Need to Contact Customer support without Trezor One connected

My Trezor One was somehow hacked, possibly via MetaMask but I’m not sure. There’s a direct correlation to my Trezor being plugged in and tokens being withdrawn. I have lost 90% of what was on the Trezor and want to connect with someone from customer support.

Where did you buy it?
No one can hack the device by using a third-party wallet!
Tell me how you used it.

bought from Trezor, about 3 1/2 years ago. I have it set up with MetaMask for more security when interacting with Defi and Staking dapps. I was told on the Trezor reddit forum that a malicious smart contract could potentially lead to the Trezor being hacked. I didn’t think this was possible with the PIN entry as well as the need to press physical buttons to approve.

Is your token stored in the Suite wallet or in the MetaMask wallet?
It is best to have a screenshot of your stolen wallet. I will help you analyze the possible reasons for the theft.
It doesn’t make much sense for you to contact customer service. Customer service cannot help you retrieve your assets, and, secondly, it is impossible to reduce your losses.

I realize the losses are gone. Tokens for the ETH chain and Polygon chain were stored on the wallet (Suite) and also appeared on MetaMask. BSC tokens did not appear on the Suite. The reason I need to contact Trezor: there are a few remaining tokens they didn’t take (90% gone) as well as several staking platforms that are connected to the Trezor wallet address. The hacker(s) seem to have access only when the Trezor is plugged into the USB on my computer. After a complete Norton scan, I plugged the Trezor back in to see the transactions, and as soon as I plugged in, several of the remaining tokens were being withdrawn as I watched. When I unplugged, the withdrawal stopped. So I am unable to plug my Trezor in to fill out the contact form, and I want to know how I will be able to access staking platforms connected to my hacked wallet address.

I called the administrator for you in another post, and he will see it when he goes online.
You use standard wallets, have you never used hidden wallets?

Yes, standard wallet.

Is there really a technology that can transfer coins directly without pressing a button on the trezor device?

Has the seed phrase of your Trezor been entered on any device other than the Trezor device?

Only on the Trezor, and nothing stored online.

@zapla

Hi @beachrocktrades

Could you please be more specific about what platform/app you have used? Apparently if you provide liquidity to some dodgy DeFi pool, your funds may be at risk.
Otherwise there is no other way how your funds could get transferred out of the address derived from Trezor’s recovery seed without actually confirming this action on the device.

It has to have been a DeFi pool or staking approval, I don’t think there’s any other way. User error on me, I wasn’t aware that a smart contract risk could bypass the Trezor PIN and physical buttons. Expensive lesson for me. I know nothing is recoverable, but I need some advice on how to move forward with the address. I have tokens that are staked and not touched. But there’s some sort of correlation between plugging in the Trezor and granting access to the hacker. Is it possible to change the seed phrase and PIN for the Trezor? Do I need to find the malicious contract somehow?

There’s almost no way a hacker would need you to keep the Trezor connected.

Either they somehow got to your private keys, in which case they already have them regardless of Trezor being there.
Or you gave permissions to a dodgy smart contract, in which case, again, the permissions are already there and no Trezor interaction is required.

The only sort-of plausible mechanism is the sort of hack that would insert a “click Confirm” signal to the Trezor device. But there is no known way to do that, and no reports besides yours.

So my guess is, there is something else going on with the supposed correlation.
Can you provide more details?


Thank you for replying, I appreciate your time. The hack happened overnight, Dec 1 EST. I realized it first thing in the morning and immediately unplugged the Trezor. Not knowing what was happening, I ran a full Norton 360 virus scan and checked my VPN settings. With the Trezor unplugged, I could access MetaMask (address connected to Trezor), and at that point, ETH network and POLYGON/MATIC network assets were gone, but BSC assets were still there. After running the virus scans (2+ hours) I decided to plug the Trezor back in to see what happened, copy the hacker address, etc. After 3 minutes I saw that BSC assets were being withdrawn. I unplugged the Trezor and 5 out of 15 assets were left, and are still on MetaMask. I can’t move them to another wallet because the Trezor would need to be plugged in. I also have several staked coins associated with the hacked address, which I also can’t access without the Trezor plugged in. I’m almost certain it was a malicious smart contract, and the timing would line up with a Hotbit withdrawal on the Matic network. That withdrawal took 10 hours and it usually only takes 15 minutes. The only other activity that day for me was staking CPO tokens on Cryptopolis. My private keys are not online or digitally stored anywhere.

So what you are saying is, you can see your Metamask accounts without Trezor plugged in, and the balances are there. And that yesterday, after the overnight thing, you plugged in your Trezor – and without any activity on your part, just having Trezor plugged in, the balances started going down again?

Do I have this right?

Again, it is unlikely that “having Trezor plugged in” would affect matters, but let’s be careful just in case.

Also, it’s unlikely (but I don’t know enough to say it’s impossible) that the same dodgy smart contract could drain your funds across different chains.

This looks more like a private key compromise.

Did you set up Trezor with its own brand new seed, or did you import your pre-existing Metamask seed?

I would like you to look at the various blockchain explorers for your address. Are you using the same address for all of them? Try to correlate times of withdrawals – as reported by the blockchain explorers (https://etherscan.io/, https://polygonscan.com/, https://bscscan.com/), not what Metamask is telling you.

If it seems that the times are what you expect, borrow a friend’s computer on a different network, set up Metamask in a private Chrome window, and connect your Trezor there. Even if we assume the hacker can access your Trezor if you connect it to your Metamask on your PC, it’s next to impossible that they’d immediately gain the same access to a completely different host computer. Then you can use this setup to transfer the funds away from the problematic address.

Afterwards, it would be interesting to know, if you leave a small amount and connect back to your computer, if the funds are also drained afterwards. That’s if you can afford to possibly throw away some money on an experiment, of course.


Once your funds are moved away from the affected address, you can do a factory reset of your Trezor: User manual: Wiping the Trezor device - Trezor Wiki

This way the original seed and PIN are erased and you can set up a new one.
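The two mechanisms described in this thread (private key compromise versus permissions granted to a dodgy smart contract) leave different fingerprints in a block explorer, and the advice above is to read the explorers rather than MetaMask. The following is an added example, not code from the thread or from Trezor, that runs over constructed explorer-style records: a transaction whose sender is the watched address was signed by that address's key (the owner confirmed it on the device, or whoever holds the key did); a transaction sent by someone else that still moves tokens out of the address can only work through an allowance granted earlier. All addresses, hashes, timestamps and the record layout are placeholders constructed for the example; the `approve` selector is the standard ERC-20 one.

```python
# Added example (not from the thread): classify outflows from one address using
# explorer-style transaction records, to separate "signed by the address itself"
# from "pulled by a third party through an earlier token approval".
from datetime import datetime

APPROVE_SELECTOR = "0x095ea7b3"   # ERC-20 approve(address,uint256)
MAX_UINT256 = 2**256 - 1

# Constructed placeholder addresses, not real accounts.
VICTIM = "0x" + "11" * 20
ATTACKER = "0x" + "22" * 20
POOL = "0x" + "33" * 20    # hypothetical staking/pool contract the owner approved
TOKEN = "0x" + "44" * 20   # hypothetical ERC-20 token contract


def decode_approve(calldata):
    """Return (spender, amount) for approve() calldata, else None."""
    data = calldata.lower()
    if not data.startswith(APPROVE_SELECTOR) or len(data) != 2 + 8 + 64 + 64:
        return None
    body = data[10:]
    spender = "0x" + body[24:64]     # address is right-aligned in a 32-byte word
    amount = int(body[64:128], 16)
    return spender, amount


def classify(tx, victim):
    """Label one transaction record relative to the watched address."""
    victim = victim.lower()
    if tx["from"].lower() == victim:
        # The address signed this itself: either the owner confirmed it on the
        # device, or whoever holds the private key did.
        approval = decode_approve(tx.get("input", "0x"))
        if approval is not None:
            return "unlimited-approval" if approval[1] == MAX_UINT256 else "approval"
        return "signed-by-address"
    if any(t["from"].lower() == victim for t in tx.get("token_transfers", [])):
        # Someone else sent the transaction, yet tokens left the address:
        # only possible through an allowance the address granted earlier.
        return "pulled-by-third-party"
    return "unrelated"


def summarize(txs, victim):
    """Classify all records and give a defender-oriented verdict."""
    labels = {tx["hash"]: classify(tx, victim) for tx in txs}
    outflows = [tx for tx in txs
                if labels[tx["hash"]] in ("signed-by-address", "pulled-by-third-party")]
    times = sorted(datetime.fromisoformat(tx["time"]) for tx in outflows)
    span = int((times[-1] - times[0]).total_seconds() // 60) if len(times) > 1 else 0
    kinds = {labels[tx["hash"]] for tx in outflows}
    if "signed-by-address" in kinds:
        verdict = "key-compromise-suspected"   # move remaining funds to a fresh seed
    elif "pulled-by-third-party" in kinds:
        verdict = "approval-drain"             # revoke allowances; key may still be safe
    else:
        verdict = "no-outflows"
    return {"labels": labels, "verdict": verdict,
            "chains": sorted({tx["chain"] for tx in outflows}), "span_minutes": span}


# Constructed sample records in the shape of an explorer export (not real data).
SAMPLE_TXS = [
    # Owner granted an unlimited allowance to the pool contract.
    {"hash": "0xa1", "chain": "bsc", "time": "2021-12-01T03:00:00", "from": VICTIM,
     "to": TOKEN, "input": APPROVE_SELECTOR + "0" * 24 + POOL[2:] + "f" * 64,
     "token_transfers": []},
    # A third party used that allowance: sender is not the victim, tokens still leave.
    {"hash": "0xa2", "chain": "bsc", "time": "2021-12-01T03:10:00", "from": ATTACKER,
     "to": TOKEN, "input": "0x23b872dd",
     "token_transfers": [{"token": TOKEN, "from": VICTIM, "to": ATTACKER, "value": 1000}]},
    # A native-coin transfer signed by the victim address itself.
    {"hash": "0xa3", "chain": "ethereum", "time": "2021-12-01T03:12:00", "from": VICTIM,
     "to": ATTACKER, "input": "0x", "token_transfers": []},
    # Incoming reward from the pool: not an outflow.
    {"hash": "0xa4", "chain": "polygon", "time": "2021-12-01T09:00:00", "from": POOL,
     "to": VICTIM, "input": "0x",
     "token_transfers": [{"token": TOKEN, "from": POOL, "to": VICTIM, "value": 5}]},
]

if __name__ == "__main__":
    print(summarize(SAMPLE_TXS, VICTIM))
```

Two caveats when reading the verdict. A native-coin (ETH, BNB, MATIC) transfer out of the address can only ever be signed by the address's own key, so a "signed-by-address" outflow the owner never confirmed on the device is the strongest sign of key compromise. Conversely, some tokens accept an off-chain signed permit instead of an on-chain `approve`, so an allowance can exist with no approval transaction in the history; absence of an `approve` record therefore does not by itself rule out the approval-drain explanation.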

Again, let me thank you for your time on this - it is very, very appreciated.

Yes, the first paragraph is exactly correct. The only activity when replugging the Trezor after running virus scans was to enter the PIN in order to access Trezor Suite. That is when the BSC withdrawals started.

For connecting Trezor to MetaMask, I used the “connect to hardware wallet” feature on MM to sync Trezor with MetaMask, and the address for all chains is my Trezor ETH address. So yes, all 3 blockchains were using, and got hacked from, the same address. Do you want me to send you the address on this thread or by some other method? I would very much appreciate your analysis looking up my address on the 3 blockchain explorers.

For connecting Trezor and setting up MM on a different computer, would it be safe to use a private Chrome window on my wife’s computer? I use a VPN, she does not, but it would be the same internet access point.

If you are willing to make the address public, please post it here. Otherwise via PM.

I mean, I personally believe that it would be safe on your own computer :wink: For your sake, though, I suggest taking extra precautions.
If your wife’s computer never had MetaMask or other cryptocurrency-related software before, I would consider it safe to use. Otherwise it might already be compromised in the same way as yours.
I would strongly suggest at least going to another house and connecting to the wifi there, or using a public wifi in a restaurant or something like that, just in case your local network is somehow the culprit.

Thanks. My wife’s computer has had zero crypto activity of any kind, I’ll go for that. I don’t have the ability to DM on my user level, so here’s the address: 0xcd9F259b27463E901a720c4baabbd90f7be8c4fE

Well, now I see that the small amount of BNB is gone from MM, and that’s without the Trezor connected, as it must have happened in the last few hours. There are still a few alt coins on the MM wallet that I guess the hacker wasn’t interested in? So now I need to figure out the best path forward to not lose the remaining BSC alt coins on MM as well as the 5 staking platforms that are connected to that address (BSC and POLYGON networks). If the hacker sees activity when I unstake, I’m guessing he will be quicker than I will be to withdraw the coins to another wallet. Especially since I’ll need to deposit some BNB and MATIC to pay gas fees to unstake and move.