Is my Trezor Wallet Compromised after clicking a malicious link?


I’m wondering if anyone has the answers to these questions. I was recently the victim of an online scam that I clicked on Twitter, for an IDO launch that I thought was legitimate since it was being posted on a verified Twitter account. But without thoroughly reading the fine details, I caught myself in a scam that could have been prevented if I had read the full details before approving the transaction on my Trezor. This has nothing to do with Trezor’s security, only my own ignorance in not reading the details on the Trezor before approving.

Trezor actually prevented the hackers from draining my wallet, and they were only able to get all of the ETH and LINK that I had in my wallet, but then it ran out of ETH so it wasn’t able to pay for the gas fees for each token.

I’m wondering about the following:

  1. Is my Trezor compromised now since they were able to drain out two tokens?

  2. If I try to move everything out of my Metamask which is connected to my Trezor, do I run the risk of them taking all of the tokens as well?

  3. Should I replace this Trezor or am I safe as long as I review the transaction details on the Trezor before confirming?

  4. If the Trezor is compromised and I cannot move the tokens out, what are my options to transfer them safely out without being drained?

Any help would be greatly appreciated. A few lessons I learned here and I would hope no one goes through what I went through:

  1. Do not ape into anything you see on Twitter. Cross reference links before clicking anything.

  2. Thoroughly review the full details on your Trezor wallet screen before approving. This could have easily been prevented if I had looked at the screen to see what was trying to be transferred out of my account.

Thank you.

I forgot to add a few things:

  1. I’m currently using a Trezor Model T

  2. I never provided anyone with my seed phrase. Do you recommend I do a factory reset on the Trezor still?

Thank you

Hi @vjwong86,

First, I would like to mention that you shouldn’t send any other tokens to this address as they can be transferred out.

From your description, it looks like you gave a so-called (unlimited) allowance to a dodgy contract.

Once unlimited allowance is given to a smart contract, your Trezor device cannot protect your tokens (those for which you’ve given unlimited allowance) anymore and these tokens can be taken by the smart contract without your physical approval of the transaction on Trezor. Confirming an unlimited allowance allows the smart contract to spend all the tokens on the address without your knowledge. If you have other tokens without unlimited allowance given to some smart contract on the same address or on the other accounts/addresses they cannot be affected.

In general, hardware wallets like Trezor are the safest way to protect your private keys because private keys are stored offline on the hardware wallet and never leave the device. However, the problem with unlimited allowances is that no one needs to have your private keys to take the tokens from your wallet. Because of that, hardware wallets can’t offer any additional protection in this case.

You can read more about this issue in these articles:

Please, find answers to your questions below:

  1. No, if you did not provide your recovery seed, your other coins are safe. Only the tokens for which the unlimited allowance has been signed can be transferred out.
  2. No, but you definitely shouldn’t send more tokens to the ETH address that included the stolen tokens before you revoke all unlimited allowances that you signed. Please, review all your unlimited allowances on all ETH addresses you use and revoke or lower those that you’re not actively using anymore. For checking and revoking allowances these “approval checkers” can be used:

tokens on Ethereum network: Revoke, Etherscan

tokens on Binance Smart Chain: BscScan

tokens on Polygon network: Polygonscan

tokens on multiple networks: Cointool

  3. You can use your Trezor without any issues. Just make sure to revoke all unlimited allowances as mentioned in the previous answer.

  4. If you do not enter your recovery seed anywhere, your Trezor is not compromised and there is no need to factory reset the device.
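
To make the allowance mechanism described in the reply above concrete, here is an added example (not part of the original posts and not Trezor's code): a small Python decoder that takes the calldata of a transaction awaiting confirmation and reports whether it is a token approval, who the spender is, and whether the amount is unlimited or a revocation (zero). The `2**255` threshold, the placeholder spender address and the sample calldata are constructed assumptions.

```python
# Added example: decode token-approval calldata before confirming on the device.
MAX_UINT256 = 2**256 - 1
UNLIMITED_THRESHOLD = 2**255  # assumption: at or above this is "effectively unlimited"

# 4-byte function selectors of the standard approval calls.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",         # ERC-20 allowance
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721/1155 operator
}

def decode_approval(calldata_hex):
    """Return a dict describing an approval call, or None for any other call."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    raw = bytes.fromhex(data)  # raises ValueError on malformed hex
    name = SELECTORS.get(raw[:4].hex())
    if name is None:
        return None
    if len(raw) < 68:
        raise ValueError("approval calldata is truncated")
    if any(raw[4:16]):
        raise ValueError("spender word has non-zero padding")
    spender = "0x" + raw[16:36].hex()
    value = int.from_bytes(raw[36:68], "big")
    if name.startswith("setApprovalForAll"):
        # Boolean operator approval: true covers every token in the collection.
        return {"function": name, "spender": spender, "amount": None,
                "unlimited": value != 0, "revokes": value == 0}
    return {"function": name, "spender": spender, "amount": value,
            "unlimited": value >= UNLIMITED_THRESHOLD, "revokes": value == 0}

# Constructed sample calldata; the spender is a placeholder, not a real contract.
SPENDER = "11" * 20
PAD = "00" * 12
SAMPLE_UNLIMITED = "0x095ea7b3" + PAD + SPENDER + "ff" * 32
SAMPLE_LIMITED = "0x095ea7b3" + PAD + SPENDER + format(1000 * 10**18, "064x")
SAMPLE_REVOKE = "0x095ea7b3" + PAD + SPENDER + "00" * 32
SAMPLE_TRANSFER = "0xa9059cbb" + PAD + SPENDER + format(5 * 10**18, "064x")

if __name__ == "__main__":
    for label, tx in [("unlimited", SAMPLE_UNLIMITED), ("limited", SAMPLE_LIMITED),
                      ("revoke", SAMPLE_REVOKE), ("transfer", SAMPLE_TRANSFER)]:
        print(label, decode_approval(tx))
```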