You can also read this article in German.

When it comes to your cryptocurrencies, the BitBox02 hardware wallet goes to extreme lengths to secure them against all conceivable threats. Your keys are created on the device and never leave it, except when you create a backup. This means that your backup, which allows you to restore your whole wallet including all funds in a different wallet, needs to be kept secure.

For an attacker, it is much easier to go after the backup than to try to breach the BitBox02. Getting physical access to the backup is also quite difficult, but what if they simply asked you to hand it over yourself? “Impossible!” you might say, but that is exactly what scam emails do. They use every psychological trick in the book. And at scale, they are succeeding.

Within the last few months, we became aware of two scam emails using the BitBox layout. Scammers will keep trying to make a quick buck, so it’s important to understand how these scam emails work in general. In this article, we describe the general anatomy of such scams, how you can identify fraudulent emails, and one simple rule that will keep your bitcoin safe.

Let's walk through this together. Your security is, and always will be, our top priority.

Understanding the scam

The world of digital money is no stranger to low-tech scams, commonly known as phishing attacks. The term “phishing” comes from “fishing”: casting a wide net in the hope of reeling in a few victims. Email makes this easy, as sending a scam email to millions of people costs next to nothing. And if the scam succeeds with just a few of them, the rewards can be significant.

Phishing scams operate on deception. In the two cases we’ve seen related to BitBox, the scammers have been sending out emails that mimic official BitBox communications. These emails are designed to look genuine, leveraging the trust you place in us to manipulate your actions. They may mirror our newsletter layout and use similar language, all in an attempt to convince you that they're authentic.

Clearly fake: a program asks for your recovery words. The BitBoxApp would NEVER do that.

The objective of these scam emails is to trick you into downloading a malicious version of the BitBoxApp. This app is a trojan horse, appearing legitimate on the surface while hiding malicious intent. For example, the fake “BitBoxApp” might at one point ask you to enter your backup recovery words, which it then sends back to the attacker. With your recovery words, they have full control over your wallet and can clean it out.

This brings us to the one golden rule:

Never enter your wallet backup on any other device than the BitBox02.

This rule is valid for both BitBox backup methods:

  • microSD card: never put it into any other device than the BitBox02
  • Recovery words: only enter them directly on the BitBox02, and never expose them to any other device (e.g., by storing them in a password manager, or taking a picture with your phone)

Identifying malicious emails

Phishing emails can be crafty, but there are signs to help you spot them:

  1. Look at the sender's email: BitBox emails come from our official internet domain @bitbox.swiss (and formerly @shiftcrypto.ch). If the sender's address is different or looks weird, be cautious.
  2. Check for bad grammar and spelling: We care about communication. Emails from BitBox are usually well-written. If an email has lots of errors, it might be a scam.
  3. Beware of urgent action requests: If an email asks you to act quickly or else something bad will happen, it might be a trick. We'll never pressure you to make quick decisions about your security. If something urgent should ever come up, we’d strive to provide context by linking to a blog post. In cases like this, it’s always good to be careful and verify the email's claims through additional sources.
  4. Double-check links and attachments: Don't click on links or download attachments from emails you weren't expecting. They could be harmful.
  5. Watch for requests for personal info: BitBox will NEVER ask you for your 24 recovery words or backup details. EVER.

Clearly fake: a scam email from a dubious email address, even though it looks like a BitBox email

Remember: if an email seems suspicious, trust your gut and reach out to us at [email protected]. It's better to be safe than sorry.
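The sender, urgency and link checks from the list above can be automated for triage. The following is an added example (not BitBox's own code): the two raw emails are constructed for illustration, and the lookalike domains `bitbox-swiss.com` and `example-downloads.net` are made up. The official domain list is the one named in the article. Note that the link check compares the registrable domain of the target, not just whether the string `bitbox.swiss` appears somewhere in it, because a host like `bitbox.swiss.example-downloads.net` is not bitbox.swiss.

```python
# Added example (not BitBox's own code): automating the sender, urgency and
# link checks from the list above. OFFICIAL_DOMAINS comes from the article;
# both raw emails below are constructed, and the lookalike domains are made up.
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

OFFICIAL_DOMAINS = {"bitbox.swiss", "shiftcrypto.ch"}

# Constructed phishing sample: lookalike sender, urgency in the subject, and a
# link whose visible text says bitbox.swiss while the href is an .exe elsewhere.
SCAM_EML = b"""\
From: BitBox Team <news@bitbox-swiss.com>
To: user@example.org
Subject: URGENT: Update your BitBoxApp now
Content-Type: text/html; charset=utf-8

<html><body>
<p>A critical update is available. Install it within 24 hours.</p>
<p><a href="https://bitbox.swiss.example-downloads.net/BitBoxApp.exe">
https://bitbox.swiss/blog</a></p>
</body></html>
"""

# Constructed legitimate sample: official sender, no pressure, link to the blog.
LEGIT_EML = b"""\
From: BitBox <news@bitbox.swiss>
To: user@example.org
Subject: BitBox News: new BitBoxApp release
Content-Type: text/html; charset=utf-8

<html><body><p>Read the release notes:
<a href="https://bitbox.swiss/blog/">https://bitbox.swiss/blog</a></p></body></html>
"""


def sender_domain(msg):
    """Domain of the real From: address, ignoring the display name."""
    _, addr = parseaddr(str(msg["From"] or ""))
    return addr.rpartition("@")[2].lower()


def registrable_domain(host):
    """Last two labels of a hostname. Crude (a real filter would use the Public
    Suffix List), but enough to stop 'bitbox.swiss.evil.net' passing as bitbox.swiss."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw):
    """Run the checks on a raw RFC 5322 message; returns a list of findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    dom = sender_domain(msg)  # check 1: exact match against official domains
    if dom not in OFFICIAL_DOMAINS:
        kind = "lookalike" if any(o.split(".")[0] in dom for o in OFFICIAL_DOMAINS) else "foreign"
        findings.append(f"sender domain {dom!r} is {kind}, not official")

    subject = str(msg["Subject"] or "")  # check 3: urgency pressure
    if re.search(r"\b(urgent|immediately|within \d+ hours?)\b", subject, re.I):
        findings.append("subject uses urgency pressure")

    body = msg.get_body(preferencelist=("html",))  # check 4: links and attachments
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            host = urlsplit(href).hostname or ""
            shown = urlsplit(text if "://" in text else "//" + text).hostname or ""
            if registrable_domain(host) in OFFICIAL_DOMAINS:
                continue
            if registrable_domain(shown) in OFFICIAL_DOMAINS:
                findings.append(f"link text shows {shown!r} but href goes to {host!r}")
            if re.search(r"\.(exe|dmg|msi|deb|appimage)$", urlsplit(href).path, re.I):
                findings.append(f"direct installer link to {host!r}")
    return findings


if __name__ == "__main__":
    for name, raw in (("scam", SCAM_EML), ("legit", LEGIT_EML)):
        print(name, triage(raw) or ["no findings"])
```

Run as a script it prints the findings for both samples: the scam message trips all three checks (four findings), the legitimate one trips none. The domain comparison is deliberately exact rather than a substring match; a substring check is precisely what a lookalike domain is designed to fool.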

What about real BitBox emails?

We value direct communication with our users through many different channels. The best way to stay up to date is our newsletter. About every two weeks, we send out an email highlighting articles, events, product updates, and special BitBox offers.

When we mention a new BitBox release, it’s important not to trust this information blindly or install an update without checking its origin. That’s good advice in general for everything on the internet.

The following security principles help you update the BitBoxApp securely:

  • We don’t link directly to installation files. When we write about a new update in the BitBox News, we always link to a release blog post on our official blog at https://bitbox.swiss/blog.
  • Make sure that you download from our official website. The easiest way to make sure you are on the official BitBox website is to enter the internet address manually. You can also check that the connection is secure by clicking on the little lock next to the address in your browser. Keep in mind that the lock only confirms an encrypted connection to the domain shown in the address bar; a scam site can have one too, so check the spelling of the domain itself.

What to do if you receive a scam email

Scam phishing emails only become a threat once you act on them. So if you receive one, you don’t need to do anything. Just delete the email and go on living your life.

Sometimes it might be unclear whether an email is a scam. Use the five checks from the previous section to evaluate the email. Most are really easy to spot.

If you are still unsure, for example because the message is threatening or makes you unsure if your funds are still safe if you don’t act, please forward the email with your questions to [email protected]. We can check if it’s real or a scam and are happy to assist.

Remember, it's better to be safe than sorry. Always report anything that seems suspicious and we'll help you figure out what to do.

Don’t own a BitBox yet?

Keeping your crypto secure doesn't have to be hard. The BitBox02 hardware wallet stores the private keys for your cryptocurrencies offline. So you can manage your coins safely.

The BitBox02 also comes in a Bitcoin-only version, featuring a radically focused firmware: less code means less attack surface, which further improves your security when you only store Bitcoin.

Grab one in our shop!

Frequently Asked Questions (FAQ)

What are phishing attacks in the context of bitcoin?
Phishing attacks, often related to digital money like bitcoin, involve scammers sending deceptive emails to trick recipients into revealing sensitive information.

How do phishing emails operate?
These emails mimic official BitBox communications, leveraging trust to manipulate actions. They might look genuine, but their goal is to deceive users into downloading malicious versions of the BitBoxApp.

What's the golden rule to keep my bitcoin safe from scams?
Never enter your wallet backup on any device other than the BitBox02. This includes both microSD card backups and recovery words.

How can I identify malicious emails?
Check the sender's domain, look for grammatical errors, be wary of urgent action requests, avoid unexpected links or attachments, and remember BitBox will never ask for your 24 recovery words.

Shift Crypto is a privately-held company based in Zurich, Switzerland. Our team of Bitcoin contributors, crypto experts, and security engineers builds products that enable customers to enjoy a stress-free journey from novice to mastery level of cryptocurrency management. The BitBox02, our second generation hardware wallet, lets users store, protect, and transact Bitcoin and other cryptocurrencies with ease - along with its software companion, the BitBoxApp.