Trezor - Fake e-mail analysis

Posted on | 496 words | ~3mins

For those who don’t know, I invest in some cryptocurrencies, and I decided to buy a hardware wallet from Trezor. Today I woke up to an unexpected e-mail that was apparently sent by them:

Fake e-mail

I usually delete “alarming” e-mail messages right away, but a few things in this message led me to believe it when I read it.

I have a habit of creating accounts with e-mail aliases. An e-mail alias is nothing more than a keyword added to an e-mail address: instead of using [email protected] on every site, I use [email protected], for example. This is very useful for security, but I’ll get into why in a different article.

What led me to trust this e-mail, however, was that it arrived at the alias, and specifically at an alias I only use for that service.

When I opened the URL, I got redirected to the following page:

Fake Trezor website

When I decided to open the main page, trezor.com, I noticed something was wrong. I ended up in a Russian store that sells beautiful and robust lockers:

Russian store selling beautiful lockers

Did you notice something odd in the URL? The page I ended up on was suite.trẹzor.com, with ẹ, not e. The domain looks a bit different once converted:

Converted domain

This scam is known as an IDN homograph attack. Such domains look almost identical to the original one but use characters outside the basic Latin alphabet, such as Cyrillic letters or accented letters like ã or, in this case, ẹ.
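As an added example (not part of the original post), here is a small Python check that converts a domain to the punycode form a resolver actually looks up and flags any non-ASCII label that merely looks like a watched brand. The watchlist and the short Cyrillic lookalike map are my own assumptions; Unicode’s confusables list is far larger.

```python
import unicodedata

# Hand-picked Cyrillic letters that render like Latin ones (constructed
# subset for this example; see Unicode confusables.txt for the full list).
CYRILLIC_LOOKALIKES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y",
})

# Assumed watchlist of brand names we want to protect.
WATCHLIST = {"trezor"}


def to_punycode(domain: str) -> str:
    """Return the ASCII (xn--) form of a domain, label by label."""
    labels = []
    for label in domain.lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def skeleton(label: str) -> str:
    """Collapse a label to the Latin letters a reader perceives:
    decompose accents (ẹ -> e + combining dot below), drop the combining
    marks, then swap known Cyrillic lookalikes for their Latin twins."""
    decomposed = unicodedata.normalize("NFKD", label)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.translate(CYRILLIC_LOOKALIKES)


def analyze(domain: str, watchlist=WATCHLIST) -> dict:
    """Flag labels that are not plain ASCII but look like a watched brand."""
    findings = []
    for label in domain.lower().split("."):
        if label.isascii():
            continue  # plain ASCII label, nothing to confuse
        look = skeleton(label)
        if look in watchlist:
            findings.append(f"{label!r} renders like {look!r} but is not")
    return {"domain": domain, "punycode": to_punycode(domain),
            "homograph": bool(findings), "findings": findings}


if __name__ == "__main__":
    # "\u1eb9" is the dotted e from the phishing page; "\u0435" is Cyrillic e.
    for d in ("suite.tr\u1eb9zor.com", "suite.trezor.io", "tr\u0435zor.com"):
        print(analyze(d))
```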

Looking at the page, I decided to click on Trezor Suite for web to see where I would land. The link points to web.trezorwallet.org, which differs from the official URL, https://suite.trezor.io/web/.

With these suspicions in mind, I checked the registration dates of these domains, which are also a bit odd:

Domain                             Role                           Creation date
xn--trzor-o51b.com (trẹzor.com)    Main page                      27.03.2022 - 11:09:17 (UTC)
trezorwallet.org                   Web client                     27.03.2022 - 07:03:32 (UTC)
trezor.us                          Domain from the scam e-mail    09.07.2021 - 00:01:19 (UTC)

Trezor has existed as a company since 2013. Such brand-new domains are another indication of a scam.

Another thing to keep in mind is that most of the apps Trezor builds are open source, including Trezor Suite, the landing page and their own website. Because of that, anyone can download the source code, edit the clients and create scam apps or pixel-perfect copies of the pages.

After analyzing all these factors, even though the e-mail convinced me at first because of the alias, everything suggests that their e-mail list was leaked somehow and these e-mails are a scam attempt.

Trezor also announced on their Reddit the potential data leak at MailChimp.

I reported the incident to all the companies involved in the domain registrations (found by checking their WHOIS records), to the Internet Crime Complaint Center and to the Internet Beschwerdestelle.

Updates

  • Trezor has confirmed on Twitter the data leak on MailChimp’s side.
  • The domains trezor.us and xn--trzor-o51b.com (trẹzor.com) were taken down (source).
  • After getting feedback, some paragraphs were rewritten to improve reading experience.