Hardware cryptocurrency wallet provider Trezor has issued a warning to its users about a new phishing attack targeting investors’ crypto investments. On February 28, Trezor took to Twitter to alert users of an active scam that tries to steal private keys by asking them to enter their wallet’s recovery phrase on a fake website. The company urged users to remain vigilant and not to share their recovery phrases with anyone.
The phishing scam
Trezor Suite has recently been targeted in a phishing campaign by attackers pretending to be Trezor, who are contacting victims via phone calls, texts, or emails claiming that their Trezor account has experienced a security breach or suspicious activity.
These messages urge users to follow a link that purports to “secure” their device; however, Trezor has emphatically stated that these messages are not from them and should be ignored. Furthermore, no evidence of a database breach has been found. As such, any communications from Trezor will only come via official channels and never over unsolicited phone calls or SMS messages.
On February 27, this phishing attack targeting Trezor customers was reported online. The scam directed users to a malicious website that posed as the official Trezor page, prompting them to enter their recovery seed and click the “Start” button to secure their wallet. The fraudulent domain contained an expertly crafted replica of the legitimate Trezor website.
Clicking the “Start” button will prompt users to enter their cryptocurrency wallet’s recovery phrase, also known as private keys. Private keys are essential for self-custody, which is a way of “being your own bank” by storing crypto on a non-custodial software or hardware wallet. The security of private keys is paramount, as any theft of the phrase will strip the original owner of their crypto holdings.
Phishing attacks in the crypto industry
On February 26, metaverse firm The Sandbox suffered a data breach that resulted in a phishing email sent out to users. This latest attack against Trezor customers is not an isolated incident as the wallet provider was already targeted with similar attacks in April 2022. At this time, scammers posed as Trezor representatives and asked users to download a fake Trezor app. Unfortunately, this kind of attack is not exclusive to Trezor either. In 2020, competitor Ledger experienced a major data breach that resulted in the public exposure of personal information belonging to over 270,000 of its customers.