According to a recent post published on r/Bitcoin, Reddit user u/OkLet5529 has had all his cryptocurrency holdings stolen from his Trezor wallet after falling for a phishing scam.
The victim claims that the FBI is already investigating the case and is urging the community "to band together" and hunt down the bad actors.
A million-dollar loot
After the victim contacted blockchain sleuth Chainalysis, it turned out that a fake Trezor website was the culprit.
The pop-up window that required entering the wallet’s seed was a major red flag, but the OP was unfortunate enough to follow the instructions.
It is important to remember not to enter the 24-word seed under any circumstances (unless you are asked to do so by the physical device), as recommended by the Trezor team:
You should only trust the device display and what is written on it. For other sources of information, always maintain a healthy amount of skepticism.
The fraudsters behind the attack were able to collect more than $1 million worth of Bitcoin (BTC), Ethereum (ETH) and Litecoin (LTC).
Phishing attacks are carried out by creating a website that masquerades as the legitimate one by completely copying its design. One such Trezor clone, with an invalid SSL certificate, was spotted back in 2018.
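Because a cloned site copies the real design, the hostname is the part worth checking. The sketch below is an added example, not code from Trezor, Ledger or the article: it classifies a URL as official, lookalike or unrelated, assuming trezor.io and ledger.com are the vendors' official domains (the article does not name them) and using constructed sample URLs.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption: the vendors' official registrable domains (not stated in the article).
OFFICIAL = ("trezor.io", "ledger.com")
BRANDS = tuple(d.split(".")[0] for d in OFFICIAL)

def skeleton(label):
    """Fold a hostname label: strip accents, undo common digit-for-letter swaps."""
    nfkd = unicodedata.normalize("NFKD", label)
    plain = "".join(c for c in nfkd if not unicodedata.combining(c))
    # Cross-script homoglyphs (e.g. Cyrillic) need a confusables table; out of scope here.
    return plain.translate(str.maketrans("0135", "oles"))

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return 'official', 'lookalike' or 'unrelated' for a URL's hostname."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:  # decode punycode (xn--) labels so accented lookalikes compare as text
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or malformed: compare the raw text
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return "official"
    for label in host.split("."):
        folded = skeleton(label)
        if any(b in folded or edit_distance(folded, b) <= 1 for b in BRANDS):
            return "lookalike"
    return "unrelated"

# Constructed sample URLs (.example is a reserved TLD).
SAMPLES = ["https://trezor.io/start", "https://trezor.io.wallet-update.example/",
           "https://trez0r.example/", "https://leder.example/", "https://example.org/"]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{classify(u):10} {u}")
```

A "lookalike" verdict is a prompt to stop and verify, and an "official" verdict never makes it safe to type a seed into a web page.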
The Ledger incident
While the owners of hardware wallets are susceptible to phishing, they are still safe if they take minimal security precautions—which many users evidently ignore.
Last week, however, U.Today reported a strange incident that involved a crypto trader losing his ERC-20 tokens from a Ledger wallet stored in his safe. While not offering a comprehensive follow-up to the story, the owner did apologize to the French wallet manufacturer, which means that he was in the wrong:
I want to take a moment to apologize to the Ledger team. @LedgerSupport was very swift & helpful, despite my attitude. I let my emotions get the best of me, reacting w/o thinking.
Ledger also routinely warns its users about fake Chrome extensions whose only purpose is to steal their seed.