[PSA] Phishing Alert: Fake Trezor Wallet website
Late night yesterday, our Support Team started receiving inquiries about an invalid SSL certificate, which serves as a stamp of authenticity of our web services. This can happen for a few reasons, some of which are less serious. Unfortunately, after investigating these reports closer, we found out that the invalid certificate warning appeared because of phishing attempts against Trezor users.
The fake Trezor Wallet website was served to some users who attempted to access wallet.trezor.io — the legitimate address. We do not yet know which attack vector was used, but the signs point toward DNS poisoning or BGP hijacking.
Upon accessing the web, the fake Wallet displayed an alert about device memory damage, asking users to restore their recovery seed. This was the second red flag, as the sentence contained errors.
The third red flag was the method of recovery (seed check) — the fake site forced users to enter both the order number as well as the seed word into the computer.
Trezor One: You should never enter your recovery seed on a computer, along with the order number. The order is always given to you by your Trezor device. Never by the computer.
For enhanced security, use the Advanced recovery method→
Trezor Model T: You should never enter your recovery seed anywhere but on your Trezor device. Under no circumstances should you enter your seed on a computer.
So how should I recognize the original Trezor Wallet?
First of all, look for the “Secure” sign in your browser’s address bar. If the certificate is invalid, your browser will warn you, and you should heed the warning. (Make sure you are accessing the correct URL: wallet.trezor.io)
Secondly, always verify all operations on your Trezor device. You should only trust the device display and what is written on it. For other sources of information, always maintain a healthy amount of skepticism.
Thirdly, never divulge sensitive or private data to anyone. This includes us at SatoshiLabs. We will never ask you for your recovery seed. Trezor Wallet will never ask you for your recovery seed. Only your Trezor device may, but it will do so securely.
We would like to thank everyone for their cooperation while we investigate this issue further. Special thanks go to our users, who reported this immediately. We will continue to do our best to figure out the cause and make sure to minimize the impact on you.
At this moment, the fake Wallet has been taken down by the hosting provider. However, you should remain vigilant and report all suspicious sites. It is possible that this attack method will be used repeatedly in the future.
Trezor Model T is the next-generation hardware wallet, designed with experiences of the original Trezor in mind, combined with a modern and intuitive interface for improved user experience and security. It features a touchscreen, faster processor, and advanced coin support, as well as all the features of the Trezor One.
Trezor One is the most trusted and ubiquitous hardware wallet in the world. It offers unmatched security for cryptocurrencies, password management, Second Factor, while maintaining an absolute ease-of-use, whether you are a security expert or a brand new user.
SatoshiLabs is the innovator behind some of the most pivotal and influential projects with Bitcoin and cryptocurrencies, mainly Trezor, the world’s first cryptocurrency hardware wallet, or CoinMap.org, the primary resource for bitcoin-accepting venues.