TL;DR
- Trezor detected phishing attempts through its support form, where attackers used leaked emails to trigger automatic replies.
- The company confirmed there was no internal breach and that its contact form remains secure, although it’s working on new measures to prevent abuse.
- The case highlights a common tactic: using leaked databases to send fake emails that imitate official communications.
Trezor issued a security alert after detecting phishing attempts that exploited its online contact form.
The company explained that a group of attackers used email addresses exposed in previous data breaches to submit fake requests to its support team. This triggered legitimate automated replies from Trezor’s system, which the scammers then used to impersonate official communications and deceive users.
Important Update
We have identified a security issue where attackers abused our contact form to send scam emails appearing as legitimate Trezor support replies.
These scam emails appear legitimate but are a phishing attempt.
Remember, NEVER share your wallet backup — it must…
— Trezor (@Trezor) June 23, 2025
Trezor clarified that the incident did not compromise its database or result in any email leak from its servers. According to the company, the contact form remains operational and secure, although it acknowledged it is actively working on new ways to prevent this type of abuse in the future. It also reminded customers never to share their wallet recovery phrases and emphasized that no official communication will ever request that information.
Trezor Had Already Faced a Similar Incident
In 2022, Trezor dealt with a similar situation when an exploit targeting its newsletter provider allowed attackers to send fraudulent emails containing links to malicious software disguised as a wallet update. Ledger, one of its main competitors, suffered a massive data breach in 2020 that exposed customer email addresses and triggered an ongoing wave of phishing campaigns.
Hardware wallets and self-custody applications have been dealing with similar scams for years. Platforms like MetaMask and Trust Wallet have also been frequent targets of impersonation schemes through emails, fake social media accounts, and fraudulent support channels. In most cases, attackers reuse data obtained from earlier leaks to contact users with messages that appear to come from legitimate sources.
Trezor emphasized that security is a continuous process and urged users to distrust any message requesting sensitive information, even if it seems to come from an official channel. Although this attack didn’t compromise its systems, it underscored that phishing schemes remain active and that attackers continue to find new ways to reach potential victims.
