Users of Trezor hardware cryptocurrency wallets have become the target of a new, sophisticated email phishing campaign. The campaign was made possible by a social engineering breach of the major email marketing platform Mailchimp, in which the attackers stole its client data.
In the attack, cybercriminals deployed an internal tool to acquire information about 102 Mailchimp clients, one of which is the cryptocurrency cold storage provider Trezor, Mailchimp confirmed to the press on Monday, April 4, as reported by The Verge.
After that, they mass-emailed Trezor users over the weekend, claiming their accounts were compromised in a data breach and that they had to update their Trezor Suite, as well as set up a new PIN:
“Trezor has experienced a security incident involving data belonging to 106.856 of our customers, […] If you’re receiving this e-mail, it’s because you’ve been affected by the breach. In order to protect your assets, please download the latest version of Trezor Suite and follow the instructions to set up a new PIN for your wallet.”
The company also detailed what exactly had occurred in a blog post, where it quoted its CTO Tomáš Sušánka as saying:
“We immediately took steps to disable phishing sites and are taking further steps to stop the continuation of this phishing attack.”
Additionally, Trezor said that users had nothing to worry about unless they entered their seed phrase into the downloaded malicious app.
Not the first hacking experience for Trezor cold wallets
Interestingly, Finbold reported in January on Dan Reich, an electrical engineer who managed to recover his digital assets worth more than $2 million in a Trezor One hardware wallet after losing his PIN. Reich explained the entire process in a detailed YouTube video.
Trezor later commented on the video, explaining that it had fixed the exploit he used:
“Hi, we just want to add that this is an outdated exploit that is not a concern for current users and that we fixed in 2017 right after a report that we received through our responsible disclosure program. This attack requires full physical access to the device, and there is no record of any funds being compromised.”
As offline physical devices, hardware crypto wallets are considered very difficult to compromise with malware and viruses, and are therefore regarded as one of the safest ways to hold one’s DeFi assets. They remain vulnerable, however, to elaborate social engineering campaigns that trick users into revealing sensitive information such as their seed phrase.