Trezor security alert: Stay vigilant against an unauthorized email and continued phishing attempts

SatoshiLabs
Published in Trezor Blog, Jan 25, 2024

We are issuing a warning regarding a security incident involving an unauthorized email that was sent out to our newsletter database on 24th January 2024. The email impersonated Trezor, and was sent from a third-party email service provider we use.

Note: While the recent incident differs from the one we encountered on January 17th, involving unauthorized access to the third-party support ticketing portal we use, it is possible that we are being targeted by skilled hackers on a larger scale. We are closely monitoring both incidents and cannot draw any conclusions for now.

Detailed information

We continue to investigate the matter. Here is a summary of the incident, actions taken, and recommendations we can make as of now.

Summary of the incident

The phishing email with the subject line ‘Assets undergoing upgrade’ was sent out to our newsletter subscribers. The email was dispatched using a third-party email service provider we use. The phishing email fraudulently prompted users to disclose their seed phrase via a malicious link. Our team was swift to deactivate the link and secure our newsletter database from further unauthorized access. We have verified that this was a standalone event impacting only email addresses from our newsletter database.

We are conducting a rigorous investigation and taking measures to limit the impact of this incident. However, the risk of phishing attacks remains elevated and we cannot overstate the importance of vigilance.

Things we’d like to highlight:

  • The email was sent out to users who signed up for our newsletters.
  • It was sent on 24th January with the subject line ‘Assets undergoing upgrade’ and was sent from noreply@trezor.io.
  • If you have entered your recovery seed in any form, particularly one that was sent via email, it is crucial to transfer your funds to a new wallet immediately.
  • If you have not disclosed your 12 or 24-word recovery seed through any online form, your assets remain secure.

Timeline of events

  • The attack commenced with the compromise of a third-party service provider’s system, utilized by Trezor for newsletter email communications only.
  • Users received emails with the subject ‘Assets undergoing upgrade’ from a legitimate Trezor email address.
    [Image: a screenshot of the unauthorized email]
  • We swiftly managed to deactivate the malicious link within the email, and limited the reach of the threat.
  • We immediately notified our user base through various channels, including our official social media channels, warning them of the fraudulent activity. We have sent out an email to the affected user base alerting them to the situation.

Important actions for users

Urgent action required for affected users:

If you have entered your recovery seed in any form, especially one linked from the phishing email, it is imperative to transfer your funds to a new wallet without delay.

For detailed instructions on how to safely transfer your assets, please refer to our knowledge base article,

If you need any help in doing so, please reach out to our customer support.

If you have not engaged with the suspicious email, no further action is required, although we recommend remaining alert for potential phishing attacks.

Please note that if you have clicked the link within the email but have not entered your recovery seed phrase in any form, you are not required to do anything. Your funds remain safe.

Security reminder for all of our users

Keep your recovery seed safe. For users who have not disclosed their 12 or 24-word recovery seed through any online form, your assets remain secure. It’s important to remember never to share your recovery seed online.

Treat emails that prompt you to take immediate action with suspicion, especially those asking for personal information. Cross-reference email content with official Trezor communication on our social channels.

Proactive measures we recommend

Do not enter your recovery seed anywhere except on your Trezor device during recovery. Under no circumstances will any Trezor representative ask for your recovery seed, whether over email, customer support, website, or any other form of communication.

Users who are uncertain about the proper behavior of their wallet are more than welcome to contact our support at https://trezor.io/support.

Never share your recovery seed with anyone. If you receive any communication that asks for your seed phrase, it’s likely a phishing attempt, and we ask that you contact our official support channel.

Looking ahead

We apologize for any concern this may have caused you. Our team is actively handling the incident and further updates will be provided as necessary. We assure you that we will continue to work hard to enhance our security practices even further. Regrettably, as was the case with the support desk portal incident, dependence on and governance of third-party service providers are pervasive challenges of modern-day business.

We urge you to exercise the utmost caution with any email communication claiming to be from Trezor. Your Trezor hardware wallet has in no manner been compromised, and your assets remain safe, as long as your recovery seed remains undisclosed. Do not share your seed phrase with anyone, and be wary of any unusual or suspicious contact attempts.

Again, we express our deep regret for this incident and the concern it may have caused.

We thank you for your continued trust in Trezor.

For any concerns or questions, or to report suspicious activity, please reach out to our support team.

FAQs

  • Is it related to the support security incident from 17th January?

While the recent incident differs from the one we encountered on January 17th, involving unauthorized access to the third-party support ticketing portal we use, it is possible that we are being targeted by skilled hackers on a larger scale. We are closely monitoring both incidents and cannot draw any conclusions for now.

The phishing email on 24th January was sent by an unauthorized individual who accessed our database containing the email addresses of our newsletter subscribers and sent an email using our domain through the third-party email service we use. No other data was compromised. We immediately restricted access to all unauthorized actors.

  • Who was affected by this phishing attack?

This security incident affected the email addresses of all users who subscribed to our newsletter. No other data was compromised.

  • How come the phishing email was sent from Trezor’s official email address?

This phishing email was sent by an unauthorized individual who accessed our 3rd-party email service and sent the email through it.

  • Why do you use 3rd party providers?

While we aim to handle most operations internally, managing every aspect of our business in-house is not feasible in practice. A company of our size and global presence, unfortunately, needs to rely on third-party providers due to the challenges of operating efficiently at such a scale.
