Why did I receive a Trezor phishing email from Substack?

Last night I was unfortunate enough to join the long list of individuals who have been targeted by crude phishing attempts claiming to be from hardware wallet maker Trezor.

This email, which had the subject line “Quantum Vulnerability Disclosure,” claimed that it was notifying me of a new firmware for my wallet that would help protect it against a fictitious exploit rooted in “recent breakthroughs in quantum technology” that “have revealed vulnerabilities in existing encryption.”

The email encouraged me to “take immediate action to protect [my] information” by making sure to upgrade my device’s firmware.

It falsely claimed that the upgrade was “necessary to safeguard your assets and prevent exposure to these evolving threats.”

The most interesting thing about the email, however, was that it wasn’t from Trezor but rather [email protected].

How it works

Greg Lockard runs the Greg Expectations newsletter in which he provides “updates about the comic books and graphic novels I am working on as both a writer and an editor.”

In a follow-up email sent from his Substack after the apparent compromise, he encouraged his subscribers to ignore the phishing email, noting that his Substack was hacked and claiming he was working with Substack to rectify the problem.

Once Lockard’s Substack was hacked, it appears it was possible for the hacker to add emails to its list, a feature intended to make it easier for creators to import their email lists from other platforms.

This meant that even though I wasn’t previously a subscriber, they were able to add me as one without confirmation.

Screenshot from one of the emails.

The hacker was aided in their quest to target crypto users by Trezor’s security failures, with a third-party support portal it used being compromised in 2024.

Users who received this email and then clicked the “Upgrade Firmware” button in the newsletter were directed to quantumshield-trezor[dot]io, which is currently unavailable.

This domain would presumably have hosted a website that either encouraged users to install malware or attempted to trick them into revealing their seed phrase.
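
The two signals described above can be checked mechanically by a mail filter: the message names a brand while the sender's domain belongs to someone else, and the button links to a host that merely contains the brand name. The following is an added example, not code from Protos, Substack or Trezor. The message is constructed, the sender address is a placeholder (the page does not show the real one), and the allow-list entry trezor.io is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains each brand legitimately sends from and links to.
OFFICIAL = {"trezor": {"trezor.io"}}

# Constructed sample modelled on the email described in the article.
# The link host is kept defanged in the source and re-fanged for parsing.
SAMPLE = """\
From: Greg Expectations <sender@newsletter.example>
To: reader@example.org
Subject: Quantum Vulnerability Disclosure
Content-Type: text/html

<p>Trezor: upgrade your firmware to safeguard your assets.</p>
<a href="https://quantumshield-trezor[dot]io/update">Upgrade Firmware</a>
""".replace("[dot]", ".")

def host_matches(host, domains):
    """True only for an official domain or a true subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def brand_mismatch(raw):
    """Return findings for a message that names a brand it does not come from."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    hosts = {(urlparse(u).hostname or "").lower()
             for u in re.findall(r'href="([^"]+)"', body, re.I)}
    findings = []
    for brand, domains in OFFICIAL.items():
        if brand not in text:
            continue  # brand is never mentioned, nothing to compare
        if not host_matches(sender, domains):
            findings.append(f"{brand}: sender domain {sender} is not official")
        for h in sorted(hosts):
            # A brand token inside an unrelated host is the lookalike pattern.
            if brand in h and not host_matches(h, domains):
                findings.append(f"{brand}: lookalike link host {h}")
    return findings

if __name__ == "__main__":
    for finding in brand_mismatch(SAMPLE):
        print(finding)
```
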

Protos reached out to Substack to determine what steps it takes to prevent this type of attack and how this one specifically managed to avoid them, but it did not immediately respond.

Do we need to be worried about quantum vulnerability?

While quantum computers are still progressing and may eventually pose a threat to a variety of encryption types currently in use, as it stands, the systems are expensive and lack the capacity to break most encryption.

Once quantum computers are deployed, they’ll be controlled by a small number of actors and will likely initially focus on a small number of targets.

There is also active and substantial development work underway on various chains in an effort to come up with mitigation strategies to reduce the likelihood of these attacks being successful.

In general, be extraordinarily cautious whenever any email or website suggests that you need to give it access to your wallets. Phishing is a much larger risk than quantum computing at this time and for the near future.
