Attackers are using the public disclosure of the vulnerability in the TROPIC01 chip of the Trezor Safe 7 hardware wallet to distribute false messages instructing users to update their device’s firmware, Bitcoin developer Jameson Lopp warned on June 4 via X.
The link included in those messages directs to a fake web application that pretends to be Trezor Suite with the aim of stealing user funds. Lopp also shared an image of the message that the hackers send.


Trezor Suite is the official application of the Trezor wallet to manage funds and configure the device from a computer. The fraudulent version imitates its appearance to induce the user to enter sensitive information. This type of attack is called phishing: a technique in which attackers impersonate a legitimate entity to trick the user and gain access to their funds or personal data.
In this case, although it is not known how the attackers obtained the contact information of the recipients of the fraudulent messages, they could have accessed it after the leak that occurred at Trezor in 2021. On that occasion, the data of more than 66 thousand users was exposed.
The campaign exploits the context generated by the June 3 announcement, in which, as reported by CriptoNoticias, Trezor acknowledged a weakness in the TROPIC01 chip of its Safe 7 model. The company clarified that funds and private keys remain protected and users do not need to take any action. Trezor did not request any firmware update in response to that vulnerability.
Matías Mathey, Bitcoin self-custody expert and bitcoiner educator, pointed out that the real vector of the attack is not technical but social engineering: an approach in which cybercriminals do not need to compromise the user’s hardware but instead manipulate their behavior. “They don’t need to hack your hardware wallet. They just need a click where you shouldn’t,” he wrote.
How to avoid falling into the trap?
Mathey listed two recommendations to avoid these types of scams. First, never update the firmware (the base software that controls the internal workings of the device) from links received by email, Telegram, WhatsApp or social networks. Legitimate updates are carried out exclusively from the manufacturer’s official application.
Second, the seed (or seed phrase, the sequence of words that allows you to regain access to a wallet and with which the owner controls the funds) should never be typed into a computer connected to the internet.
The episode exposes a pattern in which high-profile vulnerability disclosures are systematically exploited to launch social engineering campaigns targeting users who have not yet processed the actual content of the original announcement. The fear of losing funds precedes reading, and that window is what attackers exploit.
