A Fake Email from Trezor and How To Spot Phishing Emails
On April 3, I received an email that appeared to come from Trezor; I own one of their cold-storage hardware wallets and use it for the crypto I buy. The email claimed that the company had suffered a security breach and asked me to download the latest Trezor Suite, the software package used to manage the assets on the wallet.
On careful inspection, two things stood out. First, the sender address was a long, machine-generated string: 6d63969e.caaaarru4tcaaaaaaaaaaqmfgtcaaycrohuaaaaaaagr2qbisoxa@bnc3.mailjet.com. The domain belongs to a bulk-mail provider, not to Trezor, and the local part is a per-recipient tracking token (the same token, in different case, reappears at the start of the link path below), which is how mass mailings are addressed, not how a company writes to one customer. Second, "Trezor" was asking me to download the latest Trezor Suite. When I hovered over the download button, the link address was this: http://hg6g.mjt.lu/lnk/CAAAArru4tcAAAAAAAAAAQmFgtcAAYCroHUAAAAAAAgR2QBiSOXarOoHdGKBQWeOXQRzoB5AdgAHrVk/2/pcs7EpqjtL9iQD3zrJkvYg/aHR0cHM6Ly90cmV6b3ItYW16bm1haWxlci5teDIud2FsdGNyb2NrZXIuY29tL2FuYWx5dGljcy9pbmRleC5waHA_aWQ9N0F3ZWNHZnIlMkJDcFF0MnhTN0dicURlRHRvdiUyRkxod1N5UjBRTnFwRUhNR3lMQ2FvSnNQelhnWGVWUWFjbTRLT0RTQWJ6WlElM0QlM0Q. The link goes to a click-tracking host of the same mail provider (mjt.lu, matching the mailjet.com sender), not to anything under Trezor's own domain, and its last path segment is an encoded copy of the real destination: decode that segment and you can see where the click would finally land. So it was undeniable that something fishy was going on. Note that the length and complexity of the link are not the proof by themselves, since legitimate marketing mail also routes clicks through tracking redirects like this; the proof is the destination the link resolves to.
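As an added example (not part of the original post and not the author's own tooling), the following Python unwraps that link: its last path segment is unpadded base64url text, and decoding it yields the URL the click would finally reach. The brand domain trezor.io is assumed here as the legitimate domain to compare against; nothing else is assumed beyond the link quoted above.

```python
import base64
from urllib.parse import urlsplit

# The link behind the "download" button, copied from the email described above.
TRACKING_LINK = (
    "http://hg6g.mjt.lu/lnk/"
    "CAAAArru4tcAAAAAAAAAAQmFgtcAAYCroHUAAAAAAAgR2QBiSOXarOoHdGKBQWeOXQRzoB5AdgAHrVk"
    "/2/pcs7EpqjtL9iQD3zrJkvYg/"
    "aHR0cHM6Ly90cmV6b3ItYW16bm1haWxlci5teDIud2FsdGNyb2NrZXIuY29tL2FuYWx5dGljcy9pbmRl"
    "eC5waHA_aWQ9N0F3ZWNHZnIlMkJDcFF0MnhTN0dicURlRHRvdiUyRkxod1N5UjBRTnFwRUhNR3lMQ2Fv"
    "SnNQelhnWGVWUWFjbTRLT0RTQWJ6WlElM0QlM0Q"
)


def unwrap_tracking_link(url: str) -> str:
    """Return the destination encoded in the last path segment of a click-tracking link.

    The segment is base64url without '=' padding (as in the link above), so the
    padding is restored before decoding. A ValueError is raised when the segment
    does not decode to an http(s) URL, so callers never act on garbage.
    """
    segment = urlsplit(url).path.rsplit("/", 1)[-1]
    padded = segment + "=" * (-len(segment) % 4)
    target = base64.urlsafe_b64decode(padded).decode("utf-8", errors="replace")
    if not target.startswith(("http://", "https://")):
        raise ValueError("last path segment is not a base64url-encoded URL")
    return target


def hostname_matches(url: str, expected_domain: str) -> bool:
    """True only if the URL's host is expected_domain or a subdomain of it.

    A substring test would be fooled by a host such as trezor-amznmailer.example
    merely containing the brand name; checking the domain suffix is not.
    """
    host = (urlsplit(url).hostname or "").lower()
    return host == expected_domain or host.endswith("." + expected_domain)


def triage(url: str, expected_domain: str) -> dict:
    """Unwrap the link and report whether its real destination belongs to the brand."""
    target = unwrap_tracking_link(url)
    return {
        "target": target,
        "host": urlsplit(target).hostname,
        "matches_brand": hostname_matches(target, expected_domain),
    }


if __name__ == "__main__":
    # trezor.io is assumed to be the brand's legitimate domain for this comparison.
    for key, value in triage(TRACKING_LINK, "trezor.io").items():
        print(f"{key}: {value}")
```

Running it shows the click would land on trezor-amznmailer.mx2.waltcrocker.com, a host that merely has "trezor" in a subdomain label and is not under trezor.io at all; that, not the length of the link, is the decisive signal.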
It left me thinking: had Trezor been hacked? Was there a breach? Why such cryptic emails? I went to Reddit and Twitter to verify my findings, and many people were receiving the same email, so it was a phishing campaign.
On April 14, I received an email from Trezor itself. Trezor's mailing provider was Mailchimp, and according to that email Mailchimp had been compromised between February and April: a classic phishing-for-privileged-access attack had succeeded against several current and former Mailchimp employees.
According to Trezor, the malicious actors got my email address, IP address, and approximate location. They will use this information in future attacks. So what am I planning to do?
First, my email address is under my control: I could retire it and start a new one. Second, I will be more cautious when a new email arrives. Third, I will keep using the template I always use to detect fake emails.
What surprised me in Trezor's update was the lack of transparency and cooperation from Mailchimp regarding the attack. Trezor had to be proactive to understand what was happening. Transparency should be an essential value of any company; unfortunately, Mailchimp's reluctance makes it less trustworthy in the long run.
You can read more about the whole email debacle here.
How To Spot Phishing Emails?
I use a few rules to narrow it down quickly. First, I always check the email header, meaning the actual sender address in the From field, not just the display name shown next to it. Long machine-generated addresses, unfamiliar domains, or odd domain endings give me a first warning sign. Be careful with the name itself as well: one letter makes a difference, and typosquatting is a real thing.
Second, the text itself reveals clues. If it is poorly written or full of odd symbols, I know that something fishy is going on. The same goes for links: hover over each one and compare where it really points with where the text claims it goes.
Third, if the email asks you to download a file or open a suspicious attachment, especially through a link that does not point at the company's own domain, I treat that as the final confirmation that the sender is a malicious actor.
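To make the three rules repeatable, here is an added Python example (it is not the author's template and not Trezor's or Mailchimp's code) that applies them to a raw message. The sample message is constructed for this example: its From address and link host are the ones quoted earlier in this post, while the subject and body text are made up, and trezor.io is assumed to be the brand's legitimate domain.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

# Constructed sample message. The From address and the link host are the ones
# quoted earlier in this post; the subject and body text are made up.
SAMPLE_EMAIL = """\
From: Trezor <6d63969e.caaaarru4tcaaaaaaaaaaqmfgtcaaycrohuaaaaaaagr2qbisoxa@bnc3.mailjet.com>
To: user@example.com
Subject: Security incident: update Trezor Suite now
Content-Type: text/html; charset="utf-8"

<p>We have experienced a security breach. Please download the latest
Trezor Suite <a href="http://hg6g.mjt.lu/lnk/CAAAArru4tc">here</a>.</p>
"""

LONG_LOCAL_PART = 24  # a local part longer than this is rarely a person's mailbox
DOWNLOAD_WORDS = ("download", "install", "attached")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch one-letter look-alikes such as trez0r.io."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def under_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it (a substring test would not do)."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def looks_like_typosquat(host: str, domain: str) -> bool:
    """True if the host's second-level label is within one edit of the brand's but not equal."""
    labels = host.lower().split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    brand_label = domain.split(".")[0]
    return label != brand_label and edit_distance(label, brand_label) <= 1


def triage_email(raw: str, brand: str, brand_domain: str) -> list:
    """Apply the three rules above to a raw RFC 5322 message and return the findings."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # Rule 1: the header. Judge the real address, not the display name.
    sender = msg["From"].addresses[0]
    local, _, domain = sender.addr_spec.rpartition("@")
    if brand.lower() in sender.display_name.lower() and not under_domain(domain, brand_domain):
        findings.append(f"display name says {brand!r} but the sender domain is {domain}")
    if looks_like_typosquat(domain, brand_domain):
        findings.append(f"sender domain {domain} is one edit away from {brand_domain}")
    if len(local) > LONG_LOCAL_PART:
        findings.append(f"machine-generated local part ({len(local)} characters)")

    # Rule 2: the text. Compare each link's real host with the brand's domain.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    for href in re.findall(r'href=["\']([^"\']+)["\']', text, flags=re.I):
        host = urlsplit(href).hostname or ""
        if not under_domain(host, brand_domain):
            findings.append(f"link points at {host}, not {brand_domain}")

    # Rule 3: a request to download something, or an attachment riding along.
    plain = re.sub(r"<[^>]+>", " ", text).lower()
    if any(word in plain for word in DOWNLOAD_WORDS):
        findings.append("message asks the reader to download or install something")
    if any(True for _ in msg.iter_attachments()):
        findings.append("message carries an attachment")
    return findings


if __name__ == "__main__":
    for finding in triage_email(SAMPLE_EMAIL, "Trezor", "trezor.io"):
        print("-", finding)
```

On the sample message this reports four findings: the display name claims Trezor while the domain is bnc3.mailjet.com, the local part is far too long for a human mailbox, the link points at hg6g.mjt.lu rather than trezor.io, and the body asks for a download. The typosquat check stays quiet here because mailjet.com is not a look-alike of trezor.io; it exists for the other common pattern, a domain one character away from the real one.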
However, this is only an elementary template for detecting phishing emails. The people running these scams are creative and keep finding new ways to fool their targets. Always be on guard.