Yikes. Be careful out there folks. Only buy your Bitcoin hardware wallets from the manufacturer.

The article mentions a supply chain attack; if that is the case, even buying from the vendor wouldn't prevent it. However, we don't know where the victim purchased the device. Buying from a third party is just asking for trouble.

https://www.kaspersky.com/blog/fake-trezor-hardware-crypto-wallet/48155/


Discussion

Yeah, vendor direct period. I'm waiting on the urinal scanners looking for open bluetooth. 😂

wait, what?

Sheesh! Scammers be scamming.

"A popular classifieds website" sounds like eBay. Definitely a shady place to buy a hardware wallet.

With the Trezor tho they don't come with a firmware, they come blank and you gotta flash the firmware yourself. At least that was the case when I got mine recently.

No detail about whether the modified hardware had a hacked bootloader able to steal keys from the official firmware, but it sounds like fake firmware was preinstalled since the version number didn't exist, so that should set off alarm bells right there for anyone who knows how Trezor setup works.

Not sure if Trezor started shipping without firmware after these fakes started circulating, but that precaution is there now and would alert you to a fake device instantly.

And yeah don't buy one from anywhere but the official shop of the manufacturer. And definitely not eBay.

“Second, at the initialization stage or when resetting the wallet, the randomly generated seed phrase was replaced with one of 20 pre-generated seed phrases saved in the hacked firmware. The owner would begin using it instead of a new and unique one.”

Supplying your own entropy and verification of the generated address would have detected this.

But man, seeing this for real is wild.

Lesson of the day: never introduce counterparty risk when it can be avoided!
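The check the comment above describes (supply your own entropy, then verify what the device produces) can be shown with a small simulation. This is an added example written for this discussion, not code from the thread, from Kaspersky, or from Trezor: the "device" is a Python model, the pre-generated seed list is constructed, seeds are 32-byte values rather than BIP39 phrases, the mixing rule SHA-256(device_entropy || user_entropy) is an assumption standing in for the real reset protocol, and `derive_address` is a stand-in for real BIP32 derivation. The point it demonstrates holds regardless of those simplifications: firmware that substitutes a canned seed cannot also produce the seed and address an independent recomputation expects.

```python
import hashlib
import secrets

# Constructed stand-in for the attacker's list of canned seeds. The article says
# the hacked firmware carried 20; real ones would be BIP39 phrases, modelled here
# as 32-byte values.
PREGENERATED_SEEDS = [hashlib.sha256(b"fake-seed-%d" % i).digest() for i in range(20)]


def mix_entropy(device_entropy, user_entropy):
    """Assumed mixing rule: the seed is SHA-256 over device entropy followed by
    user-supplied entropy. This is an illustrative model, not Trezor's exact protocol."""
    return hashlib.sha256(device_entropy + user_entropy).digest()


def derive_address(seed):
    """Stand-in for key derivation (BIP32/BIP44 -> address). Any deterministic
    function of the seed suffices for the check; this is NOT a real Bitcoin address."""
    return "addr_" + hashlib.sha256(b"addr" + seed).hexdigest()[:16]


def honest_device_reset(user_entropy):
    """Model of an honest wallet: draws fresh entropy, mixes in the user's
    contribution, and reports (device_entropy, seed, address) to the user."""
    device_entropy = secrets.token_bytes(32)
    seed = mix_entropy(device_entropy, user_entropy)
    return device_entropy, seed, derive_address(seed)


def compromised_device_reset(user_entropy):
    """Model of the hacked firmware described in the article: it displays a
    plausible device entropy but hands out one of the pre-generated seeds,
    ignoring both its own and the user's entropy."""
    device_entropy = secrets.token_bytes(32)
    seed = secrets.choice(PREGENERATED_SEEDS)
    return device_entropy, seed, derive_address(seed)


def verify_reset(device_entropy, user_entropy, shown_seed, shown_address):
    """The user-side check: recompute the seed from the entropy the device
    claims to have used plus the entropy you supplied, then confirm both the
    displayed seed and the first address match. A canned seed fails here."""
    expected_seed = mix_entropy(device_entropy, user_entropy)
    return shown_seed == expected_seed and derive_address(expected_seed) == shown_address


def run_demo(user_entropy=b"\x01" * 32):
    """Returns (honest_passes, compromised_passes) for one reset of each model."""
    honest = verify_reset(*honest_device_reset(user_entropy)[:1], user_entropy,
                          *honest_device_reset(user_entropy)[1:]) if False else None
    d, s, a = honest_device_reset(user_entropy)
    honest = verify_reset(d, user_entropy, s, a)
    d, s, a = compromised_device_reset(user_entropy)
    compromised = verify_reset(d, user_entropy, s, a)
    return honest, compromised


if __name__ == "__main__":
    ok, bad = run_demo()
    print("honest device verifies:", ok)
    print("compromised device verifies:", bad)
```

Note that the verification only has teeth if the entropy you supply is not shown to the device before it commits to its own contribution and if the address comparison is done on a machine you trust; otherwise malicious firmware could simply echo whatever makes the check pass.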

tf

tf

This is where multisig wallets are great. Even if a hacker can get the key on your hardware (like this example) they won’t be able to move funds and would need to figure out a way to get access to another of your keys to do so.

Seedsigner is affordable and no single manufacturer has a likely attack vector.