Phishing Email: Protect Your Assets From State-Sponsored Threat Actors

This email is flashing across the world. Phishing or real? I did not click on the link in the email, because we should NEVER EVER do that. I logged into Trezor Suite from my laptop and there is no firmware update. This email has all the red flags of a scam: "URGENT! CLICK HERE! NORTH KOREA!" And check out the email domain - epelectric email address - huh? The website for El Paso Electric! :roll_eyes:

---------- Forwarded message ---------
From: Trezor <noreply @ myaccount.epelectric . com>
Date: Sat, Jul 19, 2025 at 3:32 AM
Subject: Protect Your Assets From State-Sponsored Threat Actors
To:

Official Security Incident Report
Dear Trezor User,

This communication is to inform you of a significant security incident. Trezor has confirmed a coordinated social engineering attack resulting in unauthorized access to our internal server infrastructure. The investigation has determined that threat actors, with characteristics consistent with the North Korean state-sponsored group Lazarus, gained access after successfully placing personnel within a third-party contractor using falsified credentials.

These individuals deployed malware that compromised specific communication endpoints, leading to the exposure of user data. We have verified that this vector has been used to execute unauthorized transactions totaling approximately $70 million in BTC and ETH. Our team is working with blockchain analysis firms to trace the stolen assets. This attack vector aligns with intelligence on sophisticated campaigns previously analyzed by our team (for more context, see published analysis).

We are requiring users to take mandatory mitigation steps.

Mandatory Mitigation Steps
To contain this threat and protect your assets from further exposure, we have issued a mandatory firmware update. This update serves as a containment and neutralization protocol, which will re-establish a secure communication channel between your device and the Trezor network.

We have the utmost confidence in our remediation plan, but its success depends on your prompt cooperation. We take this matter with the greatest seriousness and regret any concern this may cause.

Proceed to Dashboard
Sincerely,
The Trezor Security & Compliance Office

SatoshiLabs s.r.o., Kundratka 2359/17a, 180 00 Prague 8, Czech Republic

This is a mandatory security notification regarding your Trezor account.

3 Likes

I got this same email also. It’s a scam email. It was sent using the SendGrid service, which is a legitimate emailing service. The sender for me seems to be noreply @ myaccount . epelectric . com (spaces included due to forum restrictions), which can be spoofed also (didn’t check the email headers). Safely checked the link and it goes eventually to t . rezor-firmware . io (spaces included due to forum restrictions) and that is an obvious phishing address.

I haven’t trusted any emails that are sent in the name of Trezor after they lost a lot of customer emails in a breach of their account at Mailchimp a few years ago.

2 Likes

I have received the below email - is this a scam?

Official Security Incident Report

Dear Trezor User,

This communication is to inform you of a significant security incident. Trezor has confirmed a coordinated social engineering attack resulting in unauthorized access to our internal server infrastructure. The investigation has determined that threat actors, with characteristics consistent with the North Korean state-sponsored group Lazarus, gained access after successfully placing personnel within a third-party contractor using falsified credentials.

These individuals deployed malware that compromised specific communication endpoints, leading to the exposure of user data. We have verified that this vector has been used to execute unauthorized transactions totaling approximately $70 million in BTC and ETH. Our team is working with blockchain analysis firms to trace the stolen assets. This attack vector aligns with intelligence on sophisticated campaigns previously analyzed by our team (for more context, see [published analysis]
Link removed…

We are requiring users to take mandatory mitigation steps.


Mandatory Mitigation Steps

To contain this threat and protect your assets from further exposure, we have issued a mandatory firmware update. This update serves as a containment and neutralization protocol, which will re-establish a secure communication channel between your device and the Trezor network.

We have the utmost confidence in our remediation plan, but its success depends on your prompt cooperation. We take this matter with the greatest seriousness and regret any concern this may cause.

Link removed…

100% scam. I can’t post the email address here but note the scammy, non-Trezor email address in the original email.

3 Likes

1 Like

Silly me, I clicked on the link in the “Official Security Incident Report” and was redirected to a “Trezor” page, purporting to determine if I was human. I didn’t click there; rather, I came here for support. Was that only the first step of a social engineering scam, or did they already install something on my machine? In simple terms, how bad was that click?

I’m not an expert in these matters, but the website code I checked briefly didn’t seem to contain any malicious things itself.

My guess is that it was just a second step in a phishing scheme to get you to install malicious firmware on your Trezor device, which then could be used to steal your funds.

1 Like

there’s no such thing as malicious firmware

the way these things usually go, you click through, it says “connect your Trezor”, then nothing happens for a while, then some sort of “CRITICAL ERROR DATA LOSS IMMINENT” and then they ask you to enter the seed into the website

3 Likes

Critical Vulnerability Notice

Dear Customer,

We are writing to inform you of a critical security vulnerability that requires your immediate action. This notice concerns the firmware on your Trezor hardware wallet and its interaction with Trezor Suite.

Our security team recently discovered that threat actors breached a Trezor Suite administrative server. During the breach, they exploited a previously unknown zero-day vulnerability in the Trezor firmware. The attack was targeted at users who had an active connection from their device to Trezor Suite during the incident window.

This exploit allowed for Remote Code Execution (RCE) on the affected devices. We have confirmed cases where users’ devices were compromised, potentially allowing attackers to extract sensitive information. You are receiving this email because your account was active during the at-risk period. Therefore, you must assume your device is vulnerable.

To protect your assets, it is absolutely crucial to act now. We have released an emergency firmware patch that closes this vulnerability. You must connect your device and follow the guided update process immediately.
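
The replies in this thread describe the checks a reader can do by hand: compare the sender's domain with Trezor's real one, look at where the link actually goes, and watch for notices where invisible Unicode characters have been inserted between the letters of key words so that keyword filters miss them. The script below is an added example (not code from this thread or from Trezor) that automates those checks over a constructed sample email modelled on the messages posted here. It assumes trezor.io as the only legitimate sender domain; the sample headers, addresses and URLs are placeholders built for the example, not the actual message.

```python
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption for this example: the vendor's only legitimate sender domain.
TRUSTED_DOMAINS = {"trezor.io"}

# Zero-width/format characters and variation selectors that get padded into
# words so that naive keyword filters do not match them.
INVISIBLE = re.compile("[\u200b-\u200f\u2060\ufeff\ufe00-\ufe0f\U000e0100-\U000e01ef]")
URGENCY_WORDS = ("mandatory", "immediately", "critical", "urgent")

# Constructed sample modelled on the messages in this thread; headers and URLs are placeholders.
SAMPLE_EMAIL = """\
From: Trezor <noreply@myaccount.epelectric.com>
To: user@example.invalid
Subject: Protect Your Assets From State-Sponsored Threat Actors
Content-Type: text/html

<p>Cri\U000E0108tical Vulner\U000E0108ability No\U000E0108tice</p>
<p>We have issued a mandatory firmware update.</p>
<a href="https://t.rezor-firmware.io/update">Proceed to Dashboard</a>
"""

# Constructed benign message for comparison.
CLEAN_EMAIL = """\
From: Trezor <noreply@trezor.io>
To: user@example.invalid
Subject: Your device is up to date
Content-Type: text/html

<p>No action is required.</p>
<a href="https://trezor.io/">Open Trezor</a>
"""


def strip_invisible(text):
    """Remove format characters and variation selectors hidden inside words."""
    return "".join(
        ch for ch in text
        if unicodedata.category(ch) != "Cf" and not INVISIBLE.match(ch)
    )


def is_trusted(host, trusted=TRUSTED_DOMAINS):
    """A host is trusted only if it is a trusted domain or a subdomain of one."""
    return host in trusted or any(host.endswith("." + t) for t in trusted)


def is_lookalike(host, trusted=TRUSTED_DOMAINS):
    """Untrusted host whose dotted/hyphenated form still spells the brand name,
    e.g. t.rezor-firmware.io -> 'trezorfirmwareio' contains 'trezor'."""
    if host is None or is_trusted(host, trusted):
        return False
    flat = host.lower().replace(".", "").replace("-", "")
    return any(t.split(".")[0] in flat for t in trusted)


def phishing_indicators(raw_email, trusted=TRUSTED_DOMAINS):
    """Return (kind, detail) findings for the checks discussed in the thread."""
    msg = message_from_string(raw_email)
    findings = []

    # 1. Display name claims the brand, but the envelope domain is not the brand's.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    brand = next(iter(trusted)).split(".")[0]
    if brand in display_name.lower() and not is_trusted(sender_domain, trusted):
        findings.append(("sender_mismatch",
                         f"display name '{display_name}' but sender domain {sender_domain}"))

    # 2. Invisible padding inside words; strip it before any keyword matching.
    raw_body = msg.get_payload()
    body = strip_invisible(raw_body)
    if len(body) != len(raw_body):
        findings.append(("hidden_chars",
                         f"{len(raw_body) - len(body)} invisible characters removed from body"))

    # 3. Links whose host imitates the brand without being under its domain.
    for url in re.findall(r'href="([^"]+)"', body):
        host = urlparse(url).hostname
        if is_lookalike(host, trusted):
            findings.append(("lookalike_link", f"link points to {host}"))

    # 4. Pressure language typical of these notices.
    hits = [w for w in URGENCY_WORDS if w in body.lower()]
    if hits:
        findings.append(("urgency_language", ", ".join(hits)))
    return findings


if __name__ == "__main__":
    for kind, detail in phishing_indicators(SAMPLE_EMAIL):
        print(f"{kind}: {detail}")
```

Running it on the constructed sample reports all four indicator kinds, while the benign message produces none. The body is stripped of invisible characters before the keyword and link checks run, because that padding exists precisely to defeat matching on the visible text; the domain check treats only trezor.io and its subdomains as trusted, so a host that merely contains the brand name with extra dots or hyphens is flagged rather than accepted.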

Hello,

It’s July 20, 2025, 10:30 PM / Canada / Quebec, and I just received it too.
I had the same reaction, I deleted it, and I went to check Trezor Suite.
And there was no update.
Be careful.

Take care.

1 Like

I got the same email today. It is obviously a scam!!

I just received the same email notice on my iPad. I went to my computer and opened Trezor Suite. Didn’t see anything pertaining to this email. Looks very official and scary but I’m sure it’s a scam.

Yeah, got it too.

Still, it’s a good idea to make sure your laptop, Trezor, and Suite app are updated to the latest versions.
For a better night’s sleep :smiley:

1 Like

If it can help Trezor, I’ll send you a copy of the email I received. Thanks for everything.

1 Like