT | CoinTelegraph Article | CoinTelegraph posts an article covering the situation[11]. "While Trezor attempts to identify the root cause of the situation with an official investigation, users are advised not to click on links coming from unofficial sources until further notice." [12] TBD article was updated. |
| April 3rd, 2022 5:12:00 AM MDT | Watcher.Guru Article | Watcher.Guru announces the situation and publishes an article[13][14]. Trezor, a cryptocurrency hardware wallet provider, is investigating a potential data breach that has affected its users and may have exposed their personal information. The issue was brought to light when Twitter users reported receiving phishing emails targeting Trezor users. The fraudulent emails claim that Trezor experienced a security incident and urge users to download an app from an unofficial domain. Trezor suspects that the compromised email addresses were part of a newsletter list hosted by email marketing service provider Mailchimp, which confirmed that their service was breached by an insider targeting crypto companies. Trezor advises users to avoid clicking on links from unofficial sources and to update their firmware or software only through the official Trezor website. |
| April 3rd, 2022 10:04:00 AM MDT | FXEmpire Article | FXEmpire posts an article about the phishing attack. The article is later reposted to Yahoo Finance[15] within several hours[16]. |
| April 5th, 2022 1:33:19 PM MDT | Migliaccio & Rathod LLP Investigation | Law firm Migliaccio & Rathod LLP are reportedly investigating a potential class action against Trezor "for failing to adequately safeguard consumer information, resulting in a data breach"[17]. The breach, initially reported in March 2022, exposed the email addresses of users who had subscribed to Trezor's newsletter through MailChimp. The leaked email addresses have led to phishing scams targeting hardware wallet owners, aiming to obtain their 12-word recovery seeds and steal cryptocurrency assets. In addition to email addresses, the breach may have exposed users' phone numbers, addresses, and account passwords, which can be exploited in sophisticated attacks on recovery seeds. Users can anticipate an increase in both the number and complexity of phishing attempts, with some potentially experiencing multiple scareware attacks. If affected by the breach, Trezor users are encouraged to contact Migliaccio & Rathod LLP for assistance. |
Technical Details
"When you click on the link in the phishing email you are directed to download a Trezor Suite lookalike app, that will ask you to connect your wallet and enter your seed. The seed is compromised once you enter it into the app, and your funds will then be immediately transferred to the attackers wallet."
"This attack is exceptional in its sophistication and was clearly planned to a high level of detail. The phishing application is a cloned version of Trezor Suite with very realistic functionality, and also included a web version of the app."
"Wow, @Trezor, this is the best phishing attempt I have seen in the last few years. I am really lucky I don't have Trezor, because if I had, I would probably actually download that update."
"For this attack to be successful, users had to install the malicious software on their devices, at which point their operating system should identify that the software comes from an unknown source. This warning should not be ignored, all official software is digitally signed by SatoshiLabs."
Total Amount Lost
The total amount lost is unknown.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
"Trezor wallet owners did not have a good Sunday morning after the hardware wallet provider revealed that some of its users were the target of a phishing attack over the weekend. On April 3, Crypto Twitter was filled with community warnings about an ongoing email phishing campaign targeting Trezor users via their registered email addresses."
"Very convincing Trezor phishing scam being sent from trezor.us. Most likely leaked emails from HubSpot breach or other crypto-adjacent lists."
"Asks you to download latest Trezor software suite to address the security condition."
"I happen to have clicked on the update and upon checking my wallet balance afterward, I realized both my bitcoin and Ethereum in the account were sent to unknown addresses in a space of 4 minutes interval."
"Can someone please advise me on what best to do now and if I can ever be able to recover my coins? All suggestions will be appreciated as it is a substantial amount."
“We immediately took steps to disable phishing sites and are taking further steps to stop the continuation of this phishing attack.” — Tomáš Sušánka, CTO of Trezor.
"Cryptocurrency hardware wallet provider Trezor has begun formally investigating a possible data breach that has affected numerous users and may have compromised their personal information." "Trezor initially suspected that the compromised email addresses belonged to a list of users who opted-in for newsletters hosted on an American email marketing service provider Mailchimp."
"The firm has begun investigating the data breach and has confirmed that its service has been compromised by ‘an insider targeting crypto companies.’ As the firm officially investigates the total number of stolen email addresses, they have advised users not to click on links coming from unofficial sources until further notice."
"With this recent leak of personal information, Trezor users can expect an uptick in both the number of phishing attempts and their level of complexity. Some customers may even be the target of multiple “scareware” attacks, where threat actors use the compromised information to generate shock and anxiety in their targets, as to more easily manipulate them."
Users Report Phishing on Twitter
Users Confirming Phishing on Reddit
Several other users also confirmed that they were contacted by the same phishing attempt, many on email addresses which were unique and only used for Trezor.[5] TBD expand.
Trezor Acknowledges The Breach
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
"Trezor customer order data is purged after 90 days. The data contained in this leak originates from a separate database secured by a third party."
"We are actively warning customers about the ongoing phishing attacks, having published warnings on our website and social media, and also within the Trezor Suite app. Please help us spread the word and minimize the harm these scammers cause."
"We have already taken down many of the malicious sites associated with today’s attack. The team is working around the clock to bring the phishing sites down as soon as possible."
"While Trezor makes an try to determine the idea cause for the state of affairs with an official investigation, prospects are instructed to not click on on on hyperlinks coming from unofficial sources until extra uncover." "The only reason to worry about your funds is if you entered your seed into the malicious app. Your device can not be compromised or affected by this attack without explicitly typing your seed into your computer. Never enter your seed anywhere unless your Trezor device tells you to!"
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
Potential Class Action Lawsuit
Law firm Migliaccio & Rathod LLP are reportedly investigating a potential class action against Trezor "for failing to adequately safeguard consumer information, resulting in a data breach"[17]. The breach, initially reported in March 2022, exposed the email addresses of users who had subscribed to Trezor's newsletter through MailChimp. The leaked email addresses have led to phishing scams targeting hardware wallet owners, aiming to obtain their 12-word recovery seeds and steal cryptocurrency assets. In addition to email addresses, the breach may have exposed users' phone numbers, addresses, and account passwords, which can be exploited in sophisticated attacks on recovery seeds. Users can anticipate an increase in both the number and complexity of phishing attempts, with some potentially experiencing multiple scareware attacks. If affected by the breach, Trezor users are encouraged to contact Migliaccio & Rathod LLP for assistance.
General Prevention Policies
Trezor put together a number of tips, but the largest tip is that hardware wallet users should never be entering their seed phrase anywhere except as instructed on the screen of the hardware device itself.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ https://trezor.io/ (Feb 20, 2022)
- ↑ https://trezor.io/security/ (Feb 20, 2022)
- ↑ https://wiki.trezor.io/Trezor (May 21, 2022)
- ↑ Possible data breach for Trezor as users report string of phishing emails - Watcher.Guru (Jun 20, 2023)
- ↑ 5.0 5.1 Trezor Phishing Scam : TREZOR (Apr 2, 2022)
- ↑ Tomáš Kafka - "Wow, @Trezor, this is the best phishing attempt I have seen in the last few years. I am really lucky I don't have Trezor, because if I had, I would probably actually download that update." - Twitter (May 21, 2022)
- ↑ 7.0 7.1 josearkanos - "Hey trezor, are you aware of a phishing campaign going on? I just received this email with my actual email on it. It looked very legit." - Twitter (May 21, 2022)
- ↑ Trezor breach? Real or just a scam email? : Bitcoin (Apr 2, 2022)
- ↑ trezor - "We are investigating a potential data breach of an opt-in newsletter hosted on MailChimp. A scam email warning of a data breach is circulating. Do not open any email originating from noreply@trezor.us, it is a phishing domain." - Twitter (Jul 6, 2022)
- ↑ Trezor - "MailChimp have confirmed that their service has been compromised by an insider targeting crypto companies." - Twitter (May 21, 2022)
- ↑ Trezor investigates potential data breach as users cite phishing attacks - CoinTelegraph Archive April 3rd, 2022 4:30:56 AM MDT (Apr 18, 2023)
- ↑ Trezor investigates potential data breach as users cite phishing attacks - CoinTelegraph (May 21, 2022)
- ↑ WatcherGuru - "JUST IN: Trezor is investigating a possible data breach after several users reported an ongoing email phishing campaign." - Twitter (May 21, 2022)
- ↑ Possible data breach for Trezor as users report string of phishing emails - Watcher.Guru (May 21, 2022)
- ↑ Trezor Issues Data Breach Warning As Users Cite Phishing Attacks - Yahoo Finance (May 21, 2022)
- ↑ Trezor Issues Data Breach Warning As Users Cite Phishing Attacks - Yahoo Finance Archive April 3rd, 2022 5:06:26 PM MDT (Apr 18, 2023)
- ↑ 17.0 17.1 Trezor Cryptocurrency Wallet Data Breach Investigation - Migliaccio & Rathod LLP (May 21, 2022)