Trezor Data Breach Phishing

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 10:40, 27 June 2023 by Azoundria (talk | contribs) (Another 30 minutes complete.)
Jump to navigation Jump to search

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Trezor

Multiple users of the Trezor hardware wallet had their email addresses compromised, and the phishing attacker sent out a realistic, typo-free, and well planned attack complete with an altered version of the application, which requested their seed phrase. While the total value of the loss hasn't been publicized, at least one user was found who was reported to have entered the seed phrase and lost significant funds. There is no evidence that any funds will be recovered.

About Trezor

Trezor hardware wallet are created by SatoshiLabs[1] and used mainly for securely storing Bitcoin and other cryptocurrencies[2][3], though it also offers additional security features like password management and two-factor authentication[1]. The original version, Trezor One, was released in 2014, while the newer version, Trezor Model T, came out in 2018[1]. Both provide advanced security features to protect users' digital assets[2]. Storing cryptocurrency data online is considered risky due to the potential for hacking and data breaches, but Trezor hardware wallets offer offline storage, ensuring the safety of coins and reducing the risk of theft[2][4].

Trezor emphasizes the security and privacy benefits of their hardware wallets[4]. Trezor has gained trust and recognition through independent security audits, its open-source nature, and its user-friendly interface called Trezor Wallet[1]. It supports over 1,000 coins and tokens and is compatible with various third-party wallets and services[1]. Trezor can be purchased from their official online store or authorized resellers, and they have partnerships and developer resources available[1].

Trezor wallets securely generate and store seed phrases offline, reducing the risk of insecure generation or online storage[4]. They also emphasize hands-on confirmation through features like PIN and passphrase protection, adding an extra layer of security. Trezor's open-source design promotes trust and transparency, allowing users to verify and contribute to the code[4]. They offer a range of security features within their Trezor Suite app, such as address signing, transaction anonymization, and support for the Tor network for anonymous communication[4]. Trezor values customer feedback and encourages bug reporting to ensure continuous improvement of their security products[4].

The Trezor Suite app allows users to connect their wallet and manage their assets conveniently, with features such as secure trading, portfolio tracking, and easy wallet recovery[2]. Trezor emphasizes trust, transparency, and independence, with an open-source design and a strong foundation in privacy and security[2]. With over 10 years in the crypto industry, Trezor has gained the trust of over 1 million customers and is recognized as an industry innovator in hardware wallets[2].

Trezor typically comes with a hardware wallet device, a connector wire, and recovery seed booklets[3]. The recovery seed is crucial for accessing funds in case the device is lost[3]. The user would typically visit the Trezor website for the setup process, which starts with updating the firmware and confirming the device's identification number[3]. The user then sets up a PIN for accessing the wallet[3]. The PIN is entered using a number matrix displayed on the computer screen[3].

The recovery seed consists of 24 words that need to be written down and stored in two separate secure locations[3]. User are typically strongly advised against creating digital copies to prevent the risk of theft or loss due to hacking or accidents[3]. It is also suggested to test the wallet with a small amount of money before transferring larger amounts[3]. Even if the device is lost, the funds can be recovered using the recovery seed[3].

Notice Of Breach Received

Trezor users received an email informing them that their personal information had been compromised and of the potential that their assets might be at risk. The email instructed them to download the latest version of Trezor Suite and set up a new PIN for their wallet.

"We regret to inform you that Trezor has experienced a security incident involving data belonging to 106,856 of our customers, and that the wallet associated with your email address is within those affected by the breach."

"Namely, on Saturday, April 2nd, 2022, our security team discovered that one of the Trezor Suite administrative servers had been accessed by an unauthorized malicious actor." "At the moment, it's technically impossible to accurately assess the scope of the data breach. Due to these circumstances, if you've recently accessed your wallet using Trezor Suite, we must assume that your cryptocurrency assets are at risk of being stolen."

"In the spirit of transparency, we wanted to make our customers aware of this incident before malicious actors could utilize this information to their detriment. We felt time was of the essence, and we are expediently working through our investigation."

"If you're receiving this e-mail, it's because you've been affected by the breach. In order to protect your assets, please download the latest version of Trezor Suite and follow the instructions to set up a new PIN for your wallet."

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

About Mailchimp

TBD - Fill in details here.

The Reality

Phishing is an online scam where criminals impersonate legitimate organizations to steal sensitive information. Phishing attacks are on the rise globally, with a significant increase during the COVID-19 pandemic, and they account for a large portion of data breaches[5].


"The Mailchimp security team disclosed that a malicious actor accessed an internal tool used by customer-facing teams for customer support and account administration. The bad actor gained access to this tool as a result of a successful social engineering attack on Mailchimp employees."


"Unauthorized actors have attempted to contact Trezor users posing as the firm to scam unaware users out of their investments. Users received an email about downloading an app from a similar domain called ‘trezor.us’ instead of the official Trezor domain name, ‘trezor.io.’"


This sections is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

Users who followed the instructions in the email (from trezor.us instead of trezor.io) downloaded malware to their computer which mimicked the functionality of the Trezor Suite. This malware requested them to enter their seed phrase as part of the setup process. Once the seed phrase had been entered, it was transmitted to the attackers, and the attackers were able to sweep all funds from their wallet.

Key Event Timeline - Trezor Data Breach Phishing
Date Event Description
April 2nd, 2022 5:32:42 PM MDT Phishing Posted on Reddit The Trezor phishing attacks are posted about on Reddit[6].
April 2nd, 2022 5:36:00 PM MDT Tomáš Kafka Tweets Screenshot Twitter user Tomáš Kafka shared a screenshot of the phishing attempt he received and said he was "really lucky" he didn't have a Trezor, because if he did, he "would probably actually download that update"[7].
April 2nd, 2022 7:21:00 PM MDT Jose Arkos Tweets Screenshot A screenshot of the phishing email is shared by Twitter user josearkos[8].
April 2nd, 2022 8:45:37 PM MDT Crosspost to Bitcoin Subreddit The phishing attack is crossposted to the Bitcoin subreddit[9]. TBD summary.
April 3rd, 2022 2:22:00 AM MDT Graham Cluley Article Graham Cluley publishes an article about the phishing attempt[10]. TBD more summary.
April 3rd, 2022 3:23:00 AM MDT Trezor Announces Investigation Trezor announces on Twitter that they are in the process of "investigating a potential data breach of an opt-in newsletter hosted on MailChimp". "A scam email warning of a data breach is circulating. Do not open any email originating from noreply@trezor.us, it is a phishing domain."[11]
April 3rd, 2022 4:04:00 AM MDT Trezor Confirms MailChimp Breach Trezor confirms the breach in a tweet. They state that it's been confirmed by MailChimp. They state it appears to be an insider targeting crypto companies, they've managed to take the domains down, and not to open any emails from them until further notice[12].
April 3rd, 2022 4:29:00 AM MDT CoinTelegraph Article CoinTelegraph posts an article covering the situation[13]. "While Trezor attempts to identify the root cause of the situation with an official investigation, users are advised not to click on links coming from unofficial sources until further notice." [14] TBD article was updated.
April 3rd, 2022 5:12:00 AM MDT Watcher.Guru Article Watcher.Guru announces the situation and publishes an article[15][16]. Trezor, a cryptocurrency hardware wallet provider, is investigating a potential data breach that has affected its users and may have exposed their personal information. The issue was brought to light when Twitter users reported receiving phishing emails targeting Trezor users. The fraudulent emails claim that Trezor experienced a security incident and urge users to download an app from an unofficial domain. Trezor suspects that the compromised email addresses were part of a newsletter list hosted by email marketing service provider Mailchimp, which confirmed that their service was breached by an insider targeting crypto companies. Trezor advises users to avoid clicking on links from unofficial sources and to update their firmware or software only through the official Trezor website.
April 3rd, 2022 10:04:00 AM MDT FXEmpire Article FXEmpire posts an article about the phishing attack. The article is later reposted to Yahoo Finance[17] within several hours[18].
April 5th, 2022 1:33:19 PM MDT Migliaccio & Rathod LLP Investigation Law firm Migliaccio & Rathod LLP are reportedly investigating a potential class action against Trezor "for failing to adequately safeguard consumer information, resulting in a data breach"[19]. The breach, initially reported in March 2022, exposed the email addresses of users who had subscribed to Trezor's newsletter through MailChimp. The leaked email addresses have led to phishing scams targeting hardware wallet owners, aiming to obtain their 12-word recovery seeds and steal cryptocurrency assets. In addition to email addresses, the breach may have exposed users' phone numbers, addresses, and account passwords, which can be exploited in sophisticated attacks on recovery seeds. Users can anticipate an increase in both the number and complexity of phishing attempts, with some potentially experiencing multiple scareware attacks. If affected by the breach, Trezor users are encouraged to contact Migliaccio & Rathod LLP for assistance.

Technical Details

"When you click on the link in the phishing email you are directed to download a Trezor Suite lookalike app, that will ask you to connect your wallet and enter your seed. The seed is compromised once you enter it into the app, and your funds will then be immediately transferred to the attackers wallet."

"This attack is exceptional in its sophistication and was clearly planned to a high level of detail. The phishing application is a cloned version of Trezor Suite with very realistic functionality, and also included a web version of the app."

"Wow, @Trezor, this is the best phishing attempt I have seen in the last few years. I am really lucky I don't have Trezor, because if I had, I would probably actually download that update."

"For this attack to be successful, users had to install the malicious software on their devices, at which point their operating system should identify that the software comes from an unknown source. This warning should not be ignored, all official software is digitally signed by SatoshiLabs."

Total Amount Lost

The total amount lost is unknown.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?


"Trezor wallet owners did not have a good Sunday morning after the hardware wallet provider revealed that some of its users were the target of a phishing attack over the weekend. On April 3, Crypto Twitter was filled with community warnings about an ongoing email phishing campaign targeting Trezor users via their registered email addresses."

"Very convincing Trezor phishing scam being sent from trezor.us. Most likely leaked emails from HubSpot breach or other crypto-adjacent lists."

"Asks you to download latest Trezor software suite to address the security condition."


"I happen to have clicked on the update and upon checking my wallet balance afterward, I realized both my bitcoin and Ethereum in the account were sent to unknown addresses in a space of 4 minutes interval."

"Can someone please advise me on what best to do now and if I can ever be able to recover my coins? All suggestions will be appreciated as it is a substantial amount."

“We immediately took steps to disable phishing sites and are taking further steps to stop the continuation of this phishing attack.” — Tomáš Sušánka, CTO of Trezor.

"Cryptocurrency hardware wallet provider Trezor has begun formally investigating a possible data breach that has affected numerous users and may have compromised their personal information." "Trezor initially suspected that the compromised email addresses belonged to a list of users who opted-in for newsletters hosted on an American email marketing service provider Mailchimp."

"The firm has begun investigating the data breach and has confirmed that its service has been compromised by ‘an insider targeting crypto companies.’ As the firm officially investigates the total number of stolen email addresses, they have advised users not to click on links coming from unofficial sources until further notice."

"With this recent leak of personal information, Trezor users can expect an uptick in both the number of phishing attempts and their level of complexity. Some customers may even be the target of multiple “scareware” attacks, where threat actors use the compromised information to generate shock and anxiety in their targets, as to more easily manipulate them."

Users Report Phishing on Twitter

[8]

Users Confirming Phishing on Reddit

Several other users also confirmed that they were contacted by the same phishing attempt, many on email addresses which were unique and only used for Trezor.[6] TBD expand.

Trezor Acknowledges The Breach

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?


"Trezor customer order data is purged after 90 days. The data contained in this leak originates from a separate database secured by a third party."

"We are actively warning customers about the ongoing phishing attacks, having published warnings on our website and social media, and also within the Trezor Suite app. Please help us spread the word and minimize the harm these scammers cause."

"We have already taken down many of the malicious sites associated with today’s attack. The team is working around the clock to bring the phishing sites down as soon as possible."

"While Trezor makes an try to determine the idea cause for the state of affairs with an official investigation, prospects are instructed to not click on on on hyperlinks coming from unofficial sources until extra uncover." "The only reason to worry about your funds is if you entered your seed into the malicious app. Your device can not be compromised or affected by this attack without explicitly typing your seed into your computer. Never enter your seed anywhere unless your Trezor device tells you to!"

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Potential Class Action Lawsuit

Law firm Migliaccio & Rathod LLP are reportedly investigating a potential class action against Trezor "for failing to adequately safeguard consumer information, resulting in a data breach"[19]. The breach, initially reported in March 2022, exposed the email addresses of users who had subscribed to Trezor's newsletter through MailChimp. The leaked email addresses have led to phishing scams targeting hardware wallet owners, aiming to obtain their 12-word recovery seeds and steal cryptocurrency assets. In addition to email addresses, the breach may have exposed users' phone numbers, addresses, and account passwords, which can be exploited in sophisticated attacks on recovery seeds. Users can anticipate an increase in both the number and complexity of phishing attempts, with some potentially experiencing multiple scareware attacks. If affected by the breach, Trezor users are encouraged to contact Migliaccio & Rathod LLP for assistance.

General Prevention Policies

Trezor put together a number of tips, but the largest tip is that hardware wallet users should never be entering their seed phrase anywhere except as instructed on the screen of the hardware device itself.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. 1.0 1.1 1.2 1.3 1.4 1.5 Trezor - Trezor Wiki Archive April 9th, 2022 2:04:20 AM MDT (May 21, 2022)
  2. 2.0 2.1 2.2 2.3 2.4 2.5 Trezor Homepage (Feb 20, 2022)
  3. 3.0 3.1 3.2 3.3 3.4 3.5 3.6 3.7 3.8 3.9 Trezor - Initial Setup and Trezor Bitcoin Wallet Review - YouTube (Jun 26, 2023)
  4. 4.0 4.1 4.2 4.3 4.4 4.5 Privacy & Security - Trezor Homepage (Feb 20, 2022)
  5. Possible data breach for Trezor as users report string of phishing emails - Watcher.Guru (Jun 20, 2023)
  6. 6.0 6.1 Trezor Phishing Scam : TREZOR (Apr 2, 2022)
  7. Tomáš Kafka - "Wow, @Trezor, this is the best phishing attempt I have seen in the last few years. I am really lucky I don't have Trezor, because if I had, I would probably actually download that update." - Twitter (May 21, 2022)
  8. 8.0 8.1 josearkanos - "Hey trezor, are you aware of a phishing campaign going on? I just received this email with my actual email on it. It looked very legit." - Twitter (May 21, 2022)
  9. Trezor breach? Real or just a scam email? : Bitcoin (Apr 2, 2022)
  10. Trezor wallets hacked? Don’t be duped by phishing attack email - Graham Cluley (Jun 27, 2023)
  11. trezor - "We are investigating a potential data breach of an opt-in newsletter hosted on MailChimp. A scam email warning of a data breach is circulating. Do not open any email originating from noreply@trezor.us, it is a phishing domain." - Twitter (Jul 6, 2022)
  12. Trezor - "MailChimp have confirmed that their service has been compromised by an insider targeting crypto companies." - Twitter (May 21, 2022)
  13. Trezor investigates potential data breach as users cite phishing attacks - CoinTelegraph Archive April 3rd, 2022 4:30:56 AM MDT (Apr 18, 2023)
  14. Trezor investigates potential data breach as users cite phishing attacks - CoinTelegraph (May 21, 2022)
  15. WatcherGuru - "JUST IN: Trezor is investigating a possible data breach after several users reported an ongoing email phishing campaign." - Twitter (May 21, 2022)
  16. Possible data breach for Trezor as users report string of phishing emails - Watcher.Guru (May 21, 2022)
  17. Trezor Issues Data Breach Warning As Users Cite Phishing Attacks - Yahoo Finance (May 21, 2022)
  18. Trezor Issues Data Breach Warning As Users Cite Phishing Attacks - Yahoo Finance Archive April 3rd, 2022 5:06:26 PM MDT (Apr 18, 2023)
  19. 19.0 19.1 Trezor Cryptocurrency Wallet Data Breach Investigation - Migliaccio & Rathod LLP (May 21, 2022)