Late yesterday night, our Support Team started receiving inquiries about an invalid SSL certificate, which serves as a stamp of authenticity for our web services. This can happen for a few reasons, some of which are less serious. Unfortunately, after investigating these reports more closely, we found that the invalid certificate warning appeared because of phishing attempts against Trezor users.

The fake Trezor Wallet website was served to some users who attempted to access wallet.trezor.io — the legitimate address. We do not yet know which attack vector was used, but the signs point toward DNS poisoning or BGP hijacking.

Upon accessing the website, the fake Wallet displayed an alert about device memory damage, asking users to restore their recovery seed. This was the second red flag, as the sentence contained errors.

Fake Trezor Wallet website with “Not secure” warning and incorrect English.

The third red flag was the method of recovery (seed check) — the fake site forced users to enter both the order number and the seed word into the computer.

Trezor One: You should never enter your recovery seed on a computer, along with the order number. The order is always given to you by your Trezor device. Never by the computer. For enhanced security, use the Advanced recovery method.

Trezor Model T: You should never enter your recovery seed anywhere but on your Trezor device. Under no circumstances should you enter your seed on a computer.