The team behind the Trezor multi-cryptocurrency wallet service has discovered a phishing attack against some of its users that took place over the weekend.

The Trezor team says “signs point toward DNS poisoning or BGP hijacking” as the means attackers hijacked legitimate traffic meant for the official domain but redirected these users to a malicious server hosting a fake website. An investigation is still underway to determine the exact cause.

Incident spotted after HTTPS certificate error

The incident came to light after users complained that they encountered an invalid HTTPS certificate when landing on Trezor’s web wallet portal.

An invalid certificate usually means that the website on which users landed was not the actual portal, but someone posing as the Trezor website, which could not cryptographically verify itself as the real website.

This error alerted the Trezor community, whose members quickly reported the incident to the Trezor team, who later confirmed the phishing attempt and warned users about the attack on early Sunday morning (US timezones).

Fake website had other problems

The Trezor team said they determined this was a legitimatee phishing attack and not just random SSL server error (which tend to happen some of the time) because they spotted two problems with the fake website.

The first was an error message that was worded differently from the original Trezor site, which told users that syncing data their Trezor hardware wallet and their Trezor web account had failed.

Second, the fake website was asking users to enter a copy of their “recovery seed,” something the…