Hackers Exploit Trezor Support & Launch Phishing Scam


In late June 2025, hardware wallet manufacturer Trezor issued an urgent security warning to its users about a phishing campaign that exploited their customer support platform.

Now, Trezor, like other hardware signing device manufacturers, is no stranger to data breach attacks and phishing scams. This is not the first time Trezor has come under attack; Ledger, another popular manufacturer, has also had its fair share of attacks.

This incident demonstrates how legitimate business infrastructure can be weaponised against unsuspecting users. Sadly, as much as we yell from the rooftops, “Don’t trust, verify”, trusting continues to be the default for many a retail holder of Bitcoin.

Yes, self-custody is the best security from a technical standpoint, but it doesn’t mean it’s foolproof; if you act like a fool, no security will work.

What Happened: The Attack Breakdown

The attackers discovered and exploited a vulnerability in Trezor’s automated support system, which allowed them to submit support tickets using any email address and subject line, triggering automatic responses from official Trezor systems.

This seemingly innocent feature became the foundation for a highly sophisticated phishing operation.

The attackers submitted fake support requests using email addresses associated with real users, which triggered automated replies from Trezor’s system.

These replies were then intercepted and manipulated to send phishing emails, aiming to steal wallet backups and other sensitive information.

The Technical Mechanics

The attack worked through a multi-step process that gave the fraudulent emails an air of legitimacy:

  1. Data Collection: Attackers had obtained email addresses from an unknown source, likely from previous data breaches or purchased databases containing Trezor user information.
  2. Support System Abuse: Using these legitimate email addresses, attackers submitted fake support requests through Trezor’s official contact form.
  3. Automated Response Triggering: Trezor’s system automatically sent confirmation emails to the provided addresses, appearing to come from official Trezor support channels.
  4. Subject Line Manipulation: Although the attackers never gained access to Trezor’s internal systems or data, the contact form let them choose the subject line that the automated reply carried.
  5. Phishing Execution: The resulting emails appeared authentic, coming from Trezor’s official domain with realistic subject lines, making them extremely difficult to distinguish from legitimate communications.
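To make the mechanics concrete, the following is an added example (not Trezor’s code and not from the article) of the abusable auto-reply pattern described above, placed beside a hardened version. The names `vulnerable_autoreply` and `HardenedTicketing`, the fixed wording, the ticket reference and the per-address rate limit are all assumptions for illustration; the sample attacker text in the usage is constructed.

```python
"""Added example: a support-form auto-reply handler in its abusable form
and a hardened form. Not Trezor's code; all names and limits are assumptions."""
import time
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class OutboundMail:
    to: str
    subject: str
    body: str


def vulnerable_autoreply(email: str, subject: str, message: str) -> OutboundMail:
    """Abusable pattern: the confirmation mail reflects whatever the submitter
    typed. Anyone who knows a customer's address can make the official domain
    deliver a subject line and body text of their choosing to that customer."""
    return OutboundMail(
        to=email,
        subject=f"Re: {subject}",
        body=f"Thanks for contacting support about:\n\n{message}\n\nWe will be in touch.",
    )


class HardenedTicketing:
    """Hardened pattern: constant wording, no reflection of submitter text in
    outbound mail, and a per-address rate limit (in-memory here; a real system
    would back this with a store and alert on repeated hits)."""

    MAX_PER_HOUR = 3          # assumption: a sane ceiling for one address
    WINDOW_SECONDS = 3600

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock   # injectable so the limit can be tested deterministically
        self._submissions: Dict[str, List[float]] = defaultdict(list)
        self._tickets: Dict[str, Dict[str, str]] = {}
        self._counter = 0

    def handle(self, email: str, subject: str, message: str) -> Optional[OutboundMail]:
        now = self._clock()
        recent = [t for t in self._submissions[email] if now - t < self.WINDOW_SECONDS]
        self._submissions[email] = recent
        if len(recent) >= self.MAX_PER_HOUR:
            return None        # drop silently: generate no further official-domain mail
        recent.append(now)
        self._counter += 1
        ticket = f"T-{self._counter:06d}"
        # Submitter text is kept with the ticket for agents to read; it never
        # reaches the outbound message.
        self._tickets[ticket] = {"email": email, "subject": subject, "message": message}
        return OutboundMail(
            to=email,
            subject="We received your support request",
            body=(
                "A support request was opened for this address.\n"
                f"Reference: {ticket}\n"
                "If you did not submit this request, you can ignore this message.\n"
                "Support will never ask for your recovery seed, PIN or passphrase."
            ),
        )


def reflects_submitter_text(mail: OutboundMail, subject: str, message: str) -> bool:
    """True if any submitter-controlled text made it into the outbound mail."""
    return subject in mail.subject or subject in mail.body or message in mail.body


if __name__ == "__main__":
    # Constructed sample of what an abuser might type into the form.
    sub = "Action required: verify your wallet backup"
    msg = "Confirm your recovery seed within 24 hours."
    print("vulnerable reflects input:", reflects_submitter_text(vulnerable_autoreply("u@example.com", sub, msg), sub, msg))
    out = HardenedTicketing().handle("u@example.com", sub, msg)
    print("hardened reflects input:", out is not None and reflects_submitter_text(out, sub, msg))
```

The hardened version changes two things that matter here: the outbound mail is built only from constants and a server-generated reference, so the official domain can no longer be made to carry someone else’s words, and repeated submissions for one address stop producing mail at all, which also gives the support team a signal worth alerting on.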

Leveraging Trust and Authority

Not all phishing attempts are created equal, but traditional phishing emails often contain obvious red flags like poor grammar, suspicious sender addresses, or generic messaging.

But just because an email contains no spelling mistakes doesn’t mean it’s not a scam. Scammers are willing to learn passable English for a payday. Can you imagine the nerve?

This attack was different because:

  • Official Domain Usage: The emails originated from Trezor’s legitimate domain, bypassing many email security filters and user suspicion.
  • Realistic Context: By using the support system, attackers created a plausible scenario where users might expect to receive communications from Trezor support.
  • Social Engineering: The emails likely contained convincing narratives about account security, device updates, or wallet maintenance—topics that would naturally concern hardware wallet users.

Technical Evasion

The attack also hit differently because it circumvented several layers of protection:

  • Email Authentication: Since the emails came from Trezor’s legitimate infrastructure, they passed standard email authentication checks (SPF, DKIM, DMARC).
  • Security Awareness Training: Even security-conscious users might be fooled by emails that appear to come from a trusted hardware wallet manufacturer.
  • Automated Detection Systems: Many anti-phishing systems rely on domain reputation and sender authentication, both of which would have appeared legitimate in this case.

The Broader Context: Previous Trezor Security Incidents

This incident wasn’t Trezor’s first encounter with security challenges. Understanding the historical context helps illustrate the evolving threat landscape:

2021-2024 Data Breach Legacy

That breach exposed the sensitive information of roughly 66,000 Trezor users who had interacted with the platform’s support since late 2021, and it likely provided the attackers with the email addresses used in the recent phishing campaign.

Red Flags: Identifying the Phishing Emails

Even sophisticated phishing attempts contain warning signs that alert users can identify:

Content Red Flags

  • Seed Phrase Requests: Legitimate companies will NEVER ask for recovery seeds, private keys, or passwords via email.
  • Urgency Pressure: Phrases like “immediate action required,” “account will be suspended,” or “limited time offer” are classic phishing tactics.
  • Generic Greetings: Legitimate support communications typically address users by name or account information.
  • Suspicious Links: URLs that don’t match official Trezor domains or that redirect through multiple sites.

Technical Red Flags

  • Unexpected Communications: Receiving support emails when you haven’t contacted support recently.
  • Inconsistent Information: Details that don’t match your actual device model, purchase date, or account status.
  • Download Requests: Legitimate Trezor updates come through official channels, not email attachments.
  • Form Submissions: Requests to fill out forms or enter information on non-official websites or strange-looking domains with a similar format to the official domain.
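The Technical Evasion section above makes the point that SPF, DKIM and DMARC all passed, so they cannot be the deciding signal; the red-flag lists give the content checks that still work. As an added example (not from the article or Trezor), the following scores a single-part text email on those content red flags while treating a DMARC pass as merely informational. The two sample messages, the `trezor-backup-check.example` lookalike domain and the official-domain list are constructed for the example.

```python
"""Added example: content-based red-flag scoring for support emails that
authenticate correctly. Sample messages and domain list are constructed."""
import re
from email import message_from_string
from typing import Dict, List
from urllib.parse import urlparse

OFFICIAL_DOMAINS = {"trezor.io"}  # assumption for the example

# Only a *request* to enter or send a secret counts. A warning such as
# "support will never ask for your recovery seed" contains the words but is
# not a request, and must not trip the check.
SECRET_REQUEST = re.compile(
    r"\b(enter|confirm|verify|provide|submit|type|send|upload)\s+(your\s+)?(\d+[- ]word\s+)?"
    r"(recovery\s+(seed|phrase)|seed\s+phrase|private\s+key|passphrase|pin)\b",
    re.I,
)
URGENCY = re.compile(
    r"\b(immediate(ly)?\s+action|within\s+\d+\s+hours?|will be (suspended|locked|disabled)|act now)\b",
    re.I,
)
LINK = re.compile(r"https?://[^\s<>\"']+")


def is_official(host: str) -> bool:
    """Exact match or subdomain of an official domain; lookalikes fail."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def off_domain_links(body: str) -> List[str]:
    hosts = []
    for url in LINK.findall(body):
        host = (urlparse(url.rstrip(".,;)")).hostname or "").lower()
        if host and not is_official(host):
            hosts.append(host)
    return hosts


def score_email(raw: str) -> Dict[str, object]:
    msg = message_from_string(raw)
    body = msg.get_payload()
    if not isinstance(body, str):   # keep the example to single-part text mail
        body = ""
    flags: List[str] = []
    if SECRET_REQUEST.search(body):
        flags.append("asks for seed/private key")
    if URGENCY.search(body):
        flags.append("urgency pressure")
    bad_hosts = off_domain_links(body)
    if bad_hosts:
        flags.append("links to non-official domain")
    auth = (msg.get("Authentication-Results") or "").lower()
    return {
        "from": msg.get("From", ""),
        "dmarc_pass": "dmarc=pass" in auth,   # recorded, but never used as proof of legitimacy
        "off_domain_links": bad_hosts,
        "flags": flags,
        "verdict": "phishing" if flags else "no content red flags",
    }


# Constructed sample: an auto-reply abused to carry attacker text. Note that
# From and Authentication-Results look exactly like the legitimate one.
PHISHING_SAMPLE = """\
From: Trezor Support <support@trezor.io>
To: victim@example.com
Subject: Re: Immediate action required: verify your wallet backup
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=trezor.io; dkim=pass header.d=trezor.io; dmarc=pass header.from=trezor.io

Thanks for contacting support about:

Immediate action required. To keep your device protected, confirm your recovery seed at
https://trezor-backup-check.example/verify within 24 hours or your wallet will be suspended.

We will be in touch.
"""

# Constructed sample: a fixed-wording confirmation with no reflected text.
LEGIT_SAMPLE = """\
From: Trezor Support <support@trezor.io>
To: user@example.com
Subject: We received your support request
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=trezor.io; dkim=pass header.d=trezor.io; dmarc=pass header.from=trezor.io

A support request was opened for this address. Reference: T-000123.
If you did not submit this request, you can ignore this message.
Support will never ask for your recovery seed, PIN or passphrase.
Help centre: https://trezor.io/support
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, score_email(sample))
```

Both samples pass DMARC and share the same sender, which is exactly the situation the article describes; only the body separates them. The one flag this cannot evaluate from the message alone is "unexpected communication": whether you actually opened a ticket is something only you know, and it remains the strongest check of all.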

Trezor’s Response and Mitigation Efforts

Trezor confirmed that the issue has been contained and no email breach took place, adding that it is researching ways to prevent future abuse. The company took several steps to address the situation:

  • Public Warning: Trezor immediately issued security alerts across multiple channels to warn users about the ongoing phishing campaign.
  • System Analysis: The company conducted a thorough investigation to understand how the support system was exploited.
  • Platform Modifications: Trezor began implementing changes to prevent similar abuse of their automated support system.

Protecting Yourself: Essential Security Measures for Trezor Users

  • Email Verification: Always verify unexpected communications by contacting Trezor directly through their official website or phone number.
  • Never Share Seeds: Under no circumstances should you provide your recovery seed phrase, private keys, or passwords to anyone via email, phone, or any other communication method.
  • Official Channels Only: Only download firmware updates and software from Trezor’s official website (trezor.io).
  • Enable Notifications: Set up account notifications through official Trezor channels to monitor any legitimate communications.

The Broader Implications for Cryptocurrency Security

This attack highlights several concerning trends in cryptocurrency security:

  • Infrastructure Exploitation: Attackers are increasingly finding ways to abuse legitimate business infrastructure rather than relying solely on malicious domains and servers.
  • Sophisticated Social Engineering: The combination of technical exploitation with psychological manipulation creates particularly effective attack vectors.
  • Trust Erosion: Each successful attack erodes user confidence in legitimate cryptocurrency services, potentially hindering adoption.

Social Engineering Scams Will Continue

Over the past few months, low-skill social engineering scams have repeatedly succeeded against crypto users precisely because they require so little to set up.

All you need is a confirmed list of customers and a way to reach them: email for a mass-market approach, or a one-on-one call if you’ve already identified high-value targets.

Users who purchase hardware wallets understand the importance of technical security, but they have not been subject to penetration tests themselves. As a result, while hardware wallets are generally very secure, a phishing attack can still lure users into bypassing protections.

Scammers will find ways to lower your guard.

Everyone Wants your Bitcoin; NEVER Forget it

This incident serves as a crucial reminder that in the Bitcoin space, vigilance must be constant and comprehensive. If you want to self-custody, you must remain vigilant at all times. Users cannot rely solely on traditional security indicators, such as sender authentication or domain reputation. Instead, a zero-trust approach to all communications involving cryptocurrency assets is essential.

The key takeaways from this incident are clear: Never share recovery seeds or private keys through any communication channel, not even to the spirit of your dead grandmother. Also, always verify unexpected communications through official channels before taking action.

When it comes to social engineering attacks, doing nothing is always the best move; go slow and take a breather before you jump to any conclusions.

Remember: With self-custody, you are your own bank. With that freedom comes the responsibility to maintain the highest standards of security awareness and practice. Stay informed, stay suspicious, and never compromise on security for the sake of convenience.

Disclaimer: This article should not be taken as, and is not intended to provide any investment advice. It is for educational and entertainment purposes only. As of the time posting, the writers may or may not have holdings in some of the coins or tokens they cover. Please conduct your own thorough research before investing in any cryptocurrency, as all investments contain risk. All opinions expressed in these articles are my own and are in no way a reflection of the opinions of The Bitcoin Manual.
