Staking Liquidation Alert scam, but how?

I’ve just received (obvious) scam email about forced staking ending
“Liquidation Alert: Make sure to liquidate before disbanding time.”

More than falling for the scam, the problem is how did the scammers get my email address ?
I have only been (test) staking for past 2 weeks.

Since only trezor should have (this particular) email address connected to staking, there are only a couple of possible scenarios:

  • trezor has been hacked in the last 2 weeks ? (or the hack is ongoing)
  • trezor is selling the info ? (or the bad actor at the company)
  • trezor is sharing the info with everstake and they were hacked/selling the data ?

Anyone has any thoughts about this ?

3 Likes

Hello, I have received a similar message.

After thinking about it some more - could all be just random coincidence - scammers sending the email to address associated to trezor site breach from before (ex. a data breach that occurred on January 17 due to unauthorized access to their third-party support ticketing portal), this time the “theme” of the game is staking. ¯_(ツ)_/¯

I have received the same email 5 times in the past 24 hours. I could tell it was a scam by the poor grammar and punctuation - and sketchy return email address.

What I find strange is that I had just ordered a new Trezor device (from the official Trezor website) almost a week ago. Haven’t even received it yet. So I too thought maybe Trezor’s email list was hacked or shared. Hopefully, like you said, the timing is a coincidence, but I’m still wary.

Here is what I received:

From: Trezor Earn (noreply at everbridge dot net)

We’ve got some unfortunate but rewarding information:

You’ve been gaining in our staking programs directly through what you held in your device, sadly with upcoming regulatory, We can no longer offer these services, We ask that you make the journey to complete removaI of any staked designations you may have.

The amount you have been gaining at is important enough to guide you un-stake

[Liquidate Staked Positions] [[ URL REMOVED]]

Need Help?

  • If you have previously used the Suite, You may have to re-link .

  • Linked Safe can be found under “Other”

  • MM linked users are guided to use their physical to prevent problems.

We’re sorry to inform you of this unfortunate series of events.

Kundratka 2359/17a, 18000, Prague 8

1 Like

well, i am also wondering if there is a connection here: i had not used my wallet for a long time before and now a few days ago i updated the desktop app and firmware and now received this obvious scam email to the address that should only be known to satoshi labs

1 Like

Well, what I find strange is the fact that I hadn’t used my Trezor for a long time before, but a few days ago I updated the app and the firmware. As far as I have researched, the email hack at Trezor happened in January but it was only after I performed these updates that I received the scam email.

Is it possible that a trigger was triggered by these software/firmware updates after which the scam email was sent?

Can it be ruled out that the execution of the update or possibly the updated software/firmware itself was hacked?

Addon: Is it possible that recovery seed content can be leaked when running the check backup procedure?

Thank you for warning the community about this scam email. We have reported it to Google and posted about it on our X/Twitter account. You can read more about how to recognize phishing attempts in our post here: x.com.

1 Like

there is not

a lot of other people also received the scam now, most of them didn’t just happen to do an update at roughly the same time.

no

yes, that can be ruled out

that’s not possible, same as it is not possible at any other time when a scam campaign is not running.

the only way your funds are at risk is if you follow the link from the scam e-mail and act on any instructions that you find

2 Likes

thanks for explanation :+1:

btw, as being a developer myself :nerd_face: (though not experienced in typescript) i was curious to look in source code (downloaded from your github) what happens in detail in the desktop app (on linux) when dry-running the seed-recovery check as this appears to be the only situation when device communicates with app on the content of the seed. hmm, but the source code contains quite a lot of files / folders, any hint at which modules to look at?