Trezor Users Targeted in a MailChimp Exploit

Popular cryptocurrency wallet company, Trezor announced investigating the email phishing campaign that targeted its users this weekend.

The compromised mailing list was used to send fake notifications of data breaches and tried to steal funds from wallets.

Phishing Attack

It all started when several users took to Twitter to reveal about receiving emails to download an app from the “trezor.us” domain. However, the official Trezor domain name happens to be – “trezor.io.” The company later confirmed that the email addresses which were compromised belonged to those users who subscribed for newsletters hosted on Mailchimp, an email marketing service provider.

The face email read,

“We regret to inform you that Trezor has experienced a security incident involving data belonging to 106,856 of our customers and that the wallet associated with your e-mail address [email here] is within those affected by the breach.”

It further asks users to download the latest Trezor Suite to set up a new seed phrase on their hardware wallet. The email also contains the “Download Latest Version” button, which directs users to a phishing site where, upon entering the seed, they will lose all the funds.

Reports also suggest that the fraudsters behind the attack also downloaded the original Trezor Suite’s source code (since it’s open-source) and created their own modified fake app to look identical to the legitimate one. The fake suite, ironically, also had a banner at the top of the screen that warned users about phishing attacks.

Trezor’s Confirmation

In a statement, Trezor disclosed that a MailChimp “insider” had carried out the phishing attack by sending malicious links to users.

“MailChimp have confirmed that their service has been compromised by an insider targeting crypto companies. We have managed to take the phishing domain offline. We are trying to determine how many email addresses have been affected.”

The crypto wallet company also asserted that it will not be communicating by newsletter until the situation is resolved and urged its users not to open any emails appearing to come from Trezor until further notice. So far, it also informed that the phishing domains – trezor(.)us and suite(.)xn--trzor-o51b(.)com – have been taken down.

The latest development comes just two weeks after crypto lending platform, BlockFi, along with Circle, Pantera Capital, NYDIG, suffered a data breach through a third-party vendor – HubSpot. The fraudster targeted individuals in the cryptocurrency industry.