The hardware wallet manufacturer is urging its customers not to open any emails that are sent by email@example.com.
Scam emails pretending to be from Trezor have been sent over the weekend — with one recipient describing the message as "the best phishing attempt I have seen in the last few years."
The hardware wallet manufacturer is urging its customers not to open any emails that are sent by firstname.lastname@example.org — and on its official Twitter account, the company confirmed this was a phishing domain.
Trezor said that mailing lists for an opt-in newsletter hosted on MailChimp appear to have been compromised, adding:
"MailChimp have confirmed that their service has been compromised by an insider targeting crypto companies. We have managed to take the phishing domain offline. We are trying to determine how many email addresses have been affected."
The company added that it is going to stop communicating via newsletter until further notice — and urged customers to "ensure you are using anonymous email addresses for Bitcoin-related activity."
Contents of Trezor Scam Email Revealed
Twitter user Tomáš Kafka shared a screenshot of the phishing email that he received on Saturday, and wrote:
"I am really lucky I don't have Trezor, because if I had, I would probably actually downloaded that update."
The message greeted him by his first name and claimed that Trezor had "experienced a security incident involving data belonging to 106,856 of our customers." It went on to warn that the wallet associated with his email address was compromised.
Chillingly, the email went on to claim that his cryptoassets were at risk of being stolen, adding:
"In order to protect your assets, please download the latest version of Trezor Suite and follow the instructions to set up a new PIN for your wallet."
A big green button then invites users to begin the download — and it's almost certain that those who did would have seen their accounts drained.
Phishing emails are often riddled with typos, lack personal information, and come from a questionable domain. But what's especially concerning about this attack is that most users would have assumed the trezor.us website was genuine unless they performed some further checks… and it was word perfect.
Unfortunately, Trezor's brand has been used to orchestrate a plethora of scams in the past.
Last year, fake apps purporting to belong to the hardware wallet brand appeared on Apple's App Store — and reports at the time suggested one victim lost Bitcoin worth $600,000.