Disturbing news @jooliver. It’s the first time I’ve heard of such a recent hack and I don’t know if it’s still a valid method or not, but as far as I can see this method requires that the hacker need physical access to the device. Typically someone who buy a device (new or used) and then sell it again as used after they’ve written their own code to the device. You should therefore never buy used hardware wallets like Trezor.
I think I’ll leave this to Developer @matejcik to answer further. I don’t know much about how Trezor works internally.
This is a year old news item, based on a security flaw in the Trezor One that was fixed in a firmware update five years ago.
Apart from requiring a Trezor One that has not been updated since early 2018, this hack requires taking the Trezor apart, soldering things to it, and generally having the skills of a pro hardware hacker.
It has absolutely nothing to do with the topic here, unfortunately.
where did you buy the hardware wallet?
what model?
what firmware version?
who had physical access to the Trezor wallet?
where and how did you save the seed phrase yourself?
in my case it was firmware 2.5.3,
even after the update, bootloader 2.0.5 did not give me the opportunity to install the original firmware and made it possible for a hacker to steal my tokens.
approximately 3 feb 2023
approximately my loss was 33000$
I find it extraordinary that Trezor when contacted about my unauthorized transactions first advice was, ‘get whatever is left in the cold wallet out’. Too late advice however also interesting is that Trezor did not ask for the transaction data, not their problem obviously. The more I visit the community the more cases of unauthorized transactions shows up. I bought the cold wallet from the Trezor site, the seal was intact when I received it, my seed words were not compromised, no one else had access to my physical device. It was hacked plain and simple yet Trezor continues to sell their product unchallenged. I guess $21,000 Canadian is small potatoes to them.
The OP in this topic bought a counterfeit device from unauthorized seller, and in general only way for funds to be transferred is that the seed was compromised.
The hack posted above is years old and issue fixed.
Not true I bought the device from Trezor’s authorized site. The device was sealed when it arrived. I would imagine this thief is very familiar with Trezor code.
Since each transaction must be signed by using private keys of the respective address and considering the fact that Trezor has never been hacked remotely and it’s designed not to reveal private keys (essential for creating a transaction) to anyone, not even to you even if it’s needed (this statement can be verified and audited by anyone since our device is fully open-sourced), there basically 2 scenarios of what can happen:
Either some 3rd person used your Trezor physically for confirming the transaction
Your private keys (represented by your recovery seed) were compromised and the attacker used them to sign the transaction. This is possible since you can recover your wallet including your private keys by performing a recovery with a compatible wallet.
I just logged in to the suite and realized that there has been 2 unauthorized transactions. Balance is now $0.
Bought device from Trezor’s site
Seal was intact.
Have not share my seed w anyone.
Trezor is store at home.
I need help!