[Announcement] SECURITY ALERT

🚨 Security Alert! 🚨

We’ve detected an unauthorized email impersonating Trezor sent from a third-party email provider we use.

If you received a suspicious email with the subject line ‘Assets undergoing upgrade’ from the ID: [email protected], please do not click any links or provide any info within.

We request you to delete that email immediately.

Your trust is our priority:

  • Rest assured, your wallets & funds remain secure.
  • Remember, NEVER disclose your recovery seed.
  • Stay vigilant for phishing attempts.

Apologies for any worry caused. We’re actively handling the situation & will provide updates.

Below is a screenshot of the email.


This is getting ridiculous. First my Trezor email address is stolen from Trezor. How do I know? I only use that address with Trezor. Next I receive this phishing scam email to my Trezor address. Looked legit — from noreply (at) trezor (dot) io — so I clicked on the link. Red flag: I’m taken to trezor (dot) com, not (dot) io; but there’s a slick video background, it could be the real Trezor; red flag: it’s asking for my seed, and I know I should never provide that. So I close the browser tab immediately; of course, it’s probably already too late: any self-respecting attacker would have tagged the URI in the email, so now it’s known that my email address is live and responding.

It was only when I began looking for information about the phishing attack that I found… oh look, email addresses were stolen from Trezor. I had received no prior notice from Trezor about a seven-day-old breach; not a good job notifying people, guys. I tried to contact Trezor support, but after several Cloudflare “server unreachable” messages, I wasn’t able to. So now I see this announcement, published after my incident. Trezor really needs to get in front of this, and begin broadcasting warning emails.


1 Like

Trezor must stop using third parties for their newsletters. That’s where it came from (the phishing email). It’s the second time it happened.

1 Like

Regarding this, we only informed affected users (those who contacted support in the past). If you have not received an announcement, it means your email was not affected in last week’s incident. This is a separate one.

We have made an announcement on all our socials immediately, and the separate email informing all users was sent last night as well, hours afterwards. Please check your email to see whether you received it.

You are not at risk just by clicking the link.

To reiterate, my email address had to have been stolen from Trezor, because I only use that address to communicate with Trezor. No one could reasonably believe that the email address I only use for Trezor was coincidentally stolen in some other way when Trezor just happened to also have a data breach.

Trezor may think that they notified everyone affected by the breach, but that is obviously false. And before you say that the notification might have been lost in my junk email folder, I administer my own email server (which is how I issue a new email address for each separate use) and I monitor the junk folder closely; I received no notification from Trezor.

The information stolen in the breach was apparently of greater volume than Trezor is aware.

Yes, hours after I clicked on the link in the email.

Wrong again. As stated in my first reply, the link in the phishing email was likely tagged. My email address is now known to be live and responsive. No, my cryptocurrency is not at risk, but there are other risks involved.


What happened here was that Trezor’s account on the platform they use to send newsletters and other customer communication (Sendinblue) was compromised. Technically, the criminals didn’t steal your email address, they simply used the newsletter platform with Trezor’s account to send out a phishing email to all of the email addresses Trezor had stored on that platform.

Now, that being said, it’s totally possible they also downloaded the contact list with all email addresses. But we haven’t seen any evidence for that yet.