Snail Mail Scam Targets Trezor, Ledger Crypto Wallets
▼ Summary
– Threat actors are sending physical letters impersonating Trezor and Ledger to trick hardware wallet users into revealing their recovery phrases.
– The fraudulent letters create urgency by claiming a mandatory “Authentication Check” or “Transaction Check” is required to avoid losing wallet functionality.
– Scanning the QR codes in the letters leads to phishing websites designed to steal the victim’s wallet recovery phrase.
– These attacks may be possible due to past data breaches at Trezor and Ledger that exposed customer contact information.
– Legitimate hardware wallet manufacturers will never ask users to enter or share their recovery phrase on a website or external device.
A concerning new scam is targeting cryptocurrency investors who use popular hardware wallets. Criminals are sending physical letters through the mail that impersonate official communications from Trezor and Ledger. These deceptive letters pressure recipients into scanning QR codes that lead to sophisticated phishing websites designed to steal their valuable recovery phrases. This tactic marks a significant escalation from typical email phishing, leveraging the perceived legitimacy of a physical document to bypass digital defenses.
The fraudulent letters are printed on convincing letterhead, claiming to be from the companies’ security or compliance teams. They create a false sense of urgency by stating that a mandatory “Authentication Check” or “Transaction Check” must be completed by a specific deadline to avoid losing access to wallet functionality. One such letter, impersonating Trezor, warned users to act by February 15, 2026. The letters instruct recipients to scan an included QR code with a mobile device to begin the supposed verification process.
Scanning the provided QR code directs victims to fake websites that closely mimic the official setup pages for Trezor or Ledger wallets. These malicious sites continue the ruse, displaying warnings that failure to complete the process could result in blocked access, transaction errors, and disruption of future updates. If a victim proceeds, the final page asks them to enter their wallet’s recovery phrase, the master key to their cryptocurrency holdings, under the guise of verifying device ownership.
Once a user submits their recovery phrase on the phishing site, the information is transmitted directly to the attackers. With this phrase in hand, the criminals can instantly import the victim’s wallet onto their own device and drain all funds. It is suspected that these targeted mailings are possible due to past data breaches at both Trezor and Ledger, which exposed customer contact information like mailing addresses.
This incident serves as a critical reminder of a fundamental security rule. You should never, under any circumstances, share your hardware wallet recovery phrase with anyone. Legitimate companies like Trezor and Ledger will never ask you to enter, scan, or submit your seed phrase on a website, computer, or mobile device. A recovery phrase should only ever be entered directly onto the physical hardware wallet itself during a restoration process. Any request for this information, whether via email, text, or even postal mail, is a definitive sign of a scam.
(Source: Bleeping Computer)
