An ongoing phishing campaign claims to be Trezor data breach notifications attempting to steal a target’s cryptocurrency wallet and assets.

Trezor is a cryptocurrency hardware wallet that keeps a user’s private keys on a dedicated device rather than in a cloud-based wallet or in a software wallet on their computer or phone. Even when the device is plugged into a PC to sign a transaction, the keys never leave it, which is what protects the funds against malware and compromised devices.

When setting up a new Trezor wallet, users receive a 12- or 24-word recovery seed that can be used to recover the wallet if the device is stolen, lost, or stops working.

However, anyone who obtains this seed can also restore the wallet onto their own device and spend its funds, which makes recovery seeds a prime target for threat actors.

Massive phishing campaign targets Trezor users

Beginning February 27, Trezor customers began receiving phishing text messages and emails claiming that Trezor had suffered a data breach and urging them to visit a listed website to secure their device.

“Trezor Suite recently suffered a security breach, assume all your assets are vulnerable. Please follow the security procedure to secure your assets: [phishing-site]”, reads the fake Trezor data breach warning message.

BleepingComputer received one of these phishing emails. A security researcher known as Mich also received and shared many of the phishing text messages, as shown below.

Trezor phishing delivered by SMS
Source: Mich

Visitors to the listed domain see a fake Trezor site stating, “Your assets could be at risk!” and prompting them to start securing their wallet.

Trezor phishing site landing page
Source: Urlscan

When users click the “Start” button, they are eventually prompted to enter their recovery seed, which the threat actors then collect.

Once a recovery seed is stolen, it is game over for the wallet owner: the threat actors will typically sweep all assets to an address under their control within minutes, and a seed, unlike a password, cannot be changed or revoked.

Therefore, never share your wallet passwords, seeds or recovery phrases with anyone, and never enter them on any website.

Trezor is aware of the phishing campaign and has warned users to beware of phishing text messages and emails warning of a fake data breach. The company also says it has found no evidence of a recent data breach in its systems.

“Beware of active phishing scam! Attackers contact victims via phone, text and/or email to report that there has been a security breach or suspicious activity on their Trezor account,” tweeted Trezor.

“Please ignore these messages as they are not from Trezor.”

“We found no evidence of a recent database breach. We will never contact you by phone or text.”
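The lure quoted earlier and Trezor’s own statement (it never contacts customers by phone or text) can be turned into a simple triage rule for an inbound mail or SMS gateway. The following is an added example, not code from the article or from Trezor: the sample messages are constructed, the `.example` domains are placeholders, and the allowlist containing only trezor.io is an assumption.

```python
import re
from urllib.parse import urlparse

# Domains the vendor really uses. Only trezor.io is known from the article;
# keeping a per-brand allowlist is an assumption of this example.
TREZOR_DOMAINS = {"trezor.io"}

URL_RE = re.compile(r"(?:https?://|www\.)[^\s\"'<>]+", re.IGNORECASE)
BRAND_RE = re.compile(r"\btrezor\b", re.IGNORECASE)
LURE_RE = re.compile(
    r"\b(security breach|data breach|breached|compromised|at risk|"
    r"suspicious activity|secure your (?:assets|wallet|device))\b",
    re.IGNORECASE,
)
SEED_RE = re.compile(
    r"\b(recovery seed|seed phrase|recovery phrase|\d{2}[- ]word)\b", re.IGNORECASE
)


def registrable_domain(url: str) -> str:
    """Naive eTLD+1: the last two host labels. Assumption: no multi-label
    public suffixes (co.uk etc.) in the inputs; use a public-suffix list
    in production."""
    if not re.match(r"^[a-z][a-z0-9+.-]*://", url, re.IGNORECASE):
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def triage(message: str, channel: str = "email") -> dict:
    """Classify one inbound message as clean, suspicious or phishing."""
    brand = bool(BRAND_RE.search(message))
    domains = sorted({registrable_domain(u) for u in URL_RE.findall(message)})
    off_brand = [d for d in domains if d not in TREZOR_DOMAINS]
    reasons = []
    if brand and channel in ("sms", "phone"):
        # Trezor states it never contacts customers by phone or text.
        reasons.append(f"vendor impersonated over {channel}")
    if brand and off_brand:
        reasons.append("vendor mentioned but link goes to " + ", ".join(off_brand))
    if brand and LURE_RE.search(message):
        reasons.append("breach/urgency lure")
    if SEED_RE.search(message):
        reasons.append("mentions recovery seed")

    # Vendor name over a channel the vendor never uses is phishing outright;
    # by email we require an off-brand link plus a second indicator.
    if brand and (channel in ("sms", "phone") or (off_brand and len(reasons) >= 2)):
        verdict = "phishing"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "domains": domains, "reasons": reasons}


# Constructed sample traffic (channel, body); the .example hosts are placeholders.
SAMPLES = [
    ("sms", "Trezor Suite recently suffered a security breach, assume all your "
            "assets are vulnerable. Please follow the security procedure to secure "
            "your assets: https://trezor-suite-recovery.example/start"),
    ("email", "Trezor Suite 23.2.1 is available. Download it only from "
              "https://suite.trezor.io/ and verify the signature before installing."),
    ("email", "Interesting read about Trezor in this week's newsletter: "
              "https://news.example/hardware-wallets"),
    ("email", "Your Trezor wallet may be compromised. Enter your 24-word recovery "
              "phrase at https://trezor-verify.example to secure your device."),
]


def run_samples() -> list:
    """Verdict for each constructed sample, in order."""
    return [triage(body, channel)["verdict"] for channel, body in SAMPLES]


if __name__ == "__main__":
    for (channel, body), verdict in zip(SAMPLES, run_samples()):
        print(f"{channel:5} {verdict:10} {body[:60]}...")
```

The rule is deliberately asymmetric: any SMS or call that invokes the vendor is treated as phishing because the vendor has said it never uses those channels, while email needs both an off-brand link and a lure or seed request before it is blocked, so a newsletter that merely mentions Trezor is only queued for review.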

Although it is unclear how the threat actors obtained the phone numbers and email addresses of Trezor customers, the data could come from the marketing list stolen in the MailChimp breach in March 2022.

At the time, MailChimp told BleepingComputer that the threat actors stole the data of 102 customers, most of them in the cryptocurrency and finance industries.

Threat actors quickly used Trezor’s marketing list to send a massive wave of fake data breach notifications in April 2022, directing recipients to a site hosting a fake Trezor Suite application.

Once installed, the fake Trezor Suite would prompt the user to enter their recovery seed, which was then relayed to the threat actors.

Although the current phishing campaign does not use fake software, the goal is the same: stealing your recovery seed. It bears repeating: never share your recovery seed with anyone, and never enter it on any website.
