Hardware crypto wallet manufacturer Trezor issued a public statement on Monday morning to address a security incident involving its customer support contact system. The company confirmed that attackers had managed to exploit its support auto-reply mechanism to send phishing emails posing as communication from its team.

The alert was posted on the company’s official X account, warning users not to share their wallet backup under any circumstances. 

“These scam emails appear legitimate but are a phishing attempt,” Trezor stated. “Remember, NEVER share your wallet backup, it must always stay private and offline. Trezor will never ask for your wallet backup. The issue has been contained. Security is a continuous process. Stay vigilant.”

Phishing emails triggered by contact form exploit

Trezor said the breach did not involve unauthorized access to user data or email systems. Attackers submitted fraudulent queries through Trezor’s public contact form using email addresses of actual users. 

After gaining access to the email contact form, the hackers sent automatic email responses from the company, which appeared as a legitimate support message from the hardware wallet provider.

“There was no email breach,” the company clarified in a follow-up post. “Attackers contacted our support on behalf of affected addresses, triggering an auto-reply as a legitimate Trezor support message.”

Here’s what happened

There was no email breach.

Attackers contacted our support on behalf of affected addresses, triggering an auto-reply as a legitimate Trezor support message.

Our contact form remains safe and secure.

We're actively researching ways to prevent future…

— Trezor (@Trezor) June 23, 2025

Trezor assured users that it is working on safeguards to prevent the misuse of its support system in the future. The incident was reportedly contained..

Trezor cautions users to ‘be vigilant’ against phishing tactics

In response to some users making inquiries about the incident on X, Trezor shared an article covering common tactics scammers use to trick hardware wallet owners. The perpetrators’ tactics often involve impersonating customer support and requesting information like wallet backups, login credentials, or two-factor authentication codes.

“Requests for your wallet backup, passwords, 2FA codes, or any personal information are clear red flags of a scam,” the article read.

The post also mentioned that when users hold their crypto in a hardware wallet like Trezor, they alone possess the keys to access it. Because of this, scammers often go to great lengths to convince users to hand over their recovery seed or wallet backup, information that gives them full control over the wallet’s contents.

“Once attackers have access to a wallet backup, they can transfer all the funds to their accounts, leaving victims with nothing,” Trezor noted.

Users are advised to keep firmware and software up to date, avoid clicking unknown links, and verify the authenticity of all communications. The firm also reiterated that updates to the Trezor Suite and device firmware are only done through the official desktop app.

June sees uptick in cyberwar campaigns and crypto-related hacks

The Trezor incident comes just days after a pro-Israeli hacking group known as Predatory Sparrow claimed responsibility for multiple cyber attacks against Iranian targets.

Among the targets was Bank Sepah, one of Iran’s oldest financial institutions. The cyberattack reportedly halted banking services, causing issues for customers. Predatory Sparrow also drained approximately $90 million from Nobitex, Iran’s largest cryptocurrency exchange. 

On Thursday, Cryptopolitan reported that the group published internal source code files from the exchange on X.

Moreover, footage circulated online showing Iranian television broadcasts being hijacked with anti-regime messages. Late last week, authorities instituted a nationwide internet blackout to “strangle” the flow of anti-government information. As of Sunday, the blackout was still largely in effect. 

According to analysts, the information shutdown was a defensive move to prevent any public mobilization triggered by the leaks and televised intrusions.

Your crypto news deserves attention - KEY Difference Wire puts you on 250+ top sites