Trezor users are being coerced into disclosing their seed phrases. A new phishing campaign targeting cryptocurrency hardware wallet firm Trezor has been discovered.
These wallets enable cryptocurrency users to keep their funds offline rather than in a "hot wallet" (a mobile or desktop app) or with a third party (an exchange, a custodial service, or a lending/borrowing firm). In comparison to the alternatives, hardware wallets, also known as "cold wallets," are widely regarded as a much safer way to store cryptocurrencies.
That also means that anyone who is serious about cryptocurrency (and holds a significant amount) will most likely keep it in cold storage, making Trezor users an appealing target for cybercriminals.
"Securing" a compromised wallet
In this new campaign, Trezor users began receiving SMS messages warning them of a "data breach" at the company and urging them to "secure" their devices immediately. The SMS message also includes a hyperlink that the victims are told to follow.
"Trezor Suite has recently endured a security breach, assume all your assets are vulnerable. Please follow the security procedure to secure your assets: [link]," the message reads.
Anyone who clicks on the link will be directed to a bogus Trezor website with the message "Your assets may be at risk!" and a Start button where users can "secure" their assets. The recovery seed is entered as the first step in this process.
The recovery seed, which is typically a string of 12 or 24 words, is used to restore a wallet in the event that the old device is stolen or destroyed. Anyone with access to the seed phrase can restore the wallet and gain full control of the funds. If the victim enters this information into the phishing page, they are essentially giving the attackers complete access to their wallet, which they can then use to clear out any and all funds in the account.
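Why the seed words alone are enough to take over a wallet: the words are turned into the wallet's master key by a public, deterministic standard (BIP39 then BIP32), so anyone who learns them can recompute exactly what the hardware device holds. The example below is added here and is not Trezor's code; it uses only the Python standard library and the published BIP39 English test vector (mnemonic of eleven "abandon" words plus "about"), whose expected seed for the optional passphrase "TREZOR" is part of that public vector set.

```python
import hashlib
import hmac
import unicodedata

# Public BIP39 test vector (constructed input, not a real wallet).
TEST_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])
TEST_PASSPHRASE = "TREZOR"
TEST_SEED_HEX = (
    "c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
    "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04"
)


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: seed = PBKDF2-HMAC-SHA512(NFKD(words), "mnemonic" + NFKD(passphrase), 2048 rounds)."""
    words = mnemonic.split()
    if len(words) not in (12, 15, 18, 21, 24):
        raise ValueError("a BIP39 mnemonic has 12, 15, 18, 21 or 24 words")
    normalized = unicodedata.normalize("NFKD", " ".join(words)).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", normalized, salt, 2048, dklen=64)


def seed_to_master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32 master node: HMAC-SHA512 keyed with b"Bitcoin seed" over the seed.

    Left 32 bytes are the master private key, right 32 bytes the chain code.
    Every address the device ever derives descends from these two values.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def restore_from_words(mnemonic: str, passphrase: str = "") -> bytes:
    """What a 'recovery' does: words (plus optional passphrase) -> master private key."""
    seed = mnemonic_to_seed(mnemonic, passphrase)
    master_priv, _chain_code = seed_to_master_key(seed)
    return master_priv


if __name__ == "__main__":
    # Two independent parties with the same words get byte-identical keys,
    # which is exactly why the words must never leave the device or the paper backup.
    assert mnemonic_to_seed(TEST_MNEMONIC, TEST_PASSPHRASE).hex() == TEST_SEED_HEX
    print("master key:", restore_from_words(TEST_MNEMONIC, TEST_PASSPHRASE).hex())
```

Note that the optional passphrase changes the seed entirely, so the same words with and without it restore two different wallets.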
Trezor was made aware of the new campaign and took to Twitter to warn its customers that it is being impersonated and that they should not fall for the ruse. The company also stated that it is not aware of any new data breach, implying that the attackers obtained Trezor users' contact details during the previous MailChimp incident.