Hackers sent fake notifications about data leakage in order to steal Trezor wallets

Source: https://cobaltstrike.net/2022/04/04/hackers-sent-fake-notifications-about-data-leakage-in-order-to-steal-trezor-wallets/

Attackers used a stolen list of Trezor newsletter recipients to send fake data-breach notifications, with the aim of stealing the recovery seed phrases of the recipients' hardware wallets and emptying them.

Trezor is a hardware cryptocurrency wallet that keeps private keys offline on the device rather than in the cloud or on a computer. When a new wallet is set up, the user records a seed phrase, a set of 24 words from which the wallet can be restored if the device is stolen or lost. The flip side is that anyone who knows the seed phrase can recreate the wallet and spend its funds, so it must be kept secret and stored in a safe place.

Over the weekend, Trezor wallet owners began receiving e-mail notifications about a data leak, urging them to download a new version of the Trezor Suite software. The download was a fake build designed to steal seed phrases.

Trezor representatives confirmed that the notifications were sent by attackers as part of a phishing campaign. The messages went out through a newsletter mailing list hosted on MailChimp.

According to Trezor, MailChimp confirmed that its service had been compromised by an "insider" who was targeting cryptocurrency companies.

“We regret to inform you that Trezor has been involved in a security incident affecting the data of 106,856 of our users, and the wallet associated with your email address was among those affected by the leak,” the fake notification said.

The phishing notification went on to claim that the company did not know the full extent of the leak, so the victim should download the supposedly latest version of Trezor Suite and set a new PIN on their hardware wallet.

The e-mail contained a link to a website whose name looked like suite.trezor.com. In reality the domain was an internationalized domain name: its Punycode (xn--) encoding allowed Cyrillic letters that look like Latin ones to be used in the name, so the address only resembled Trezor's. Note also that the real Trezor website is trezor.io, not trezor.com.
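The homograph trick described above is easy to catch once the hostname is decoded. The following script is an added example, not code from the article or from Trezor: it takes the link from a suspicious e-mail, decodes any Punycode (xn--) labels back to Unicode, lists the non-ASCII characters and the scripts mixed inside each label, and compares the result against a small allowlist of genuine Trezor hosts. The sample URL is constructed for this example and uses a Cyrillic "е" (U+0435) in place of the Latin "e"; the allowlist (trezor.io, suite.trezor.io) and the function names are assumptions for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample, modelled on the attack described in the article:
# the second label spells "trezor" with a Cyrillic "е" (U+0435).
SAMPLE_PHISH_URL = "https://suite.tr\u0435zor.com/download"

# Assumed allowlist of genuine hosts (ASCII only), for illustration.
LEGIT_HOSTS = {"trezor.io", "suite.trezor.io"}


def hostname_of(url):
    """Extract the (lowercased) hostname from a URL; '' if there is none."""
    return urlsplit(url).hostname or ""


def to_unicode_host(host):
    """Decode any xn-- (Punycode) labels so lookalike characters become visible."""
    labels = []
    for label in host.split("."):
        if label.lower().startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed label: leave it as-is and let the caller see it
        labels.append(label)
    return ".".join(labels)


def to_ascii_host(host):
    """Encode a Unicode hostname to its Punycode form, as it appears on the wire."""
    return host.encode("idna").decode("ascii")


def scripts_in(label):
    """Rough per-label script detection using the Unicode character name
    (e.g. 'CYRILLIC SMALL LETTER IE' -> 'CYRILLIC'). Digits and hyphens are
    script-neutral and ignored."""
    scripts = set()
    for ch in label:
        if ch.isascii():
            if ch.isalpha():
                scripts.add("LATIN")
        else:
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def analyze(url):
    """Return a verdict dict for the hostname in `url`."""
    host = to_unicode_host(hostname_of(url))
    findings = []
    scripts_seen = set()
    for label in host.split("."):
        scripts = scripts_in(label)
        scripts_seen |= scripts
        non_ascii = [unicodedata.name(c, "?") for c in label if not c.isascii()]
        if non_ascii:
            findings.append(f"label {label!r} contains non-ASCII characters: {non_ascii}")
        if len(scripts) > 1:
            findings.append(f"label {label!r} mixes scripts: {sorted(scripts)}")
    if findings:
        verdict = "homograph"          # lookalike characters present: treat as phishing
    elif host in LEGIT_HOSTS:
        verdict = "trusted"
    else:
        verdict = "unknown"            # plain ASCII but not a known Trezor host
    return {
        "host": host,
        "ascii_host": to_ascii_host(host),
        "scripts": scripts_seen,
        "findings": findings,
        "verdict": verdict,
    }


# The same constructed host in the Punycode form a mail client might show.
SAMPLE_PUNYCODE_URL = "https://" + to_ascii_host(hostname_of(SAMPLE_PHISH_URL)) + "/download"


if __name__ == "__main__":
    for url in (SAMPLE_PHISH_URL, SAMPLE_PUNYCODE_URL,
                "https://suite.trezor.io/", "https://suite.trezor.com/"):
        r = analyze(url)
        print(f"{url}\n  decoded host: {r['host']}\n  wire form:    {r['ascii_host']}"
              f"\n  verdict:      {r['verdict']}")
        for f in r["findings"]:
            print("  -", f)
```

Both the Unicode and the Punycode spelling of the sample host are flagged as a homograph, while suite.trezor.io is accepted and the plain-ASCII suite.trezor.com is merely "unknown" (not a lookalike, but not a Trezor host either). A mail gateway or a browser extension would typically apply the same decode-and-compare step before rendering a link.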

Because Trezor Suite is open source, the attackers took its source code and built their own application that looks like the legitimate software. When the victim connected the device to the fake application, it asked them to enter their seed phrase, which was immediately sent to the criminals. The seed phrase is only ever needed to recover a wallet; neither a software update nor a PIN change requires it, and any software that asks for it in that context should be treated as malicious.
