Ice Phishing EIP-712 Signature Scams Impersonating Trezor
Fake Trezor Suite 'security verification' pages present EIP-712 structured-data signing requests that grant attackers sweeping token approval rights, exploiting trust in Trezor's hardware-verified signing model.
Part of: Ice Phishing and EIP-712 Signature Scams
Last reviewed: 8 June 2026
Trezor hardware wallets support EIP-712 structured-data signing through Trezor Suite, allowing users to sign messages for Web3 applications with the additional security of hardware confirmation. Scammers exploit this feature by creating fake 'Trezor Suite Security Verification' pages that look like official Trezor flows and instruct users to sign an EIP-712 message to 'verify wallet ownership' or 'complete firmware validation.'
Victims who have experienced genuine Trezor-hardware EIP-712 signing flows may recognize the popup format and proceed without reading the actual message data carefully. The surrounding Trezor branding and instructions such as 'confirm on your Trezor device' (which does not actually occur) lower suspicion.
Trezor does not require users to sign EIP-712 messages on any external website for security verification or firmware updates. Firmware updates are performed exclusively within the Trezor Suite desktop application, and the device displays the exact update details on its own screen.
How this scam works on the Trezor brand
Victims arrive at the fake Trezor security page via a phishing email warning of 'unrecognized firmware activity on your Trezor device,' or through a search engine ad for 'Trezor Suite download.' The page presents a step-by-step 'device verification' flow that ends with a MetaMask or WalletConnect EIP-712 signing request.
The structured data shows fields such as 'verifier': '[Trezor branding]', 'nonce': '[random number]', and — crucially — 'spender': '[attacker address]' and 'allowance': '[maximum uint256]'. Most users accept the request assuming the Trezor branding validates the safety of the signature; in fact these branding fields are arbitrary strings chosen by the page and carry no security meaning.
After signing, the attacker submits the permit to ERC-20 contracts and drains the victim's token holdings. The actual Trezor hardware device is not involved in this flow at any point; if a genuine Trezor confirmation were requested, the device screen would show the full message data, giving the user a chance to spot the malicious fields.
Common red flags
- Email or page claims your Trezor device has unrecognized activity requiring an EIP-712 'verification signature'
- The signing request arrives through MetaMask or another software wallet — not through Trezor Suite connected to your hardware device
- EIP-712 message contains 'spender' and 'allowance' fields with large values and an unknown contract address
- Page claims your Trezor hardware device 'will prompt for confirmation' but no device screen prompt occurs
- URL is not trezor.io — uses lookalike domains incorporating 'trezor' and 'suite' or 'security'
- Signing process appears on an external website rather than within the Trezor Suite desktop application
How to protect yourself
- Use Trezor Suite for all hardware wallet operations — never interact with supposed Trezor security pages on external websites
- Read every EIP-712 signing request fully, particularly the 'spender' and 'allowance' fields, before confirming
- If the page claims your hardware device will prompt for confirmation but no Trezor screen appears, immediately reject the signing request
- Use a transaction-simulation extension to preview the effect of any signature before approving
- Perform firmware updates exclusively from within Trezor Suite — never from a website
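The field-by-field reading the advice above asks for, written out as an added example (not Trezor's, MetaMask's or any wallet's code): it inspects the typed-data JSON a page hands to the wallet and reports the spender, amount, deadline and branding red flags described in this article. The sample request and all addresses are constructed placeholders.

```javascript
// Added example, not Trezor's or any wallet's code: inspect an EIP-712
// typed-data request (the JSON a page passes to eth_signTypedData_v4)
// and report the fields this scam relies on before anything is signed.
const MAX_UINT256 = (1n << 256n) - 1n;

// Constructed sample modelled on the fake 'verification' request; the
// addresses are placeholders, not real contracts.
const SCAM_REQUEST = {
  domain: { name: "Trezor Suite Verification", version: "1", chainId: 1,
            verifyingContract: "0x000000000000000000000000000000000000aaaa" },
  primaryType: "Permit",
  message: {
    verifier: "Trezor Suite Security Verification",
    nonce: 4821,
    owner: "0x000000000000000000000000000000000000bbbb",
    spender: "0x000000000000000000000000000000000000cccc", // unknown address
    allowance: MAX_UINT256.toString(),                     // unlimited amount
    deadline: MAX_UINT256.toString(),                      // never expires
  },
};

// Returns a list of human-readable findings. An empty list means none of the
// checked red flags were present; it does not prove the request is safe.
function inspectTypedData(req, trustedSpenders = [], nowSeconds = Math.floor(Date.now() / 1000)) {
  const findings = [];
  const msg = req.message || {};
  const trusted = new Set(trustedSpenders.map((a) => a.toLowerCase()));

  // 1. Who is being granted rights? Anything not on your allowlist is suspect.
  if (typeof msg.spender === "string" && !trusted.has(msg.spender.toLowerCase())) {
    findings.push(`spender ${msg.spender} is not a contract you recognise`);
  }
  // 2. How much? Permit-style messages carry the amount as 'allowance', 'value' or 'amount'.
  const amountKey = ["allowance", "value", "amount"].find((k) => k in msg);
  if (amountKey !== undefined && BigInt(msg[amountKey]) >= (1n << 128n)) {
    findings.push(`${amountKey} is effectively unlimited (${msg[amountKey]})`);
  }
  // 3. For how long? A deadline far beyond one session lets the holder sweep at any time.
  if (msg.deadline !== undefined && BigInt(msg.deadline) > BigInt(nowSeconds) + 86400n) {
    findings.push("deadline is more than a day in the future");
  }
  // 4. Branding inside the data is decorative and carries no security meaning.
  const text = JSON.stringify({ domain: req.domain, message: msg }).toLowerCase();
  if (text.includes("trezor")) {
    findings.push("Trezor wording in the data proves nothing about who will use the signature");
  }
  return findings;
}
```

Run it with an allowlist of contracts you actually intend to approve; the sample request above produces four findings, while a bounded, short-lived permit to a listed spender produces none.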
How to report it
- Report the phishing site to Trezor at [email protected]
- Submit the domain to MetaMask's community phishing list and Google Safe Browsing
- File a complaint with IC3.gov (US) or Action Fraud (UK)
- Notify the r/TREZOR community to help protect other users
Frequently asked questions
Can I verify an EIP-712 message on my Trezor device screen?
Yes. When your Trezor hardware is genuinely connected through Trezor Suite, EIP-712 messages are displayed on the device screen for confirmation. If you do not see the message on your device but the browser is asking you to sign, the Trezor is not involved and you should reject the request.
How do I perform a genuine Trezor firmware update?
Open Trezor Suite (either the downloaded desktop application or the web version at suite.trezor.io/web), connect your Trezor device, and follow the in-application update prompts. The device itself will display the update details for confirmation on its own screen. No external web page is required.