
Cyber Incident Victim: Trezor

Date:

Jun 2018

Location:

United States of America

Summary

A phishing attack targeted users of a cryptocurrency wallet service by redirecting traffic bound for the official web wallet portal to a malicious server impersonating it. The redirection was attributed to DNS poisoning or BGP hijacking; because the rogue server could not present a valid certificate for the real hostname, browsers raised HTTPS certificate warnings, which is what alerted the community. The fraudulent site showed error messages whose wording differed from the genuine interface and asked users to type in their recovery seed, something the legitimate service never requests and which would have handed attackers full control of the affected wallets. The malicious server was taken down through coordination with its hosting provider, though the extent of any stolen funds remained unclear at the time. The incident followed the pattern of earlier attacks that abused routing infrastructure against cryptocurrency platforms.


Description

On June 30, 2018, users of the Trezor hardware cryptocurrency wallet began encountering invalid HTTPS certificate warnings when opening the official wallet.trezor.io web portal. Absent a mis-issued certificate, only Trezor's own infrastructure can present a valid certificate for that hostname, so the warnings indicated that connections were being routed to a server impersonating Trezor's interface. Community members reported the anomalies to the company's security team, which confirmed by early Sunday morning (US time zones) that a phishing attack was underway. The initial technical evidence pointed to DNS poisoning or BGP hijacking as the likely vector, although the exact mechanism remained under investigation. Either way, attackers had intercepted traffic destined for wallet.trezor.io and redirected victims to a malicious server hosting a replica site built to harvest sensitive credentials.
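The two signals in this incident, resolvers disagreeing about where wallet.trezor.io lives and a served certificate that does not cover the hostname, are checkable by a monitoring script. The following is an added example written for this page, not Trezor's code or any tool the page mentions. It works on constructed inputs (the IP addresses, SAN lists and certificate bytes are invented for illustration) so it runs offline; in a real monitor those inputs would come from queries to several independent resolvers and from the leaf certificate of a TLS connection to the host.

```python
"""Added example (not Trezor's code): offline checks modelling the signals
seen in the wallet.trezor.io incident. All sample data below is constructed."""
from dataclasses import dataclass
import hashlib


@dataclass
class Observation:
    hostname: str
    dns_answers: dict   # resolver label -> set of IP strings it returned
    cert_sans: list     # dNSName entries from the served leaf certificate
    cert_der: bytes     # the served leaf certificate, DER-encoded


def san_matches(hostname, san):
    """RFC 6125-style name match: exact, or a single leftmost wildcard label
    that must be followed by at least two more labels (so '*.io' never matches)."""
    host = hostname.lower().rstrip(".")
    pat = san.lower().rstrip(".")
    if host == pat:
        return True
    hl, pl = host.split("."), pat.split(".")
    if pl[0] != "*" or len(pl) < 3 or len(hl) != len(pl):
        return False
    return hl[1:] == pl[1:]


def check(obs, pinned_fingerprints):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    # 1. Resolver disagreement: cache poisoning at one resolver shows up as
    #    a different answer from that resolver only.
    distinct = {frozenset(ips) for ips in obs.dns_answers.values()}
    if len(distinct) > 1:
        detail = ", ".join(f"{r}={sorted(ips)}" for r, ips in sorted(obs.dns_answers.items()))
        findings.append(f"resolver disagreement for {obs.hostname}: {detail}")
    # 2. Hostname not covered by the certificate: the check a browser performs
    #    and the one that produced the warnings users saw.
    if not any(san_matches(obs.hostname, s) for s in obs.cert_sans):
        findings.append(f"certificate does not cover {obs.hostname}; SANs={obs.cert_sans}")
    # 3. Pinning: even a validly issued certificate is suspicious if it is not
    #    the one the operator expects to be serving.
    fp = hashlib.sha256(obs.cert_der).hexdigest()
    if fp not in pinned_fingerprints:
        findings.append(f"leaf certificate sha256 {fp[:16]}... is not in the pinned set")
    return findings


# Constructed sample data: documentation IP ranges and made-up certificate bytes.
LEGIT_CERT = b"constructed-legitimate-leaf-certificate"
PINNED = {hashlib.sha256(LEGIT_CERT).hexdigest()}


def legitimate_observation():
    return Observation(
        hostname="wallet.trezor.io",
        dns_answers={"resolver-a": {"203.0.113.10"},
                     "resolver-b": {"203.0.113.10"},
                     "local-isp": {"203.0.113.10"}},
        cert_sans=["*.trezor.io", "trezor.io"],
        cert_der=LEGIT_CERT,
    )


def hijacked_observation():
    # One poisoned resolver, and a server presenting a certificate for some
    # other name (constructed), which is what triggers the browser warning.
    return Observation(
        hostname="wallet.trezor.io",
        dns_answers={"resolver-a": {"203.0.113.10"},
                     "resolver-b": {"203.0.113.10"},
                     "local-isp": {"198.51.100.7"}},
        cert_sans=["phishing-host.example"],
        cert_der=b"constructed-rogue-leaf-certificate",
    )


if __name__ == "__main__":
    for label, obs in (("legitimate", legitimate_observation()),
                       ("hijacked", hijacked_observation())):
        print(label, check(obs, PINNED) or "OK")
```

Note that the resolver comparison only catches poisoning of a subset of resolvers. If the attack is a BGP hijack of the web server's own prefix, every resolver returns the correct address and the connection still lands on the attacker's host; the certificate checks (hostname coverage and pinning) catch both cases, which is why the browser warning, not DNS, was the decisive signal here.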


The fraudulent website showed subtle discrepancies that alerted vigilant users, including an error message during wallet synchronization whose wording differed from Trezor's authentic interface. Crucially, the phishing site prompted users to type their recovery seed, the mnemonic from which every key in the wallet is derived, directly into the web page, contravening explicit warnings in Trezor's official documentation for its Model One and Model T devices. Trezor's manuals instruct users never to enter the recovery seed anywhere except on the hardware wallet itself, so any web page asking for it is a definitive indicator of compromise. Upon confirming the attack, Trezor's team worked with the malicious site's hosting provider to take down the fraudulent infrastructure. The company issued public warnings reiterating these practices but could not immediately determine whether attackers had stolen funds or quantify potential losses. The incident bore technical similarities to the April 2018 attack on MyEtherWallet.com, in which threat actors announced BGP routes for Amazon Route 53 DNS prefixes and served forged DNS answers that sent users to a credential-harvesting site, again accompanied by browser certificate warnings.
