Kaspersky uncovers fake Trezor wallets that jeopardize crypto assets

Lab investigators found that the private key was already known to the hackers before the victim had even purchased the machine.

Kaspersky Labs, a Russia-based multinational cybersecurity and anti-virus firm, said in a report published this month that it discovered a fake Trezor Model T with a custom firmware which hackers had installed to extract Bitcoins. 

The device was purchased by a crypto trader through a popular Russian marketplace website. On a close examination, it turned to be a clone of the Trezor hardware wallet, designed to pilfer cryptocurrency holdings.

The victim complained that his funds had been stolen after using the device. This happened because the hackers had known the private key before the machine was sold or copied it as soon as it was generated.

The fake cryptowallet would operate as normal, but the attackers had full control over it from the very beginning, Kaspersky specified.

Thanks to the deactivated flash-memory read-out protection, which the attackers decided not to turn on after the new microcontroller was soldered in, the lab easily extracted the wallet firmware and, by reconstructing its code, discovered that the attackers indeed knew the private key in advance.

“The original bootloader and wallet firmware received only three modifications:

First, the bootloader-checks for protection mechanisms and digital signatures were removed, thus getting rid of the “red screen” problem during the firmware originality check at startup.

Second, at the initialization stage or when resetting the wallet, the randomly generated seed phrase was replaced with one of 20 pre-generated seed phrases saved in the hacked firmware. The owner would begin using it instead of a new and unique one.

Third, if the user chose to set an additional master-seed protection password, only its first symbol (a…z, A…Z, 0…9 or ! for any special character) was used, which, together with the no-password option, gave just 64 possible combinations. Thus, to crack a given fake wallet, only 64*20=1280 variants were to be considered,” the Kaspersky report says.

More to read:
Anonymous hacker exposes almost 1,000 crypto wallets linked to Russian security services

According to the transaction history, the hackers were in no hurry, waiting a whole month after the wallet was credited for the first time before they grabbed the money. The owner had no protection whatsoever: the game was lost from the very moment the money first arrived in the Trojan wallet.

The device’s packaging was meticulously sealed and utilized Trezor’s tamper-resistant holographic labels typically affixed to their products. At a first glance, the wallet appeared to be exactly the same as a genuine one, and showed no signs of tampering. Upon unpacking, distinct traces of soldering were evident, alongside the presence of an entirely different microcontroller.

Kaspersky also revealed that the fraudulent hardware wallet executed unauthorized transactions without even being connected to a computer.

Trezor responded to the report with an explanation on its blog that “As described in the article, it seems highly probable it’s the case from May 2022, when several fake devices from an unauthorized Russian reseller surfaced. We promptly alerted our customers via blog. Since then, no such incidents have been reported to us.”

The manufacturer recommended users to purchase original devices from its Trezor Shop and other authorized vendors.