Malwarebytes says Trezor is connecting to suspicious site

While my Trezor was connected to my computer and Trezor Suite was open, Malwarebytes displayed a notification saying a Trezor Suite file was attempting to connect to a suspicious IP address and was blocked. When I researched the IP address provided, [80.67.167.81], it shows up as high risk on the service MaxMind.

Any thoughts on what this is or how to handle it?

Here are the details provided by Malwarebytes:

Malicious Website: 1

, C:\Users\pcd-G5\AppData\Local\Programs\Trezor Suite\resources\bin\tor\tor.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-

Category: Malware

Domain:

IP Address: 80.67.167.81

Port: 443

Type: Outbound

File: C:\Users\pcd-G5\AppData\Local\Programs\Trezor Suite\resources\bin\tor\tor.exe

Is this Trezor Suite for desktop or Trezor Suite for web? Try to disable Tor in Trezor Suite and see if Malwarebytes likes that better. It’s possible a virus has infected your copy of Tor, but I think it’s more likely Malwarebytes is wrong. Try checking with other malware software and also do a virus scan of your PC.

Edit: I also get a warning in Bitdefender on that IP you posted. What site were you supposed to go to? Be careful and check the site’s address again. It may be a phishing site.

I use Trezor Suite desktop. In the settings, I see a different Tor address: 127.0.0.1:9050
I guess I’ll disable Tor, but at this point I am left with an uneasy feeling my computer is infected with something malicious. Starting to feel like Ted K.