Key Takeaways
Following CCN’s coverage of a security breach of Trezor’s official X (formerly Twitter) account, which led to the posting of fraudulent presale token announcements, SatoshiLabs, the company behind Trezor, issued a detailed explanation of the incident.
The breach was, at the time, suspected to be a SIM swap attack.
The situation began on March 19. On that date, blockchain investigator ZachXBT alerted his 528,000 followers about a possible security breach at Trezor. Not long after, crypto security firm Scam Sniffer also detected and flagged this suspicious activity.
SatoshiLabs reported that they detected unauthorized access to their X account at 11:53 PM on Tuesday, March 19. It said this happened despite its robust security measures, such as strong passwords and two-factor authentication. The breach is believed to be a complex and premeditated phishing attack, which hackers prepared for several weeks.
The company said:
“We want to stress here that the security of all our products remains unaffected. This incident has in no way impacted or compromised the security of Trezor hardware wallets or any of our other products. Your Trezor device and Trezor Suite remain safe to use.”
SatoshiLabs has emphasized that they do not use SMS for two-factor authentication (2FA), opting instead for what they say are more secure authentication methods. Despite these precautions, attackers managed to make a series of unauthorized and misleading posts. These included requests for users to send funds to an unidentified wallet address, alongside harmful links sending users to a bogus token presale.
Once SatoshiLabs became aware of the breach, the deceptive posts were promptly identified and removed, limiting the potential damage.
SatoshiLabs’ X account breach was traced back to a meticulously planned phishing attack, which took place over several weeks. Investigations reveal that, from February 29, 2024, attackers masqueraded as a reputable entity within the crypto community. They even had a convincing social media presence and took part in seemingly genuine conversations.
Posing as an X account with thousands of followers, the impersonator contacted SatoshiLabs’ PR team and proposed an interview with the CEO. A meeting was set up, and a malicious link was eventually shared under the guise of a Calendly invitation.
When a team member clicked the link, they were directed to a page asking for X login details. This immediately raised red flags and the interaction was halted, but the meeting was rescheduled. During the rescheduled call, the attacker, feigning technical difficulties, persuaded the team member to “authorize” a connection in order to join the call. What that authorization actually did was link an app controlled by the attacker, presented as Calendly, to SatoshiLabs’ X account. It is this app-level authorization, not a stolen password or a defeated second factor, that allowed the attacker to post fraudulent tweets on SatoshiLabs’ behalf, which is why strong passwords and 2FA did not stop it.
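The consent screen the team member clicked through is an OAuth 2.0 authorization request, and the damage is decided by what that request asks for. The following checker, an added example that is not from the CCN article or from SatoshiLabs, parses such a link and flags the things a reviewer should notice before clicking “authorize”: a consent page not hosted by X at all (a credential-phishing page, like the first link in the story), a redirect_uri that does not belong to the vendor the invitation claims to be from, write scopes that let the app post as the account, and offline.access, which keeps the grant alive across logouts. The scope names are X’s documented OAuth 2.0 scopes; the host list, the “expected scopes” baseline for a scheduling tool, the client IDs and all sample URLs are assumptions constructed for the example.

```python
"""Check an OAuth 2.0 consent link of the kind used in the Trezor X account phish.

Added example; not code from CCN or SatoshiLabs. Scope names follow X's OAuth 2.0
documentation; hosts, client IDs and sample URLs are constructed for illustration.
"""
from urllib.parse import urlparse, parse_qs

# Hosts that serve X's OAuth 2.0 authorize page (assumed for this example).
X_HOSTS = {"twitter.com", "x.com"}

# Scopes that let an app act as the account rather than merely read it.
WRITE_SCOPES = {
    "tweet.write", "tweet.moderate.write", "dm.write", "follows.write",
    "like.write", "list.write", "block.write", "mute.write",
}
# Scope that issues a refresh token, so access survives logout until revoked.
PERSISTENT_SCOPES = {"offline.access"}


def parse_authorize_url(url: str) -> dict:
    """Pull the security-relevant parameters out of an authorize URL."""
    parts = urlparse(url)
    query = parse_qs(parts.query)
    scopes: set[str] = set()
    for value in query.get("scope", []):          # scope is space-separated
        scopes.update(value.split())
    redirect = query.get("redirect_uri", [None])[0]  # parse_qs already URL-decodes it
    return {
        "host": (parts.hostname or "").lower(),
        "client_id": query.get("client_id", [None])[0],
        "redirect_host": (urlparse(redirect).hostname or "").lower() if redirect else "",
        "scopes": scopes,
    }


def assess_consent_link(url: str, vendor_domains: set[str], expected_scopes: set[str]):
    """Return (verdict, findings) for a consent link claimed to come from a vendor.

    verdict is "deny" (grants the app more than the vendor could need or is not a
    real X consent page), "review" (minor oddities) or "ok".
    """
    info = parse_authorize_url(url)
    findings = []

    on_x = info["host"] in X_HOSTS
    if not on_x:
        findings.append(f"consent page not hosted by X ({info['host']!r}): "
                        "treat as a credential-phishing page")

    rh = info["redirect_host"]
    vendor_ok = bool(rh) and any(rh == d or rh.endswith("." + d) for d in vendor_domains)
    if not vendor_ok:
        findings.append(f"redirect_uri host {rh!r} does not belong to the claimed vendor")

    write = info["scopes"] & WRITE_SCOPES
    if write:
        findings.append("write scopes requested: " + ", ".join(sorted(write))
                        + " (the app could post as the account)")
    if info["scopes"] & PERSISTENT_SCOPES:
        findings.append("offline.access requested: access persists until the app is revoked")

    other_extra = info["scopes"] - expected_scopes - WRITE_SCOPES - PERSISTENT_SCOPES
    if other_extra:
        findings.append("scopes beyond what the integration needs: "
                        + ", ".join(sorted(other_extra)))

    if write or not on_x or not vendor_ok:
        verdict = "deny"
    elif findings:
        verdict = "review"
    else:
        verdict = "ok"
    return verdict, findings


# Constructed sample links (client_id values and hostnames are made up).
BENIGN_URL = ("https://twitter.com/i/oauth2/authorize?response_type=code"
              "&client_id=ZXhhbXBsZQ&redirect_uri=https%3A%2F%2Fcalendly.com%2Fcallback"
              "&scope=users.read&state=abc&code_challenge=xyz&code_challenge_method=S256")
PHISH_URL = ("https://twitter.com/i/oauth2/authorize?response_type=code"
             "&client_id=YXR0YWNrZXI&redirect_uri=https%3A%2F%2Fcalendly-invite.example%2Fcb"
             "&scope=tweet.read%20tweet.write%20users.read%20offline.access&state=abc")
CRED_PHISH_URL = "https://calendly-invite.example/x/login"

CALENDLY_DOMAINS = {"calendly.com"}
SCHEDULING_SCOPES = {"users.read"}   # assumed baseline for a scheduling integration

if __name__ == "__main__":
    for name, url in [("benign", BENIGN_URL), ("oauth phish", PHISH_URL),
                      ("credential phish", CRED_PHISH_URL)]:
        verdict, findings = assess_consent_link(url, CALENDLY_DOMAINS, SCHEDULING_SCOPES)
        print(f"{name}: {verdict}")
        for f in findings:
            print("  -", f)
```

The point of the check is that the attacker never needed the password or the second factor: the authorize page is a genuine X page and the team member is already logged in, so the only defence at that moment is reading the scope list and the redirect target. Any request from a “scheduling” integration that includes tweet.write should be refused outright, and offline.access means the grant keeps working until someone revokes the app.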
SatoshiLabs’ immediate response focused on minimizing the impact. The company removed the offending posts and terminated all active sessions, including those associated with third-party applications, which is what cut off the attacker’s app-level access. Acting quickly here was critical to containing the situation and preventing additional damage.
Following these initial steps, SatoshiLabs began a thorough security audit of the breach. The audit aims to establish how the attackers circumvented SatoshiLabs’ security protocols, identify the specific methods they used, and put in place measures to prevent similar incidents in the future.