An exploit of MailChimp’s newsletter database has resulted in Trezor users being targeted by a malicious phishing scam. The compromise was allegedly perpetrated by a MailChimp “insider,” Trezor reported.
Trezor makes hardware crypto wallets, devices that let anyone put their crypto into “cold storage.” Cold storage keeps the wallet’s private keys offline, which is usually done to protect them from cyber theft.
The wallet provider gives users a recovery seed of between 12 and 24 words that allows them to recover the wallet’s contents if their physical device is lost or stolen. However, should an attacker discover this seed, they can gain access to the wallet (and the crypto holdings) without needing the device.
On Sunday, Trezor tweeted that it was “investigating a potential data breach of an opt-in newsletter hosted on MailChimp” and told users to “not open any email originating from firstname.lastname@example.org, it is a phishing domain.”
Shortly after, Trezor confirmed that MailChimp had “been compromised by an insider targeting crypto companies.”
In a short thread, the company explained that it had “taken the phishing domain offline” and “will not be communicating by newsletter until the situation is resolved.”
Yesterday, Trezor shared a follow-up blog post about the phishing attacks. It describes them as “ongoing” and includes screenshots of the malicious phishing email. The post also contains guidance for affected users.
It is currently unclear whether any funds have been successfully stolen in the scam.
Crypto not immune to phishing attacks
Despite its promises of advanced security, Web3 is not immune to attacks.
Phishing attacks are relatively easy for cybercriminals to pull off: if the phishing site or message looks convincing, users can inadvertently hand their details to malicious actors. In the Trezor case, the actor was a MailChimp “insider.”
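The practical defence against a newsletter-list compromise like this one is to stop trusting the display name and check the actual sending domain and every linked host against the one domain the vendor really uses. The following is an added example, not code from Decrypt, Trezor or MailChimp; the legitimate domain `trezor.example` and the lookalike domains and message bodies are constructed placeholders for this illustration.

```python
import re
from email.utils import parseaddr

# Constructed allow-list for this example: the only domain the vendor's
# genuine newsletter would be sent from. Subdomains of it are also accepted.
LEGITIMATE_SENDER_DOMAINS = {"trezor.example"}
BRAND = "trezor"


def is_trusted_domain(domain: str) -> bool:
    """True if the domain is exactly an allow-listed domain or a subdomain of one."""
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in LEGITIMATE_SENDER_DOMAINS)


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From: header, or '' if absent."""
    _name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def classify_sender(from_header: str) -> str:
    """Classify a From: header as trusted, lookalike, unknown or malformed.

    A 'lookalike' is the phishing pattern seen in the Trezor campaign: the brand
    name appears in the display name or domain, but the domain is not the real one.
    """
    name, _addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    if not domain:
        return "malformed"
    if is_trusted_domain(domain):
        return "trusted"
    if BRAND in name.lower() or BRAND in domain:
        return "lookalike"
    return "unknown"


def suspicious_links(body: str) -> list[str]:
    """Return the hosts of all http(s) links in the body that are not allow-listed."""
    hosts = re.findall(r"https?://([a-z0-9.-]+)", body, flags=re.IGNORECASE)
    return [h.lower() for h in hosts if not is_trusted_domain(h)]


def triage(messages: list[dict]) -> list[dict]:
    """Annotate each message with a sender verdict and its suspicious link hosts."""
    return [
        {
            "from": m["from"],
            "sender": classify_sender(m["from"]),
            "bad_links": suspicious_links(m["body"]),
        }
        for m in messages
    ]


# Constructed sample messages (not real emails): one genuine newsletter and
# one lookalike that urges the reader to "recover" their wallet on a fake site.
SAMPLE_MESSAGES = [
    {
        "from": "Trezor <news@trezor.example>",
        "body": "Firmware notes: https://trezor.example/support",
    },
    {
        "from": "Trezor Team <security@trezor-wallet.example>",
        "body": "Your wallet may be at risk. Verify now: https://trezor-wallet.example/recover",
    },
]

if __name__ == "__main__":
    for result in triage(SAMPLE_MESSAGES):
        print(result)
```

A real mail gateway would apply the same two checks (sender domain and link hosts) after DMARC evaluation; the point of the brand-name test is that a convincing display name is exactly what the attacker controls, so it must never be the basis for trust.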
Last month, several users of the popular NFT marketplace OpenSea reported having NFTs and Ethereum stolen from their wallets in an attack that looted $1.7 million in crypto.
OpenSea CEO Devin Finzer said the team doesn’t “believe it’s connected to the OpenSea website” and that some 32 users had “signed a malicious payload from an attacker” that looked like official correspondence but was a phishing scam.
And last week, the price of ApeCoin sank 8% after Bored Ape Yacht Club’s Discord channel was compromised in a phishing scam.
The BAYC team’s Twitter account told users to “not mint anything from any Discord right now. A webhook in our Discord was briefly compromised.”