On August 8, 2025, Trezor emailed its customers with a warning. The company said it’s seeing more phishing attacks aimed at people who use its wallets. The note explained what’s going on and gave tips to avoid getting caught.
Here is what they said.
They have seen a sharp rise in phishing scams. Scammers are impersonating:
- Crypto exchanges
- Trezor Wallet support
- Other hardware wallet brands
- Even team members at Trezor
They’ve seen fake emails, scam phone calls, counterfeit devices on retail sites, phishing ads, fake apps and websites, and fake social media profiles.
They stressed one big point: you only enter your recovery seed words on your Trezor device. That happens only when you restore a wallet if your device is lost, damaged, or new. It’s rare.
If anyone asks for your backup via email, phone, app, or website—even if they call it a “recovery key” or “security check”, it’s a scam.
They also warned about other red flags:
- Unsolicited requests for passwords, 2FA codes, or personal info
- Messages that make you feel rushed or panicked—they want you to act fast
- If it makes your stomach drop, just hang up, close the tab, or ignore the message
They reminded users: if your backup is offline and safe, your crypto is safe.
Next, they urged users to verify senders before clicking anything. Official Trezor emails come from noreply@trezor.io, and real domain is @trezor.io. They’ll never ask for your wallet backup.
Finally, they listed steps they’re taking to fight scams:
- Working with Phishfort to remove phishing sites—average takedown is 48.79 hours in the last six months
- Reporting scam domains
- Legal escalations for fake product listings
- Reporting phishing ads
- Updating Trezor Suite and trezor.io with phishing alerts
This message wasn’t Trezor’s first phishing alert. In June 2025, Trezor warned that scammers abused its support contact form to send phishing emails that looked like real support replies.
Attackers sent fake requests using users’ addresses and triggered auto-replies from Trezor. Without breaching its systems, Trezor’s own infrastructure was used to spread phishing attempts. That alert made it clear: There was no email breach, the contact form remains safe, and Trezor will never ask for your wallet backup.
