SatoshiLabs, the company that designs and markets Trezor crypto hardware wallets, has issued a detailed explanation of an incident that led to the posting of fraudulent presale token announcements on its official X account.

The company said the security breach was caused by a phishing attack, not a SIM-swap attack, which it suspected at the time.

SatoshiLabs emphasized that it does not use a mobile device for two-factor authentication, instead opting for more secure methods of authentication.

Despite these precautions, attackers made a series of unauthorized and misleading posts, including requests for users to send funds to an unidentified wallet address alongside harmful links, which sent users to a bogus token presale site.

Independent blockchain sleuth ZachXBT notified his 528,000 followers on X of Trezor’s suspected breach in a March 19 X post.

The official X account of hardware wallet manufacturer Trezor published a series of posts directing users to fraudulent presale token offerings.

Source: Trezor

SatoshiLabs disclosed that it detected unauthorized entry into its X account on March 19. It now suspects it to be a sophisticated and premeditated phishing attack planned by hackers over several weeks.

Once SatoshiLabs became aware of the breach, the deceptive posts were promptly identified and removed, limiting damage. The company said:

“We want to stress here that the security of all our products remains unaffected. This incident has in no way impacted or compromised the security of Trezor hardware wallets or any of our other products.”

Investigations indicate that starting on Feb. 29, the attackers posed as credible entities in the cryptosphere. They maintained a convincing social media presence and engaged in seemingly authentic discussions.

Related: HECO Chain exploiter anonymizes $145M of Ether on Tornado Cash in 8 days

Under the guise of a well-established X account with thousands of followers, the impersonator contacted SatoshiLabs’ public relations team, suggesting an interview with the CEO. Following this, a meeting was arranged, during which the impersonator shared a malicious link disguised as a Calendly calendar invitation.

A team member was prompted for their X login credentials by clicking the calendar link, raising suspicion. However, the meeting was rescheduled. In the next session — pretending to be facing technical issues — the attacker succeeded in linking their Calendly to SatoshiLabs’ X account.

Trezor suffered a security breach in January that exposed the contact information of nearly 66,000 users. According to the firm’s website, the wallet maker has sold over two million hardware wallets since it launched in 2012.

Magazine: $3.4B of Bitcoin in a popcorn tin — The Silk Road hacker’s story