From Whack-a-Mole to Total Eradication

The world’s original hardware wallet — and one of crypto’s biggest targets

Trezor, created by SatoshiLabs in 2013, invented the cryptocurrency hardware wallet industry. As the world’s original device for securing digital assets offline, Trezor occupies a unique and high-stakes position: its users trust it with the private keys to everything they own in crypto — assets that, once lost, are gone forever. There is no bank to call, no insurance company to file a claim with, no payment reversal possible. In the world of self-custody, security is the entire proposition.

That responsibility extends far beyond the hardware itself. Trezor’s global, fully digital presence makes its brand a permanent target: fake websites, fraudulent social accounts, and rogue domains posing as Trezor technical support are designed with one goal — tricking users into surrendering their recovery seeds. In crypto, that’s the equivalent of handing over every asset you own, permanently.

A Threat Landscape That Was 99% Invisible

Jiri Petrik, Head of IT Security at SatoshiLabs, knew the threat was significant. Fake websites, impersonation domains, and fraudulent social accounts impersonating Trezor support were a constant presence. But without systematic monitoring, the team could only see the cases that surfaced organically — roughly 300 to 400 per year, handled manually by the internal team.

The reality, as Jiri suspected, was far worse. “We were pretty sure that without automation we were only seeing the tip of the iceberg,” he explained. Every case that reached the team required manual investigation, reporting, and follow-up — a process that could take 35 to 40 minutes per incident just for the initial report alone, before any follow-up or resolution. At that rate, the thousands of threats operating undetected were simply impossible to address.

The approach was reactive by necessity, not by choice. And in an industry where the consequences of a single successful phishing attack are permanent and irreversible, reactive was not good enough.

Automation, Integration & End-to-End Execution

Trezor selected PhishFort for its ability to operate as a true extension of the security function — not just a detection tool that generates alerts for the internal team to action, but a service that handles threats end-to-end, from discovery to takedown, with minimal intervention required.

Onboarding was deliberately frictionless. Jiri’s team provided their key brand assets, PhishFort configured monitoring, and within hours the platform was surfacing results and initiating takedowns. Critically, the integration fit into Trezor’s existing workflows without forcing the team to change how they operated. “We just added a small piece of integration and set up the communication channel — and then straight away started taking domains down,” Jiri noted.

The platform’s monitoring scope extended far beyond what the internal team had visibility into: fake websites, lookalike domains, fraudulent social media accounts across platforms, and evolving scam scenarios that mutate daily. PhishFort’s specialised knowledge of the crypto threat environment — the specific tactics, the hosting patterns, the social engineering scripts — meant Trezor gained access to expertise that would be impossible to replicate in-house.

100x More Threats Neutralised, Zero Extra Headcount

The numbers tell a story that the team at Trezor could not have anticipated in full. More than 29,000 fake websites and malicious domains have been taken down through PhishFort — a volume roughly 100 times greater than what the team was previously handling manually. The takedown success rate stands at 99.76%, with an average resolution time of 46 hours.

The operational effect inside the security team has been equally significant. The majority of incidents are now handled entirely by PhishFort without requiring any interaction from Trezor’s side. In practical terms, this means support tickets that previously opened a manual investigation process now frequently arrive to find the relevant domain already offline. The threat is gone before the team even has time to act.

For Jiri and his team, the value is measured not just in takedowns, but in what the team can now focus on instead: broader security initiatives, proactive threat research, and platform resilience — rather than the endless, manual process of reporting individual incidents one by one. As Jiri put it, “If you put 29,000 cases through manual processing, even if you’re very fast and focused only on the reporting itself, it would take more than 20 years.”

In an industry where a user’s entire financial life can be stolen with a single compromised recovery phrase, the stakes of that protection cannot be overstated. PhishFort gives Trezor’s users the confidence that the digital environment around their wallet is being actively defended — across every channel, every day.