A new class-action lawsuit alleges Intuit “intentionally, willfully, recklessly, or negligently” failed to protect Mailchimp data, leading to the theft of cryptocurrency from Trezor wallet users.
The lawsuit, filed in California on Friday, claims the financial software firm and its subsidiary Rocket Science Group, which operates Mailchimp, are responsible for “millions of dollars of losses.”
That includes $82,000 stolen from plaintiff Alan Levinson’s own Trezor wallet.
On behalf of other Trezor wallet users, Levinson is seeking actual and punitive damages from Intuit, as well as three years of credit monitoring.
He alleges that an employee of Rocket Science Group “fell victim to one of the oldest cybertricks in the book” by clicking on a malicious link that granted attackers access to personal information, including email addresses, of more than 100 users who were subscribed to a Trezor newsletter.
The emails were then used to lure users to a fake Trezor website, where they were directed to download a new version of the company’s Trezor Suite desktop app to protect themselves from a data breach.
In doing so, users unknowingly gave cyber criminals access to the recovery phrase used to access their crypto wallets.
Trezor reacts to phishing scam
Trezor, which is based in the Czech Republic, began warning users about the phishing email in April.
“A scam email warning of a data breach is circulating,” the company said on Twitter. “Do not open any email originating from email@example.com, it is a phishing domain.”
Its website still features a banner warning users not to enter their recovery seed anywhere.
Without mentioning Trezor directly, Mailchimp acknowledged the security breach in a post on April 4.
“Based on our investigation to date, we found that 319 Mailchimp accounts were viewed and audience data was exported from 102 of those accounts,” the company wrote on its blog. “Our findings show that this was a targeted incident focused on users in industries related to cryptocurrency and finance.”
Phishing attacks, widely believed to have originated in the 90s when a group of hackers impersonated AOL employees, have plagued Web3 companies.
In the past two months, some of the largest projects—MetaMask, Bored Ape Club, and Circle—have had to warn users about phishing attacks.
Scammers have even impersonated aid organizations, hoping to use Russia’s Ukraine invasion to steal donations made using cryptocurrencies.