Unauthorized CoinJoin Transactions

I logged in to my Trezor wallet for the first time in a month only to find that a series of CoinJoin transactions cleared me out of everything late at night a month ago.

I have had a Trezor Model T for about two years. It came factory sealed straight from the company. I always avoid showing my recovery seed so much as in front of my computer screen, much less giving it away online or in person. Never a problem until June 2023.

That month I discovered that I still had BTC in my Coinbase wallet, so I wanted to transfer that over to my Model T. Right now the only thing that I find suspicious is that I went to the Microsoft Store to download “Trezor Suite: Device Manager.” There it asked for a 24-word recovery seed. Confused, I entered my Model T’s 12-word recovery seed a couple of times to no success. After looking into it, I downloaded Trezor Suite from here and I was able to log in. I successfully transferred and consolidated and did not log in until today.

11 CoinJoin transactions were made the night that I made those aforementioned transactions. I have never used CoinJoin and up to that point I saw no reason to transfer anything out of my Trezor wallet. My only suspicion right now is that Trezor Suite: Device Manager app. I checked the Microsoft Store and now I cannot find it there.

Does anyone else have a similar experience?

The Trezor device will protect your seed from malware even if your PC is compromised. But it cannot protect you from giving out the seed willingly.

That is why it is extremely important never to enter your seed into any digital device whatsoever, apart from the Trezor itself. You protected your seed from “giving it out online”, but failed to consider that a malicious app on your PC could also steal it.

Unfortunately, even official operating system stores carry a lot of fake or malicious apps. In the case of the Microsoft Store, my suspicion is that it’s mostly fake or malicious apps. We try hard to catch and report the fakes that we find, but it is like fighting the rising tide: for every one reported, twenty new ones pop up.

I am sorry for the loss of your funds. Unfortunately, there is nothing that can be done at this point.