Fake Trezor wallets and other nasty scams targeting Trezor users

The Binance hack once again highlighted the dangers of storing funds on exchanges. Following the hack, hardware wallets like Trezor saw a surge in demand as users scrambled to move funds off exchanges. Given the influx of new Trezor wallet users, this is a good time to highlight the scams that target them, such as fake Trezor wallets.

Trezor is a giant in the cryptocurrency space. Unless you have been living under a rock, you would have heard of them. We use Trezor ourselves and it is a great product. Unfortunately, being such a popular cryptocurrency wallet makes it a target of scammers. Naturally, there have been many scams targeting Trezor wallet users including fake Trezor wallets. Given the difficulty of hacking hardware wallets, scammers have focused their efforts on the weakest part in any security model.

The end user.

YOU.

Below we discuss some scams that have targeted Trezor wallet users.

Scam 1: Fake Trezor wallets

Some scammers create imitation Trezor wallets like the one below.

Imitation Trezor wallet (Image credit: Trezor)

And then there are some that go a step further and create their own versions of the product, like the “Trezor Mini”.

Introducing …… the Trezor Mini

The site has been taken down but you can view the archived version here.

While the Trezor Mini team had a slick-looking website, many aspects were fishy. Firstly, pricing for the model was not indicated anywhere. Also, users had to input their contact details for a member of the sales team to get in touch with them. Introducing so much friction into the sales process just seemed odd.

How to avoid such fake Trezor wallet scams?

Here are some precautions you can take to avoid this hardware wallet scam. The fact that many of these recommendations are influenced by a user’s personal preferences is not lost on us. At the end of the day, this is crypto. You are your own bank. You are free to decide what security measures to take to protect your funds.

  • Check the holograms on the packaging and verify the contents of your package.
  • Only buy your wallets directly from Trezor. Would we buy from Trezor’s authorized resellers? We personally wouldn’t and would buy from an authorized retailer only if Trezor didn’t ship to our location. Also, never get them from Amazon as there is a risk of inventory commingling. By purchasing your wallet directly from Trezor, you can be certain the device is genuine.

We reached out to Trezor for comment on this and their community manager Bach Nguyen kindly helped us out. On the issue of not buying from authorized resellers due to uncertainties over their reputation, Trezor stated that they “are planning to revamp our internal system, changing the conditions for earning the title ‘authorized reseller’. This should overall improve the pool and quality of resellers.”

On the issue of inventory commingling on Amazon, this was Trezor’s reply. “If you are concerned, buy directly from Trezor. But this does not mean that we are not addressing these concerns, as we understand Amazon is a vital marketplace, especially for the US market. We are already working on cleaning up the Amazon market, and will soon enroll in the Amazon Transparency program. From that moment on, only Trezors sent directly from our warehouse will be sold under our official listing.”

TL;DR: just buy direct from Trezor and have peace of mind.

Amazon commingled inventory

  • Do not buy second-hand Trezor wallets. What little savings you achieve would be more than outweighed by the risk of getting scammed.
  • Some sellers also offer Trezor wallets preloaded with cryptocurrencies. Sellers of such wallets know the recovery seeds to access your funds. As such, there is a risk that they can steal your funds even before you have the chance to move them. In short, there is never a good reason to buy hardware wallets with funds in them. (thanks to redpola for highlighting this to us).
  • Understand that you must always generate your recovery seed and PIN codes on your own. Your recovery seed card should thus come blank. If your Trezor wallet comes with an already completed recovery seed card, reset your device and contact Trezor support about this.

Scam 2: Fake software

A website called Trezorkit.com offered users download links to fake Trezor software. This software turned out to be ransomware.

How to avoid such fake Trezor wallet scams?

Scam 3: Fake websites/advertisements

Scam advertisement (Image credit: Reddit user Vito1900)
Fake Trezor website claiming to be the official one (Image credit: Reddit user GuidoLange)

Here are some examples of websites that claim to be the official Trezor website. We could not access these sites to determine their motives. However, it is clear you should never enter such sites.

Best case scenario? It was an affiliate marketer seeking to increase commissions by claiming to be the real site.

What is more likely to happen is that you land on a scam website and get phished.

A hijacked version of Trezor’s website (Image credit: Trezor)

In the image above, scammers managed to carry out a BGP hijacking / DNS poisoning attack. In such attacks, they are able to redirect users to another version of the website even if the user enters the correct website address. As seen from the image above, the address bar reflects the correct URL. However, something is obviously wrong as the site asked for the user’s recovery seed. Users were met with the following screen after they selected the number of words in their recovery seed.

The hijacked version of the Trezor website requesting the recovery seed (Image credit: Trezor)

How to avoid such fake Trezor wallet scams?

  • Ensure the site you are visiting has a valid certificate. Look for the lock symbol in the address bar. A hijacked copy of the site typically cannot present a valid certificate for the real domain, so a browser certificate warning is your cue to leave. Doing so protects you against the BGP hijacking / DNS poisoning attacks we saw earlier.
Look out for the lock icon in your address bar
  • Never enter your recovery seed into a device other than your hardware wallet. Hardware wallets shield your recovery seed so that it never has to touch your mobile phone or computer. When sending or receiving funds, the recovery seed / private keys never leave your Trezor wallet. Only your signed transaction leaves the device. By inputting the seed into a computer or mobile phone, you expose it to theft by malware on those devices and, in doing so, reduce the security of your funds tremendously.
  • Bookmark relevant sites and access them through the bookmarks. Typing or Googling them each time increases the possibility of landing on a scam website. For example, you may mistype a letter in the URL and end up on a phishing website.
  • Consider downloading an extension like the Alexa toolbar. The extension is free. It shows you how popular a website is. A scam website would have very poor metrics and reviews. Thus, when you enter a fake Trezor website, you can instantly tell something is wrong.
  • Unleash your wrath on these scam websites. So you nearly got scammed and now you are out for blood. You want these scammers to pay. What can you do? First, you can report them to Google (phishing sites or malware sites) and watch them drop off Google’s index. You can also go a step further and report them to their domain registrar, the company that registered the scammer’s domain name for them. We will use Google as an example. To find out Google’s domain registrar, we run its domain through Whois. As the results below show, MarkMonitor is the registrar, and abuse can be reported to abusecomplaints@markmonitor.com.
Google Whois

Scam 4: Fake apps

Fake Trezor wallet in Google Play store

Scammers use these apps to trick users into providing their recovery seed or private keys. Sometimes these apps appear harmless at first. However, their developers could easily update them with a malicious payload. If you want to read more about what the above app does, see this article by Android security researcher Lukas Stefanko.

So how could you tell the app was fake? The scammer had taken many steps to make the app appear legitimate. For one, Trezor Inc was listed as the developer. Unless you knew that the real Trezor app was offered by SatoshiLabs, you could have easily fallen for it. Furthermore, the scammer had used Trezor’s official site and support email in the Developer section.

The fake Trezor wallet had provided legitimate looking developer contact information.

How to avoid such fake Trezor wallet scams?

  • Check the following areas:
    • Ratings and reviews. Frequent complaints about getting scammed would indicate a fake Trezor wallet.
    • Developer information. As explained above, this is not foolproof. But it certainly helps weed out lazy scammers who are not meticulous.
    • The number of downloads. Popular cryptocurrency wallets like Trezor should have a large number of downloads. The app above had only 50+ installs, which is an instant red flag.
  • Report fake apps. In the Google Play store, users can select “Flag as inappropriate” to report malicious apps. This would alert Google to remove the app and reduce the number of victims falling for them.

Scam 5: Fake support

The internet is littered with examples of fake Trezor customer support.

Fake Trezor phone support

Scammers would find ways to steal funds after being contacted. For example, they could trick users into revealing their recovery seed. We are also aware of scammers requesting TeamViewer access to “diagnose issues”. Once they have gained access, the scammers proceed to transfer the user’s funds to their own wallet.

How to avoid such fake Trezor wallet scams?

  • If you need help with your Trezor, submit a ticket through their Support Center. There are no other ways of contacting them.
  • Some scammers reach out to their victims instead of waiting to be contacted. So beware of messages you receive on social media or by email.

Scam 6: Fake jobs (LOL woot?)

This isn’t exactly a Trezor wallet scam. However, we included it as it was interesting. Basically, the scammers offered jobs to work for Trezor. They conducted interviews by phone (audio only, no video) and subsequently extended an employment offer. However, they also asked users to submit personal identification documents. Such documents could have easily allowed scammers to impersonate their victims online.

How to avoid such fake Trezor wallet scams?

  • Check the email domain of the person you are corresponding with. In this instance, the scammer had used the email address nelsoneddie@satoshilabs.in.au.
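
The domain check above, and the lookalike sites described under Scams 2 and 3, come down to the same test: is the host exactly an official domain or a true subdomain of one? The sketch below is an added example, not code from Trezor or from this article; the allowlist (trezor.io, satoshilabs.com), the brand tokens and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: illustrative allowlist; build yours from the site you bookmarked.
OFFICIAL_DOMAINS = ("trezor.io", "satoshilabs.com")
BRAND_TOKENS = ("trezor", "satoshilabs")


def extract_host(value: str) -> str:
    """Return the lowercased host of an e-mail address, URL or bare hostname."""
    value = value.strip()
    if "://" not in value and "@" in value:
        host = value.rsplit("@", 1)[1]          # e-mail: everything after the last @
    else:
        if "://" not in value:
            value = "//" + value                # bare host: give urlsplit a netloc
        host = urlsplit(value).hostname or ""   # drops any user@ prefix and the port
    return host.lower().rstrip(".>")


def classify(value: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for a sender or link."""
    host = extract_host(value)
    for domain in OFFICIAL_DOMAINS:
        # Exact match or a true subdomain only. A substring test would
        # accept satoshilabs.in.au and trezor.io.example.net.
        if host == domain or host.endswith("." + domain):
            return "official"
    squashed = host.replace("-", "")            # tre-zor.example.net -> trezor...
    if any(token in squashed for token in BRAND_TOKENS):
        return "lookalike"                      # brand name on someone else's domain
    return "unrelated"


if __name__ == "__main__":
    samples = [
        "nelsoneddie@satoshilabs.in.au",        # address quoted in this article
        "http://trezorkit.com/",                # site named under Scam 2
        "https://trezor.io.example.net/",       # constructed
        "https://trezor.io@login.example.net/", # constructed: user@ trick
        "https://trezor.io/start",
    ]
    for sample in samples:
        print(f"{classify(sample):10} {extract_host(sample):24} {sample}")
```

An "official" verdict only says the name is right; the certificate check and the rule about never typing your seed still apply.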

Other scams

The following scams targeted users of other cryptocurrency wallets such as Ledger. Since they could equally happen to Trezor users, we discuss them too.

Fake recovery seed instructions

Scam recovery sheet before scratch off. (Image credit: Reddit user normal_rc)
Recovery sheet after scratch off

This is an example of a supply chain attack. Scammers buy the Ledger Nano S, insert the fake recovery seed instructions and then sell it to users. Users who then set up their wallets using the seed phrase provided would have their funds stolen. This is because scammers can use the seed phrase to gain access to the users’ funds.

How to avoid such fake Trezor wallet scams?

  • You can easily avoid such scams by getting your Trezor wallet directly from Trezor’s website.

Clipper apps

Such malware targets cryptocurrency users when they are sending or receiving funds. It detects copied addresses and replaces them with ones belonging to the scammer. Thus, a victim ends up pasting the incorrect address when processing their transactions and funds get sent to the scammer. Scammers have a large inventory of addresses they previously generated, so the address pasted by the user can bear similarities to the user’s intended recipient.

How to avoid such fake Trezor wallet scams?

  • Verify the address in full. Partial verification increases the risk of funds getting sent to the wrong address.
  • Always verify transaction details on your Trezor device. Your Trezor desktop application can be compromised, so what you see on your computer screen can be manipulated. Hardware wallets like Trezor are more secure and are much harder to compromise. Thus, always perform verification on your Trezor hardware device.
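
Why partial verification fails against a clipper, as an added example that is not part of the original article: the two addresses below are constructed strings (not real wallets) that share their first and last characters, so a glance at both ends passes while a full comparison does not. Function names and the four-character glance width are assumptions.

```python
# Constructed, invalid addresses used only to illustrate the comparison.
INTENDED = "bc1q9h7example0intended0recipient0x4tz"
LOOKALIKE = "bc1q9h7attacker0owned0lookalike00x4tz"


def shared_ends(a: str, b: str) -> tuple:
    """Return how many leading and trailing characters two strings share."""
    limit = min(len(a), len(b))
    prefix = 0
    while prefix < limit and a[prefix] == b[prefix]:
        prefix += 1
    suffix = 0
    # Stop before the suffix runs into characters already counted as prefix.
    while suffix < limit - prefix and a[-1 - suffix] == b[-1 - suffix]:
        suffix += 1
    return prefix, suffix


def glance_check(intended: str, pasted: str, n: int = 4) -> bool:
    """The risky habit: compare only the first and last n characters."""
    return intended[:n] == pasted[:n] and intended[-n:] == pasted[-n:]


def verify_pasted(intended: str, pasted: str, n: int = 4) -> str:
    """Full comparison: 'match', 'lookalike' (likely clipper swap) or 'mismatch'."""
    intended, pasted = intended.strip(), pasted.strip()
    # Exact, case-sensitive equality over the whole string.
    if intended == pasted:
        return "match"
    prefix, suffix = shared_ends(intended, pasted)
    # Different address that still agrees at one end: built to survive a glance.
    if prefix >= n or suffix >= n:
        return "lookalike"
    return "mismatch"


if __name__ == "__main__":
    print("glance check passes:", glance_check(INTENDED, LOOKALIKE))
    print("full check verdict: ", verify_pasted(INTENDED, LOOKALIKE))
    print("shared prefix/suffix:", shared_ends(INTENDED, LOOKALIKE))
```

A check like this runs on the computer, which is the part a clipper controls, so it complements the comparison on the Trezor screen rather than replacing it.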

 

Conclusion

Security is a never-ending battle between good and evil. Hopefully, this article has raised your awareness about fake Trezor wallets and other scams.

Want to read more about Ledger wallet scams? Click here to read our article on it. Scams that target Ledger users could likewise affect Trezor users. To learn more about staying safe while using cryptocurrency wallets, see our article on cryptocurrency wallet security.

Disclaimer: this article does not attempt to nor does it claim to cover ALL fake Trezor wallet scams. Scammers are constantly seeking new and novel ways to fool cryptocurrency wallet users so it is impossible to keep track of them all.

If we missed a scam that you feel our readers should know about, shoot us a comment below. We will update the article accordingly.
