The Amazon listing that looked official
February 2025. A holder in Denver searches "Trezor Safe 3" on Amazon. The top result is "Sold by TrezorOfficialStore, Ships from Amazon." Price is full MSRP. He buys it. The device arrives in shrink-wrapped Trezor packaging. He initializes it, generates a new seed, funds it with $63,000 in BTC. Six weeks later, slow-drip withdrawals start — small amounts, evenly spaced, to addresses he doesn't recognize. Total loss over 30 days: $58,000.
How supply-chain attacks differ from secondhand traps
A supply-chain attack tampers with the device before the user ever sees it: modified firmware, a swapped microcontroller, or a crippled random number generator. The device still generates a "fresh" seed phrase on first boot, but the generation is backdoored. Either the seed is drawn from a keyspace small enough for the operator to enumerate, or the firmware leaks it over USB or another side channel the first time the device is connected to a computer. In both cases the attacker can derive every address the wallet will ever produce, and can wait as long as they like before spending.
This attack is rare but documented. The 2024 SatoshiLabs disclosure of a "compromised distributor" incident covered exactly this pattern — devices that passed visual inspection but had altered firmware.
The four-layer defense
- Buy from the manufacturer's own website. Period. A marketplace listing that says "Sold by Trezor" proves nothing: the "Sold by" name is a seller-chosen display name that can mimic the manufacturer, and "Ships from Amazon" only means the stock sat in Amazon's warehouse, where fulfilment inventory from different sellers of the same listing can be pooled. You have no way to tell whose box you received.
- Verify firmware authenticity on first boot, and understand what the check can and cannot tell you. Trezor Suite warns when the device is running firmware that was not signed by SatoshiLabs; if you see that warning, stop, do not enter a seed, and return the device. The caveat: a signature check performed by the device itself is only as trustworthy as the device. An attacker who replaced the microcontroller or the bootloader controls the code doing the checking, so a clean result on the device's own screen is necessary but not sufficient. Where the vendor offers one, run the host-side authenticity check (Suite's device-authentication step on the Safe 3 line, which challenges the Secure Element) and reinstall the official firmware image yourself before generating a seed.
- Run a "dust test" before funding seriously. Send a small amount, hold it for 48 hours, then look the receiving address up on a block explorer. Any outgoing transaction you did not sign, anything sitting in the mempool, or an explorer label or cluster tag on the address that you do not recognize means you are out $50, not $50,000. Be clear about what this does and does not catch. It catches an automated drainer that sweeps on first funding. It does not catch the patient attacker in the opening example, who holds a derivable seed and simply waits for the balance to grow, so a clean dust test is a cheap sanity check, not a clean bill of health.
- Use a passphrase on top of the seed phrase. A BIP-39 passphrase (the so-called "25th word", though it is an arbitrary string, not a wordlist word) is mixed into the seed derivation and is never written on the seed card. A leaked or enumerable mnemonic on its own then yields only the empty no-passphrase wallet; the attacker also needs the passphrase. Two caveats. The passphrase must be long and random: an attacker who already holds the mnemonic can brute-force it offline at 2048 PBKDF2 rounds per guess, which is cheap, so a word or two from a dictionary falls in seconds. And it only helps against a weakened RNG or a leaked seed card. If the firmware itself is malicious, you type the passphrase into that same firmware, and it can leak the passphrase exactly as it leaks the seed. The fourth layer does not rescue a device that failed the first two.
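The passphrase layer above, and the attacker's side of it, as an added example that is not from the original page or from SatoshiLabs' own code. It implements the standard BIP-39 seed derivation (checked against the published BIP-39 test vector for the all-"abandon" mnemonic with passphrase "TREZOR") and the BIP-32 master-key step, then models the supply-chain situation from the section on how these attacks differ: the mnemonic is assumed to be already in the attacker's hands, so the only unknown is the passphrase. `seed_fingerprint` is a stand-in for whatever on-chain artefact the attacker matches candidates against, `WEAK_CANDIDATES` is a constructed guess list, and `STRONG_PASSPHRASE` is a made-up six-word string; none of these come from the page.

```python
import hashlib
import hmac
import math
import unicodedata

# Published BIP-39 test vector: all-zero entropy encodes as eleven "abandon"
# plus the checksum word "about"; with passphrase "TREZOR" it derives this seed.
VECTOR_MNEMONIC = "abandon " * 11 + "about"
VECTOR_SEED_HEX = (
    "c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
    "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04"
)

# Constructed attacker guess list: the kind of "memorable" string people pick
# when told to add a 25th word. The empty string is the standard no-passphrase wallet.
WEAK_CANDIDATES = ["", "password", "123456", "trezor", "hunter2", "satoshi",
                   "bitcoin2025", "MyWallet!", "correcthorse"]

# Made-up six-word passphrase standing in for a diceware-style choice.
STRONG_PASSPHRASE = "ivory-tundra-quartz-pelican-sixteen-mural"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Standard BIP-39 seed derivation: PBKDF2-HMAC-SHA512, 2048 rounds,
    password = NFKD(mnemonic), salt = "mnemonic" + NFKD(passphrase), 64 bytes out."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def master_key(seed: bytes) -> tuple:
    """BIP-32 master private key and chain code: HMAC-SHA512 keyed with
    "Bitcoin seed". Every address the wallet shows descends from this pair."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def seed_fingerprint(seed: bytes) -> str:
    """Constructed stand-in for the on-chain view: anything deterministic in
    the seed (in reality, addresses) lets the attacker test a candidate."""
    return hashlib.sha256(seed).hexdigest()[:16]


def crack_passphrase(mnemonic: str, target_fp: str, candidates) -> tuple:
    """Attacker model for the supply-chain case: the mnemonic is already known,
    so each guess costs one PBKDF2 run. Returns (passphrase, tries) on a hit,
    (None, tries) when the guess list is exhausted."""
    tries = 0
    for candidate in candidates:
        tries += 1
        if seed_fingerprint(bip39_seed(mnemonic, candidate)) == target_fp:
            return candidate, tries
    return None, tries


def passphrase_entropy_bits(words: int, dictionary_size: int = 7776) -> float:
    """Entropy of a passphrase built from `words` uniformly random picks out of
    a dictionary (7776 entries = a standard diceware list)."""
    return words * math.log2(dictionary_size)


if __name__ == "__main__":
    assert bip39_seed(VECTOR_MNEMONIC, "TREZOR").hex() == VECTOR_SEED_HEX
    mnemonic = VECTOR_MNEMONIC  # the attacker is assumed to hold this already

    # Same mnemonic, different passphrase: a different master key, i.e. a
    # different wallet. The no-passphrase wallet is the decoy the attacker sees.
    plain_key, _ = master_key(bip39_seed(mnemonic))
    hidden_key, _ = master_key(bip39_seed(mnemonic, STRONG_PASSPHRASE))
    print("no-passphrase master key:", plain_key.hex()[:16], "...")
    print("passphrase master key:   ", hidden_key.hex()[:16], "...")

    weak_fp = seed_fingerprint(bip39_seed(mnemonic, "hunter2"))
    found, tries = crack_passphrase(mnemonic, weak_fp, WEAK_CANDIDATES)
    print(f"weak passphrase: recovered {found!r} after {tries} PBKDF2 runs")

    strong_fp = seed_fingerprint(bip39_seed(mnemonic, STRONG_PASSPHRASE))
    found, tries = crack_passphrase(mnemonic, strong_fp, WEAK_CANDIDATES)
    print(f"strong passphrase: recovered {found!r} after {tries} PBKDF2 runs")
    print(f"six random diceware words: ~{passphrase_entropy_bits(6):.1f} bits")
```

The numbers are the point: 2048 rounds of PBKDF2 is a few milliseconds per guess on a laptop and far less on a GPU, so a passphrase drawn from a human-sized list is gone as soon as the mnemonic is. Six words chosen with dice (about 77 bits) are not. Note that `crack_passphrase` never needs the device, which is why the firmware-level leak of the passphrase described above defeats this layer entirely.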
The economic frame
A hardware wallet costs $80–250; the portfolio it secures might be $50K–$5M. Whatever a marketplace listing saves you in price or shipping time (the buyer in the opening example saved nothing; he paid full MSRP), it exposes you to a class of attack that leaves no trace a user can see until the funds move. Buying from the manufacturer is the cheapest risk-adjusted decision in the entire custody workflow.