Fake CAPTCHA on Trezor-Branded Sites Leading to Seed-Phrase Theft
Phishing sites mimicking Trezor's wallet-restoration interface embed fake CAPTCHA challenges that, once 'completed,' either request the seed phrase directly as the 'verification step' or deliver malware that scans the device for cryptocurrency-related files.
Part of: Fake CAPTCHA Malware Scams
Last reviewed: 8 June 2026
Trezor users are typically security-conscious — that awareness is part of why they chose a hardware wallet in the first place. To overcome this heightened scepticism, attackers deploying fake CAPTCHA pages against Trezor users invest in highly convincing presentations: pages that accurately replicate the Trezor Suite interface, correct Trezor branding, and a multi-step flow that gradually normalises each request.
The CAPTCHA is used as a social-engineering device: it lends the page an air of legitimate security infrastructure. After the user completes what appears to be a standard reCAPTCHA or Cloudflare Turnstile challenge, the next screen presents the 'wallet restoration verification' — which asks for the seed phrase. Because the CAPTCHA has already been 'passed,' the victim may feel the site has already verified something, reducing their guard against the next step.
Some variants use the CAPTCHA to deliver malware through clipboard injection instead of requesting the seed phrase directly. The payload is a keylogger or file scanner that targets any text file where the user may have stored seed words.
How this scam works on the Trezor brand
Real Trezor Suite never uses third-party CAPTCHA widgets as part of its interface. Trezor Suite is a downloadable desktop application or an optional web app at suite.trezor.io — neither uses CAPTCHAs for access or seed-phrase entry. The seed phrase is entered exclusively on the physical Trezor device's own screen.
The attack chain typically begins with a phishing email or search-engine ad for 'Trezor wallet recovery.' The landing page presents a Trezor logo and a CAPTCHA challenge. Completing the CAPTCHA either transitions to a 'wallet restoration' form requesting seed words, or triggers a clipboard injection in which the user is instructed to paste a 'verification code' into their terminal; that 'code' is actually malware.
Victims who proceed to enter their seed words on the website hand the complete wallet master key to the attacker, who can then import it on any compatible wallet and transfer all funds.
Common red flags
- A Trezor-branded website includes a CAPTCHA before allowing access to a wallet-restoration form
- After completing the CAPTCHA, the site asks you to enter your 12- or 24-word recovery phrase
- The URL is not suite.trezor.io or trezor.io
- The site arrived via a search ad, email link, or social-media post rather than your own bookmark
- The CAPTCHA instructs you to paste something into your computer's terminal or Run dialog
- The page claims your Trezor recovery phrase must be 'verified remotely' due to a security event
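The red flags above can be turned into a small triage helper for a reported URL and the page's visible text. This is an added example, not code from Trezor or from the original page: the two official hostnames are the ones named on this page, while the function names, flag names, keyword patterns and the HTTPS requirement are assumptions for illustration, and the sample inputs are constructed.

```javascript
// Added example (not Trezor's code). Official hosts are the two named on this page;
// flag names, keyword patterns and the https-only rule are illustrative assumptions.
const OFFICIAL_HOSTS = new Set(["trezor.io", "suite.trezor.io"]);

// Exact-match the parsed hostname. Substring checks are unsafe: a lookalike URL
// can carry "suite.trezor.io" in the userinfo, a subdomain label or the path.
function isOfficialHost(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return false; }
  if (u.protocol !== "https:") return false;
  // hostname is lowercased and excludes userinfo/port; IDN lookalikes become xn-- labels
  return OFFICIAL_HOSTS.has(u.hostname.replace(/\.$/, ""));
}

// Text patterns mirroring the red-flag list (heuristics, expect false negatives).
const TEXT_FLAGS = [
  ["captcha", /captcha|turnstile|not a robot|verify you are human/i],
  ["seed-phrase-request", /\b(enter|type|provide)\b[^.]{0,60}(recovery|seed) (phrase|words)/i],
  ["paste-into-terminal", /paste[^.]{0,80}(terminal|run dialog|powershell|command prompt)/i],
  ["remote-verification", /verified remotely/i],
];

// Returns the names of every red flag that applies. Text flags are reported
// regardless of host: a seed-phrase form in a browser is suspect at any URL.
function redFlags(rawUrl, pageText) {
  const flags = [];
  if (!isOfficialHost(rawUrl)) flags.push("unofficial-host");
  for (const [name, re] of TEXT_FLAGS) {
    if (re.test(pageText)) flags.push(name);
  }
  return flags;
}

// Constructed samples (not real phishing pages).
const SAMPLE_SEED_PAGE = {
  url: "https://suite.trezor.io.wallet-restore.example/recover",
  text: "Verify you are human. Complete the CAPTCHA, then enter your 24-word recovery phrase to continue.",
};
const SAMPLE_PASTE_PAGE = {
  url: "https://trezor-verify.example/check",
  text: "Confirm you are not a robot: press Win+R and paste the verification code into the Run dialog.",
};

console.log(redFlags(SAMPLE_SEED_PAGE.url, SAMPLE_SEED_PAGE.text));
console.log(redFlags(SAMPLE_PASTE_PAGE.url, SAMPLE_PASTE_PAGE.text));
```

An empty result means none of these heuristics fired, not that the page is safe.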
How to protect yourself
- Your Trezor seed phrase is entered only on the physical device — this rule has no exceptions
- Navigate to suite.trezor.io using your own bookmark only, never via search ads or email links
- Recognise that a CAPTCHA on a hardware-wallet site is itself unusual and warrants immediate suspicion
- Never paste clipboard content into a terminal as part of any CAPTCHA or verification flow
- If you visited a suspicious site, run a malware scan on your device before reconnecting your Trezor
- Check for genuine Trezor announcements only at trezor.io/blog
How to report it
- Report the phishing URL to Trezor at [email protected]
- Submit the site to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish/
- File a report with the FTC at reportfraud.ftc.gov
- Report to IC3.gov (US) or Action Fraud 0300 123 2040 (UK)
- If the seed phrase was entered, immediately transfer all funds to a freshly generated wallet on a factory-reset device
Frequently asked questions
Why would a fake site use a CAPTCHA if it is malicious?
CAPTCHAs signal 'this is a secure, legitimate site' to many users. Attackers use them as psychological props to make the page feel trustworthy before introducing the harmful request — entering a seed phrase or running a pasted command.
Is suite.trezor.io safe to use for wallet recovery?
Trezor Suite at suite.trezor.io is the official Trezor web application. During genuine wallet recovery through Suite, you enter seed words on the physical Trezor device — not on the computer screen. If a website is asking you to type seed words into a browser form, regardless of its URL, treat it as malicious.
How do I factory reset my Trezor and set up a new seed phrase?
Instructions are at trezor.io/learn. You can perform a wipe from the Trezor Suite settings menu. After resetting, the device generates a new random seed phrase on its own screen. You write it down on paper — it is never transmitted to any computer.