Key Insights
- Trezor has issued an emergency firmware update after discovering a critical zero-day vulnerability exploited during a breach of its Trezor Suite admin server, enabling remote code execution on affected devices.
- A separate phishing campaign exploited Trezor’s online support system to send fake but legitimate-looking support replies, tricking users into revealing their wallet backups.
PRAGUE (MarketsXplora) – Trezor, the cryptocurrency hardware wallet maker, has issued an urgent call to action following the discovery of a critical firmware vulnerability, compounded by a recent wave of phishing attacks targeting its users.
In a security notice sent out Friday, June 28, Trezor warned customers of a serious exploit in its hardware wallet firmware that came to light after a breach of an administrative server tied to the Trezor Suite app. According to the company’s security team, attackers leveraged an undisclosed zero-day vulnerability, allowing for remote code execution (RCE) on devices connected to Trezor Suite during the breach window.
The company confirmed that several devices were compromised, potentially exposing sensitive user data. Customers who were active on Trezor Suite during the incident have been directly notified.
“You must assume your device is vulnerable,” the email stated, urging affected users to install an emergency firmware patch without delay. Trezor emphasized that applying the patch is “absolutely crucial” to protect digital assets, assuring users that swift action can neutralize the threat.
The breach has intensified scrutiny over Trezor’s infrastructure, which was already under pressure following a separate phishing campaign earlier in the week.
On Monday, June 23, the company reported that attackers had exploited its online support form to send scam emails disguised as official support responses. The fraudulent messages mimicked legitimate Trezor communications but were designed to trick recipients into revealing their wallet backup, the sensitive recovery phrase that must remain private and offline.
“These scam emails appear legitimate but are a phishing attempt,” Trezor wrote in a post on X (formerly Twitter). “Remember, NEVER share your wallet backup — it must always stay private and offline. Trezor will never ask for your wallet backup.”
The phishing campaign worked by submitting fake support requests using real users’ email addresses. The tactic triggered an automatic reply from Trezor’s system, making the emails appear credible to unsuspecting users. Despite the incident, Trezor said no internal infrastructure or customer data had been compromised.
“Although the attackers were able to manipulate the subject line of the request, they did not gain access to any Trezor systems, internal infrastructure, or user data,” a company spokesperson told MarketsXplora.
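The weakness described above is a support auto-responder that echoes submitter-controlled text to an address nobody has verified. The following is an added example, not Trezor's code and not part of the original article: it contrasts a reply that reflects the submitted subject with one that carries only fixed text, and flags lure-like subjects for review. The addresses, function names and lure pattern are assumptions constructed for illustration.

```python
import re
import secrets
from email.message import EmailMessage

SUPPORT_ADDR = "support@example.com"  # placeholder sender, not a real Trezor address

# Constructed heuristic: links or backup/seed wording in a ticket subject.
LURE = re.compile(
    r"https?://|www\.|wallet backup|seed phrase|recovery (phrase|seed)", re.I
)


def auto_reply_reflecting(requester: str, subject: str) -> EmailMessage:
    """Weak pattern: the submitter's subject is echoed back to the recipient."""
    msg = EmailMessage()
    msg["From"] = SUPPORT_ADDR
    msg["To"] = requester
    msg["Subject"] = f"Re: {subject}"
    msg.set_content(f"We received your request: {subject}")
    return msg


def auto_reply_fixed(requester: str, subject: str) -> EmailMessage:
    """Hardened pattern: the subject is deliberately ignored, so nothing
    typed into the form reaches the (unverified) recipient."""
    ticket = secrets.token_hex(4)  # opaque reference generated server-side
    msg = EmailMessage()
    msg["From"] = SUPPORT_ADDR
    msg["To"] = requester
    msg["Subject"] = f"Support request received [{ticket}]"
    msg.set_content(
        "A support request was opened using this address.\n"
        "If you did not submit it, you can ignore this message.\n"
        "Support will never ask for your wallet backup.\n"
    )
    return msg


def needs_review(subject: str) -> bool:
    """Hold tickets whose subject looks like a lure instead of auto-replying."""
    return bool(LURE.search(subject))
```
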
Trezor Safe 3 Security Also in Question
The latest incidents come just months after Trezor disclosed a separate vulnerability involving an older model of its hardware wallets. On March 5, the firm acknowledged the flaw, which it described as largely “theoretical” and relevant mainly to devices purchased second-hand. The disclosure followed a tip-off from rival Ledger, which had identified the issue and alerted Trezor.
Days later, on Wednesday, Ledger’s Paris-based security unit Donjon released further technical details, revealing that the 2023 Trezor Safe 3 model remains susceptible to a previously known physical supply chain attack. The researchers demonstrated that existing countermeasures on the Safe 3 could be bypassed, reigniting questions about the robustness of Trezor’s latest wallet generation.
“Ledger Donjon recently evaluated our Trezor Safe Family and successfully reused a previously known attack to demonstrate how some countermeasures against supply chain attacks in Trezor Safe 3 can be bypassed,” Trezor confirmed in a statement.
While Trezor has moved swiftly to address each emerging threat, the confluence of vulnerabilities and phishing attempts has rattled confidence among some users of the popular self-custody brand.
Trezor reiterated that its users’ security remains its highest priority, encouraging all customers to stay alert, verify communications, and apply all available updates promptly.