Fake Trezor Support Social Engineering — $282M Heist
Summary
On January 10, 2026, an unidentified victim lost approximately $282 million in Bitcoin and Litecoin after an attacker impersonating Trezor 'Value Wallet' customer support convinced the victim to disclose their 24-word seed phrase, granting the attacker complete wallet access. This is the largest individual social engineering crypto theft ever recorded, surpassing the previous record of $243 million set in August 2024. Stolen funds were laundered through ThorChain, multiple instant exchanges, and converted predominantly into Monero, causing XMR to surge up to 80% in the days following the incident; no suspect has been publicly identified and full recovery is considered extremely unlikely.
Connected Entities
1 entities · 10 linked investigationsTimeline(7 events)
2024-08-19
Previous record set: a Genesis creditor loses $243 million in Bitcoin (4,064 BTC) via social engineering, with attackers impersonating Google and Gemini support. This case results in two DOJ indictments in September 2024.
CoinDesk2026-01-10
At approximately 23:00 UTC, an unknown victim loses approximately 1,459 BTC (~$139M) and 2.05 million LTC (~$153M) after disclosing their 24-word seed phrase to an attacker impersonating Trezor 'Value Wallet' customer support. Total loss: ~$282 million.
CoinDesk / ZachXBT / ZeroShadow2026-01-10
Within approximately 20 minutes of the theft, ZeroShadow identifies the attack in real time and freezes approximately $700,000 worth of assets before they can be converted to Monero.
FinanceFeeds / Bitcoinist2026-01-10
The attacker begins laundering stolen BTC through ThorChain, bridging to Ethereum, XRP, and Litecoin, while converting the bulk of stolen funds to Monero (XMR) through multiple instant exchanges.
CoinDesk / FinanceFeeds2026-01-14
Monero (XMR) reaches an all-time high of approximately $797–$800, a surge of approximately 70–80% from pre-theft price levels, as market liquidity absorbs the large-scale conversion of stolen assets.
Bitcoin.com News / Ainvest2026-01-16
CoinDesk and other major outlets publish detailed reporting on the theft, citing ZachXBT's analysis and ZeroShadow's findings. ZachXBT publicly excludes North Korean state-sponsored actors as suspects.
CoinDesk2026-02-16
A separate but related hardware wallet impersonation campaign surfaces: physical letters sent via postal mail to Trezor and Ledger customers, impersonating official company communications and directing recipients to scan QR codes leading to seed-phrase phishing sites.
BleepingComputerDecision Log
- hash: Br6aQYVjxbUCEs3LgeixpwxAaaasMATmXHCdB6KCYtTM
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-sonnet-4-6
generated: 7/1/2026, 11:09:45 PM
last updated: 7/1/2026, 11:09:54 PM
avoid.net — verified advice for a post-truth world