Trezor issues security alert after contact form exploit used in phishing scam

Crypto hardware wallet provider Trezor has issued a security caution to its users, warning of a new tactic being used by malicious actors to impersonate the company and phish for sensitive information.

In a post on June 23 via social media platform X (formerly Twitter), Trezor warned users that it has identified a security flaw where attackers abused its contact form to send scam emails appearing as legitimate Trezor support replies.

According to the wallet provider, the scam emails appear authentic but are phishing attempts by malicious actors preying on unsuspecting users to obtain sensitive information and compromise their accounts. 

Clarifying the situation, Trezor confirmed there was no breach of its internal email systems. Instead, the attackers submitted support requests using the email addresses of targeted users. This triggered Trezor’s automated system to send what looked like valid support replies, adding a layer of credibility to the phishing messages.

Trezor emphasized that the issue has been contained and said it is continuing to investigate while rolling out additional safeguards to prevent future incidents.

However, this is not the first time Trezor has been targeted. Back in January, the firm flagged an incident in which attackers accessed its newsletter subscriber email database and used a third-party service to impersonate the Trezor team, sending out malicious emails to users.

The repeated incidents have drawn scrutiny over Trezor’s security levels. Recently, researchers from Ledger Donjon, the security division of rival wallet maker Ledger , raised concerns over the Trezor Safe models, warning that they may not offer full protection against sophisticated attacks.

Trezor is now urging users to stay alert and follow strict security practices to keep their assets safe.

“Remember, NEVER share your wallet backup — it must always stay private and offline. Trezor will never ask for your wallet backup,” it warned.