Crypto wallets targeted by phishing scam via Mailchimp

It has been revealed that hackers breached the email marketing platform Mailchimp in order to target cryptocurrency service users. Cryptocurrency hardware wallet company Trezor announced the breach on Twitter on April 3, 2022, stating that Mailchimp had confirmed a breach targeting cryptocurrency companies. 

So how did the breach happen, and how much were users impacted? Read on to find out.

What happened?

On April 4, Trezor published a blog post outlining what the breach and phishing scam involved. Mailchimp’s security team told Trezor that a hacker successfully performed a social engineering attack on Mailchimp employees to access a specific Mailchimp tool. Customer-facing teams tend to use this tool for account administration and customer support. The malicious actors used the data gleaned from this tool, which included access to newsletter databases, to launch a sophisticated phishing scam on Trezor’s customers.

Mailchimp CISO Siobhan Smyth told TechCrunch that the data breach was first discovered on their end on March 26, explaining “We acted swiftly to address the situation by terminating access for the compromised employee accounts and took steps to prevent additional employees from being affected.” However, this was not swift enough to prevent damage from being done. By then, the hackers had viewed over 300 Mailchimp accounts, gleaning audience data from 102 of them.

How the phishing scam worked

The most insidious aspect of the attack (apart from the cryptocurrency stolen from customers) is that the phishing email appeared to be a very convincing announcement of a security breach. It told users that they had been affected by the violation, and to protect their assets, they would need to “download the latest version of Trezor”, enter their seed information, and set up a new PIN for their wallet. 

Of course, once the user did this, their assets were the opposite of protected — their funds were immediately transferred to the attacker’s wallet.

The well-written and convincing email led users to a cloned version of Trezor Suite and a web version of the app, both of which had a high level of functionality and attention to detail. If you weren’t paying close attention, you’d be forgiven for not noticing anything was amiss. However, Trezor mentions in its blog post that its app is digitally signed by SatoshiLabs, and that the malicious app should have triggered a warning from a user’s OS that it had come from an unknown source. A missing or unexpected signature warning is always something to be mindful of when downloading applications. 
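As an added example (not part of the original article, and not Trezor’s or Mailchimp’s code), the following Python script applies two checks a defender can run over inbound mail of the kind described above: does every link resolve to the vendor’s own domain (lookalikes that use the genuine name as a prefix, or swap a hyphen for a dot, fail the check), and does the text ask for a recovery seed or a new PIN, which a wallet vendor will not ask for by email. The domain allowlist (`wallet-vendor.example`) and both sample messages are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist (assumption): the only host a genuine mailing from this
# vendor would link to, plus its subdomains. Replace with the real vendor domain.
ALLOWED_HOSTS = {"wallet-vendor.example"}

# Requests that a hardware-wallet vendor does not make by email. Any match is a red flag.
SECRET_REQUEST_PATTERNS = [
    r"\b(recovery|seed)\s+(phrase|words?)\b",
    r"\benter\s+your\s+(seed|recovery|private\s+key)\b",
    r"\bset\s+up\s+a\s+new\s+pin\b",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_is_allowed(url, allowed=ALLOWED_HOSTS):
    """True only for an allowed host or a genuine subdomain of one.

    Lookalikes such as 'wallet-vendor.example.attacker.test' (allowed name used as
    a prefix) or 'wallet-vendor-example.test' (hyphen for dot) both fail the check.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def extract_urls(text):
    # Strip trailing punctuation that the regex swallows at sentence ends.
    return [u.rstrip(".,;:)") for u in URL_RE.findall(text)]


def analyze_message(text):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    for url in extract_urls(text):
        if not host_is_allowed(url):
            findings.append(f"link to non-vendor host: {urlparse(url).hostname}")
    lowered = text.lower()
    for pattern in SECRET_REQUEST_PATTERNS:
        if re.search(pattern, lowered):
            findings.append(f"asks for wallet secrets (matched /{pattern}/)")
    return findings


def is_suspicious(text):
    return bool(analyze_message(text))


# Constructed sample messages, modelled on the scenario described in the article.
PHISHING_SAMPLE = """Subject: Security incident - action required

Dear user, your account was affected by a data breach. To protect your assets,
download the latest version from https://wallet-vendor.example.attacker.test/suite,
enter your recovery seed and set up a new PIN for your wallet.
"""

BENIGN_SAMPLE = """Subject: Release notes

A new firmware version is available. Read the change log at
https://blog.wallet-vendor.example/releases and update from within the app.
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, analyze_message(sample) or "no findings")
```

The host check deliberately compares whole labels (`host == a` or `host.endswith("." + a)`) rather than using `a in host`, because a plain substring test would accept exactly the prefix-style lookalike domains phishers register. The keyword patterns are a heuristic: a legitimate warning such as “never enter your seed on a website” would also trip them, so treat a match as a reason to inspect the mail, not as proof on its own.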

If you were targeted in this scam, head to the Trezor blog to find out what you should do next. 

The takeaway

This troubling turn of events reveals the need for better education on social engineering and how it can play out. That employees of a very widely used online platform were duped is a testament to the fact that these tricks can fool anyone. To learn more about social engineering, check out our blog post on social engineering and how to protect yourself.
