Verify a decision
Every moderation decision on AVOID.NET is anchored to the Solana blockchain. You don't have to trust us — you can verify cryptographically that we committed to a verdict at a specific moment and have not rewritten it.
How verification works
- We commit. When a moderator accepts/rejects a submission, we serialize the decision into deterministic UTF-8 bytes (payload_canonical_string), hash it with SHA-256, encode the digest as base58, and write it to Solana inside an SPL Memo v2 transaction.
- We store the bytes. The exact bytes we hashed are stored alongside the decision in our database. Anyone can read them and recompute the hash in any language.
- You compare three values. Database hash, your independently-recomputed hash, and the hash inside the on-chain memo. If all three match, the decision is authentic and timestamped.
The on-chain memo format is
AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>
Find a signature on any investigation page's decision log, or run python -m src.verify_decision --signature <sig> for a CLI check.
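The three-way comparison described above, as an added example (not AVOID.NET's own verify_decision code). It assumes the database hash and the memo text have already been fetched, takes base58 to mean the Bitcoin alphabet that Solana uses, and runs on a constructed sample payload and memo.

```python
import hashlib

# Base58 alphabet used by Bitcoin and Solana (assumed to be the one the memo uses).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Base58-encode bytes; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def payload_hash(canonical: str) -> str:
    """SHA-256 over the stored string's UTF-8 bytes, then base58.

    Hash the stored string exactly as given: parsing the JSON and dumping it
    again can change key order, spacing or escapes, and so change the digest.
    """
    return b58encode(hashlib.sha256(canonical.encode("utf-8")).digest())


def parse_memo(memo: str) -> dict:
    """Parse AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>; reject anything else."""
    parts = memo.split("|")
    if len(parts) != 5 or parts[0] != "AVOID.NET" or parts[1] != "v1":
        raise ValueError("not an AVOID.NET v1 memo")
    fields = {}
    for key, part in zip(("h", "d", "t"), parts[2:]):
        prefix = key + ":"
        if not part.startswith(prefix) or len(part) == len(prefix):
            raise ValueError(f"missing or empty field {key!r}")
        fields[key] = part[len(prefix):]
    if not set(fields["h"]) <= set(B58_ALPHABET):
        raise ValueError("h field is not base58")
    return fields


def verify(canonical: str, db_hash: str, memo: str) -> dict:
    """Compare the database hash, the recomputed hash and the memo hash."""
    recomputed = payload_hash(canonical)
    onchain = parse_memo(memo)["h"]
    return {
        "db_matches_recomputed": db_hash == recomputed,
        "memo_matches_recomputed": onchain == recomputed,
        "db_matches_memo": db_hash == onchain,
        "authentic": db_hash == recomputed == onchain,
    }


# Constructed sample data, not a real AVOID.NET decision or memo.
SAMPLE_CANONICAL = '{"kind":"publish","note":"caf\u00e9","sequence_num":1,"v":1}'
SAMPLE_DB_HASH = payload_hash(SAMPLE_CANONICAL)
SAMPLE_MEMO = f"AVOID.NET|v1|h:{SAMPLE_DB_HASH}|d:constructed-id|t:2026-01-01T00:00:00.000Z"

if __name__ == "__main__":
    print(verify(SAMPLE_CANONICAL, SAMPLE_DB_HASH, SAMPLE_MEMO))
    # One changed byte in the stored payload: database and memo still agree
    # with each other, but neither matches the recomputed hash.
    print(verify(SAMPLE_CANONICAL + " ", SAMPLE_DB_HASH, SAMPLE_MEMO))
```

A check like this only means something when the memo text comes from the transaction as read from a Solana RPC endpoint or explorer you chose yourself, not from the same page that serves the database hash.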
Decision
- Sequence: #1
- Score: →
- Cluster: mainnet-beta
- Slot: 430187810
- Off-chain at: 2026-07-01T23:09:54.412Z
- Anchored at: —
- Block time: —
Independent verification
- 1. Database (off-chain): Br6aQYVjxbUCEs3LgeixpwxAaaasMATmXHCdB6KCYtTM
- 2. Recomputed (your browser): computing…
- 3. On-chain (Solana memo): fetching…
Canonical bytes hashed (22054 chars)
{"actor":"system:backfill","investigation_id":"613516de-3e59-4110-bc78-249afc6bfd7b","kind":"publish","page_slug":"fake-trezor-support-social-engineering-282m-heist","published_at":"2026-07-01T23:09:54.341Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Fake Trezor Support Social Engineering — $282M Heist","sections":[{"content":"At approximately 23:00 UTC on January 10, 2026, an unknown individual lost approximately 1,459 Bitcoin (valued at roughly $139 million) and 2.05 million Litecoin (valued at roughly $153 million), totalling approximately $282 million. The theft was first publicly flagged by blockchain investigator ZachXBT. Security firm ZeroShadow subsequently identified the attack vector: the attacker had impersonated customer support representatives for a fabricated Trezor product called 'Value Wallet,' and through social engineering convinced the victim to disclose their hardware wallet's 24-word seed phrase. Possession of the seed phrase grants unconditional, irrevocable access to all funds associated with the wallet. 
The incident is confirmed as the largest individual social engineering cryptocurrency theft on record as of mid-2026.","heading":"Incident Overview","severity":"critical","sources":[{"credibility":1,"name":"Hacker steals $282 million crypto from a victim in social-engineering attack — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/01/16/hacker-steals-usd282-milion-in-hardware-wallet-social-engineering-attack"},{"credibility":1,"name":"Crypto User Loses $282M in Bitcoin, Litecoin in Social Engineering Attack — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/crypto-user-loses-282m-bitcoin-litecoin-social-engineering-attack"},{"credibility":2,"name":"ZachXBT Highlights $282M Theft of Bitcoin and Litecoin in Hardware Wallet Scam — The Defiant","type":"news_article","url":"https://thedefiant.io/news/defi/zachxbt-highlights-usd282m-theft-of-bitcoin-and-litecoin-in-hardware-wallet-scam"}]},{"content":"The attacker employed a brand-impersonation social engineering technique. They posed as support staff for a Trezor product called 'Value Wallet' — a product that does not exist — contacting the victim and creating a false sense of urgency around an alleged issue with the victim's wallet. The victim was then persuaded to disclose their 24-word BIP-39 seed phrase, which constitutes the master cryptographic backup for a hardware wallet. Trezor's own published security guidance explicitly states that 'any request for your wallet backup, PIN, passwords, or codes is always a scam' and that 'Trezor will never contact you about your wallet backup or ask you to perform actions with your wallet.' No technical exploit of Trezor hardware or software was involved. The attack relied entirely on human deception. 
ZachXBT confirmed that the attacker was not linked to North Korean state-sponsored threat actors (i.e., the Lazarus Group), dismissing early speculation in that direction.","heading":"Attack Vector: Seed Phrase Social Engineering","severity":"critical","sources":[{"credibility":2,"name":"$282M Bitcoin and Litecoin Stolen After Victim Falls for Fake Wallet Support — FinanceFeeds","type":"news_article","url":"https://financefeeds.com/282m-bitcoin-and-litecoin-stolen-after-victim-falls-for-fake-wallet-support/"},{"credibility":1,"name":"Common scams and phishing affecting Trezor users — Trezor Official","type":"official","url":"https://trezor.io/learn/security-privacy/personal-security-standards/scams-and-phishing"},{"credibility":2,"name":"The $300 million 'Value Wallet' support scam — BV Insights","type":"news_article","url":"https://bitcoinvn.io/insights/value-wallet-support-scam/"},{"credibility":2,"name":"Crypto User Loses $282M in Bitcoin & Litecoin to Social Engineering Hack — Bitcoinist","type":"news_article","url":"https://bitcoinist.com/crypto-user-lose-282m-in-social-engineering-attack/"}]},{"content":"Following the theft, the attacker rapidly laundered the stolen assets through a multi-layered process. Significant portions of the stolen Bitcoin were bridged across blockchain networks via ThorChain, a decentralized cross-chain liquidity protocol, converting BTC into Ethereum, XRP, and Litecoin to fragment and obscure the asset trail. The attacker then converted large portions of the stolen funds into Monero (XMR) through multiple instant exchange platforms. Monero is a privacy-focused cryptocurrency using ring signatures, stealth addresses, and RingCT that renders transactions effectively untraceable on its blockchain. The scale of the conversion caused a significant market impact on XMR: Monero's price surged approximately 70–80% in the days following the theft, reaching a reported peak of approximately $797–$800 — an all-time high for XMR. 
ZeroShadow, monitoring fund flows in real time after being alerted by blockchain monitoring teams, was able to freeze approximately $700,000 worth of assets within approximately 20 minutes of the theft before conversion to privacy coins was complete. The overwhelming majority of the $282 million in stolen funds was successfully converted to Monero and is considered unrecoverable.","heading":"Money Laundering: ThorChain, Instant Exchanges, and Monero Conversion","severity":"critical","sources":[{"credibility":1,"name":"Hacker steals $282 million crypto from a victim in social-engineering attack — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/01/16/hacker-steals-usd282-milion-in-hardware-wallet-social-engineering-attack"},{"credibility":2,"name":"Monero Stalls Post-ATH: How a $282M Social Engineering Scam Fueled XMR's Rally — Bitcoin.com News","type":"news_article","url":"https://news.bitcoin.com/monero-stalls-post-ath-how-a-282m-social-engineering-scam-fueled-xmrs-rally/"},{"credibility":3,"name":"ZachXBT: Whale Hardware Wallet Loses $282M, Funds Laundered into Monero — Ainvest","type":"news_article","url":"https://www.ainvest.com/news/zachxbt-whale-hardware-wallet-loses-282m-social-engineering-scam-funds-laundered-monero-privacy-coin-surges-60-2601/"},{"credibility":2,"name":"$282M Bitcoin and Litecoin Stolen After Victim Falls for Fake Wallet Support — FinanceFeeds","type":"news_article","url":"https://financefeeds.com/282m-bitcoin-and-litecoin-stolen-after-victim-falls-for-fake-wallet-support/"}]},{"content":"The January 10, 2026 theft surpassed the previous record for the largest individual social engineering crypto theft, which had been set on August 19, 2024, when a creditor of defunct trading firm Genesis lost $243 million in Bitcoin (4,064 BTC). 
In the 2024 Genesis-creditor case, the attackers impersonated Google support staff, then Gemini exchange support, to socially engineer the victim into resetting two-factor authentication and surrendering wallet access. That case resulted in arrests: Malone Lam (20, of Singapore) and Jeandiel Serrano (21, of Los Angeles) were charged by the U.S. Department of Justice in September 2024 with conspiring to steal and launder cryptocurrency. A further individual was subsequently reported by ZachXBT as likely arrested in Dubai. No arrests have been reported in connection with the January 2026 $282 million theft as of mid-2026.","heading":"Historical Context: Record-Breaking Theft","severity":"high","sources":[{"credibility":1,"name":"Police Arrest Two People Related to $243M Crypto Heist Targeting Genesis Creditor — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2024/09/19/police-arrests-two-people-related-to-243m-crypto-heist-targeting-genesis-creditor"},{"credibility":2,"name":"User loses $282M in one of the largest social engineering crypto heists — TradingView / CoinTelegraph","type":"news_article","url":"https://www.tradingview.com/news/cointelegraph:d2aa4642d094b:0-user-loses-282m-in-one-of-the-largest-social-engineering-crypto-heists/"}]},{"content":"As of mid-2026, no suspect identity has been publicly disclosed in connection with the January 10, 2026 theft. ZachXBT publicly stated that the attacker was not linked to North Korea or any known state-sponsored threat actor, directly addressing speculation that circulated online following the disclosure. Security firm ZeroShadow traced and attributed approximately $2 million of funds, but the bulk of the stolen assets were converted to Monero, which by design does not maintain a publicly auditable blockchain, making further on-chain attribution extremely difficult. 
No law enforcement agency has publicly announced an investigation into or charges related to this incident as of the time of writing.","heading":"Suspect Status and Attribution","severity":"high","sources":[{"credibility":1,"name":"Crypto User Loses $282M in Bitcoin, Litecoin in Social Engineering Attack — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/crypto-user-loses-282m-bitcoin-litecoin-social-engineering-attack"},{"credibility":2,"name":"Crypto User Loses $282M In Social Engineering Attack — Bitcoinist","type":"news_article","url":"https://bitcoinist.com/crypto-user-lose-282m-in-social-engineering-attack/"},{"credibility":2,"name":"The $300 million 'Value Wallet' support scam — BV Insights","type":"news_article","url":"https://bitcoinvn.io/insights/value-wallet-support-scam/"}]},{"content":"The January 2026 theft was not an isolated incident. In February 2026, a parallel campaign emerged in which physical letters were mailed to known Trezor and Ledger hardware wallet users, impersonating official company communications. These letters — printed on realistic branded letterhead — claimed recipients must complete a mandatory 'Authentication Check' or 'Transaction Check' by a specified deadline (one letter cited February 15, 2026) or risk losing wallet access. Letters directed victims to scan QR codes leading to fraudulent domains such as 'trezor.authentication-check.io,' where users were prompted to enter their seed phrases. BleepingComputer and CCN reported on this campaign in February 2026. Security researchers noted the letters likely exploited personal data exposed in prior hardware wallet manufacturer data breaches, which had leaked customer names and mailing addresses. Both Trezor and Ledger have experienced significant customer data breaches in recent years. 
Neither company initiates contact with customers requesting seed phrases through any channel.","heading":"Broader Hardware Wallet Impersonation Threat Wave","severity":"high","sources":[{"credibility":1,"name":"Snail mail letters target Trezor and Ledger users in crypto-theft attacks — BleepingComputer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/snail-mail-letters-target-trezor-and-ledger-users-in-crypto-theft-attacks/"},{"credibility":2,"name":"Ledger and Trezor Users Security Alert: Seed Phrase Phishing Attempts Sent by Mail — CCN","type":"news_article","url":"https://www.ccn.com/news/crypto/ledger-trezor-security-alert-seed-phrase-phishing-by-mail/"},{"credibility":2,"name":"Ledger and Trezor Users Targeted in Sophisticated Physical Mail Scam — Bitcoin News","type":"news_article","url":"https://bitcoinnews.com/p/ledger-trezor-users-physical-mail-scam"},{"credibility":2,"name":"Fake Trezor, Ledger letters target crypto wallet recovery phrases — Crypto.news","type":"news_article","url":"https://crypto.news/crypto-hackers-target-trezor-ledger-users-in-theft/"}]},{"content":"The victim has not been publicly identified. The scale of the holdings — approximately 1,459 BTC and 2.05 million LTC stored on a single hardware wallet — indicates the victim was a high-net-worth individual or institution with significant cryptocurrency wealth. The simultaneous holding of large quantities of both Bitcoin and Litecoin across what appears to be a single seed-phrase-derived wallet suggests the assets were managed under a single seed, amplifying the catastrophic impact of the compromise. 
No government or law enforcement agency has confirmed the victim's identity, nationality, or jurisdiction.","heading":"Victim and Asset Profile","severity":"medium","sources":[{"credibility":2,"name":"Crypto User Loses $282M in Bitcoin and Litecoin to Social Engineering Scam — Brave New Coin","type":"news_article","url":"https://bravenewcoin.com/insights/crypto-user-loses-282-million-in-bitcoin-and-litecoin-to-social-engineering-scam"},{"credibility":2,"name":"$282M Bitcoin and Litecoin Stolen After Victim Falls for Fake Wallet Support — FinanceFeeds","type":"news_article","url":"https://financefeeds.com/282m-bitcoin-and-litecoin-stolen-after-victim-falls-for-fake-wallet-support/"}]},{"content":"Trezor's official security documentation states that Trezor will never contact users to request their seed phrase, wallet backup, PIN, or any other credential under any circumstances. Any such request — whether by phone, email, social media, physical letter, or any other channel — should be treated as a scam and reported. Seed phrases should only ever be entered directly on the hardware wallet device during wallet restoration. They should never be entered on any website, computer, or mobile device, and should never be shared verbally or in writing with any party. Users who believe they have been contacted by a fraudulent support representative should not engage and should report the contact to the legitimate manufacturer. 
ZeroShadow's response in this incident, while it recovered approximately $700,000 out of $282 million within 20 minutes, demonstrates that real-time monitoring can limit marginal losses but cannot prevent the bulk of theft once a seed phrase has been disclosed.","heading":"Protective Guidance","severity":"high","sources":[{"credibility":1,"name":"Common scams and phishing affecting Trezor users — Trezor Official","type":"official","url":"https://trezor.io/learn/security-privacy/personal-security-standards/scams-and-phishing"},{"credibility":2,"name":"The $300 million 'Value Wallet' support scam — BV Insights","type":"news_article","url":"https://bitcoinvn.io/insights/value-wallet-support-scam/"}]}],"sources_used":[{"credibility":1,"name":"Hacker steals $282 million crypto from a victim in social-engineering attack — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/01/16/hacker-steals-usd282-milion-in-hardware-wallet-social-engineering-attack"},{"credibility":1,"name":"Crypto User Loses $282M in Bitcoin, Litecoin in Social Engineering Attack — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/crypto-user-loses-282m-bitcoin-litecoin-social-engineering-attack"},{"credibility":2,"name":"ZachXBT Highlights $282M Theft of Bitcoin and Litecoin in Hardware Wallet Scam — The Defiant","type":"news_article","url":"https://thedefiant.io/news/defi/zachxbt-highlights-usd282m-theft-of-bitcoin-and-litecoin-in-hardware-wallet-scam"},{"credibility":2,"name":"Victim Loses $282M in Bitcoin and Litecoin to Hardware Wallet Scam — CryptoNews (via Yahoo Finance)","type":"news_article","url":"https://finance.yahoo.com/news/victim-loses-282m-bitcoin-litecoin-185821837.html"},{"credibility":2,"name":"$282M Bitcoin and Litecoin Stolen After Victim Falls for Fake Wallet Support — 
FinanceFeeds","type":"news_article","url":"https://financefeeds.com/282m-bitcoin-and-litecoin-stolen-after-victim-falls-for-fake-wallet-support/"},{"credibility":2,"name":"Crypto User Loses $282M In Social Engineering Attack — Bitcoinist","type":"news_article","url":"https://bitcoinist.com/crypto-user-lose-282m-in-social-engineering-attack/"},{"credibility":2,"name":"Crypto User Loses $282 Million in Bitcoin and Litecoin to Social Engineering Scam — Brave New Coin","type":"news_article","url":"https://bravenewcoin.com/insights/crypto-user-loses-282-million-in-bitcoin-and-litecoin-to-social-engineering-scam"},{"credibility":2,"name":"Monero Stalls Post-ATH: How a $282M Social Engineering Scam Fueled XMR's Rally — Bitcoin.com News","type":"news_article","url":"https://news.bitcoin.com/monero-stalls-post-ath-how-a-282m-social-engineering-scam-fueled-xmrs-rally/"},{"credibility":3,"name":"ZachXBT: Whale Hardware Wallet Loses $282M, Funds Laundered into Monero — Ainvest","type":"news_article","url":"https://www.ainvest.com/news/zachxbt-whale-hardware-wallet-loses-282m-social-engineering-scam-funds-laundered-monero-privacy-coin-surges-60-2601/"},{"credibility":2,"name":"The $300 million 'Value Wallet' support scam — BV Insights","type":"news_article","url":"https://bitcoinvn.io/insights/value-wallet-support-scam/"},{"credibility":1,"name":"Police Arrest Two People Related to $243M Crypto Heist Targeting Genesis Creditor — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2024/09/19/police-arrests-two-people-related-to-243m-crypto-heist-targeting-genesis-creditor"},{"credibility":1,"name":"Snail mail letters target Trezor and Ledger users in crypto-theft attacks — BleepingComputer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/snail-mail-letters-target-trezor-and-ledger-users-in-crypto-theft-attacks/"},{"credibility":2,"name":"Ledger and Trezor Users Security Alert: Seed Phrase Phishing Attempts Sent by Mail — 
CCN","type":"news_article","url":"https://www.ccn.com/news/crypto/ledger-trezor-security-alert-seed-phrase-phishing-by-mail/"},{"credibility":2,"name":"Ledger and Trezor Users Targeted in Sophisticated Physical Mail Scam — Bitcoin News","type":"news_article","url":"https://bitcoinnews.com/p/ledger-trezor-users-physical-mail-scam"},{"credibility":1,"name":"Common scams and phishing affecting Trezor users — Trezor Official","type":"official","url":"https://trezor.io/learn/security-privacy/personal-security-standards/scams-and-phishing"},{"credibility":2,"name":"$282M stolen via hardware wallet scam — Cybernews","type":"news_article","url":"https://cybernews.com/crypto/phishing-social-engineering-attack-hardware-wallet-282m-crypto-theft/"},{"credibility":2,"name":"ZachXBT Reveals $282M Bitcoin and Litecoin Theft from Hardware Wallet Scam — Coin Edition","type":"news_article","url":"https://coinedition.com/zachxbt-reveals-282m-bitcoin-and-litecoin-theft-from-hardware-wallet-scam/"},{"credibility":2,"name":"Fake Trezor, Ledger letters target crypto wallet recovery phrases — Crypto.news","type":"news_article","url":"https://crypto.news/crypto-hackers-target-trezor-ledger-users-in-theft/"}],"summary":"On January 10, 2026, an unidentified victim lost approximately $282 million in Bitcoin and Litecoin after an attacker impersonating Trezor 'Value Wallet' customer support convinced the victim to disclose their 24-word seed phrase, granting the attacker complete wallet access. This is the largest individual social engineering crypto theft ever recorded, surpassing the previous record of $243 million set in August 2024. 
Stolen funds were laundered through ThorChain, multiple instant exchanges, and converted predominantly into Monero, causing XMR to surge up to 80% in the days following the incident; no suspect has been publicly identified and full recovery is considered extremely unlikely.","timeline":[{"date":"2024-08-19","event":"Previous record set: a Genesis creditor loses $243 million in Bitcoin (4,064 BTC) via social engineering, with attackers impersonating Google and Gemini support. This case results in two DOJ indictments in September 2024.","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2024/09/19/police-arrests-two-people-related-to-243m-crypto-heist-targeting-genesis-creditor"},{"date":"2026-01-10","event":"At approximately 23:00 UTC, an unknown victim loses approximately 1,459 BTC (~$139M) and 2.05 million LTC (~$153M) after disclosing their 24-word seed phrase to an attacker impersonating Trezor 'Value Wallet' customer support. Total loss: ~$282 million.","source":"CoinDesk / ZachXBT / ZeroShadow","source_url":"https://www.coindesk.com/business/2026/01/16/hacker-steals-usd282-milion-in-hardware-wallet-social-engineering-attack"},{"date":"2026-01-10","event":"Within approximately 20 minutes of the theft, ZeroShadow identifies the attack in real time and freezes approximately $700,000 worth of assets before they can be converted to Monero.","source":"FinanceFeeds / Bitcoinist","source_url":"https://financefeeds.com/282m-bitcoin-and-litecoin-stolen-after-victim-falls-for-fake-wallet-support/"},{"date":"2026-01-10","event":"The attacker begins laundering stolen BTC through ThorChain, bridging to Ethereum, XRP, and Litecoin, while converting the bulk of stolen funds to Monero (XMR) through multiple instant exchanges.","source":"CoinDesk / FinanceFeeds","source_url":"https://www.coindesk.com/business/2026/01/16/hacker-steals-usd282-milion-in-hardware-wallet-social-engineering-attack"},{"date":"2026-01-14","event":"Monero (XMR) reaches an all-time high 
of approximately $797–$800, a surge of approximately 70–80% from pre-theft price levels, as market liquidity absorbs the large-scale conversion of stolen assets.","source":"Bitcoin.com News / Ainvest","source_url":"https://news.bitcoin.com/monero-stalls-post-ath-how-a-282m-social-engineering-scam-fueled-xmrs-rally/"},{"date":"2026-01-16","event":"CoinDesk and other major outlets publish detailed reporting on the theft, citing ZachXBT's analysis and ZeroShadow's findings. ZachXBT publicly excludes North Korean state-sponsored actors as suspects.","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2026/01/16/hacker-steals-usd282-milion-in-hardware-wallet-social-engineering-attack"},{"date":"2026-02-16","event":"A separate but related hardware wallet impersonation campaign surfaces: physical letters sent via postal mail to Trezor and Ledger customers, impersonating official company communications and directing recipients to scan QR codes leading to seed-phrase phishing sites.","source":"BleepingComputer","source_url":"https://www.bleepingcomputer.com/news/security/snail-mail-letters-target-trezor-and-ledger-users-in-crypto-theft-attacks/"}]},"v":1}