Scammers Are Mailing Fake Trezor and Ledger Letters With QR Codes That Lead to Phishing Sites Designed to Steal Users’ Crypto Wallet Recovery Phrases

    Table of Contents

    Image depicting group of scammers trying to hack into trezor and ledger

    Share

    A new campaign is targeting customers of Trezor and Ledger with physical letters that impersonate official compliance notices. The goal is simple: trick recipients into scanning QR codes that lead to phishing websites designed to steal their wallet recovery phrases—and ultimately, their funds.

    Unlike typical email phishing attempts, these letters arrive via postal mail, complete with company-style branding and urgent compliance language.

    Key Takeaways

    • Physical letters impersonating Trezor and Ledger are being used to trick users into scanning QR codes that lead to phishing sites.
    • The fraudulent notices create urgency with compliance deadlines, warning users they could lose wallet functionality if they fail to act.
    • Scanning the QR codes redirects victims to fake setup pages that request 12-, 20-, or 24-word recovery phrases under the guise of authentication checks.
    • Entering a recovery phrase on these phishing sites gives attackers full control of the victim’s crypto wallet and funds.
    • Hardware wallet manufacturers never ask users to share seed phrases, which should only be entered directly on the device itself.

    Snail Mail With a Deadline

    Letters impersonating Trezor

    Multiple hardware wallet users have reported receiving letters that appear to come from the security or compliance teams of Trezor and Ledger. The documents claim that recipients must complete a mandatory “Authentication Check” or “Transaction Check” to avoid disruptions to wallet functionality.

    One letter reviewed by cybersecurity expert Dmitry Smilyanets warned Trezor users that an authentication requirement would soon become compulsory and must be completed before February 15, 2026. The notice instructed recipients to scan a QR code and finalize the process online.

    The letter read:

    “To avoid any disruption to your Trezor Suite access, please scan the QR code with your mobile device and follow the instructions on our website to enable Authentication Check by February 15th, 2026.”

    It further added:

    “Note: While you may have already received the notification on your Trezor device and enabled Authentication Check, completing this process is still required to fully activate the feature and ensure your device is synchronized with the full functionality of Authentication Check.”

    A similar letter aimed at Ledger users circulated on X, warning of a mandatory “Transaction Check” with a compliance deadline of October 15, 2025.

    The consistent theme across both versions is urgency. Recipients are told they risk losing wallet access or facing transaction signing errors if they fail to act in time.

    QR Codes Lead to Fake Setup Pages

    Scanning the QR codes directs users to websites that closely resemble official Trezor or Ledger setup pages. In the Trezor-themed attack, victims were taken to a domain mimicking a legitimate authentication portal.

    The phishing site displayed a notice stating:

    “Complete Authentication Check setup by February 15, 2026 unless you purchased a Trezor Safe 7, Trezor Safe 5, Trezor Safe 3, or Trezor Safe 1 after November 30, 2025. In that case, it is already pre-configured, and no action is needed.”

    Clicking “Get Started” led to further warnings suggesting that failure to comply could result in limited or blocked access, transaction errors, or interruptions to future updates.

    The final step of the process is where the theft occurs. Users are prompted to enter their 12-, 20-, or 24-word recovery phrase, supposedly to verify device ownership and activate the feature.

    In reality, once entered, the seed phrase is transmitted to an attacker-controlled backend endpoint. With that phrase, criminals can import the wallet onto their own device and immediately drain the assets.

    At the time of reporting, the Ledger-themed phishing domain had been taken offline. The Trezor-themed domain was still accessible but flagged as malicious.

    Why Hardware Wallet Users Are Being Targeted

    Recovery phrases — also known as seed phrases — are the master keys to crypto wallets. They are the human-readable representation of the private keys that control access to funds. Anyone who possesses the phrase has full control of the wallet.

    Hardware wallet manufacturers have long warned users never to share these phrases under any circumstances.

    Neither Trezor nor Ledger will ever ask customers to submit, upload, scan, or type their recovery phrase into a website. The only time a seed phrase should be entered is directly on the hardware device itself when restoring a wallet.

    This latest campaign raises questions about how attackers obtained victims’ home addresses. Both companies have experienced data breaches in recent years that exposed customer contact information. While it is unclear whether this campaign is directly linked to those incidents, exposed mailing data would make such targeting possible.

    Postal phishing campaigns remain rare compared to email scams, but they are not unprecedented. In 2021, modified Ledger devices were mailed to users in an attempt to capture recovery phrases during setup. A separate mail-based phishing wave targeting Ledger customers was reported earlier this year.

    A Shift in Tactics

    What makes this campaign particularly concerning is its use of physical mail to create legitimacy. Many users are conditioned to distrust suspicious emails, but fewer expect a phishing attempt delivered through the postal system.

    The use of QR codes also reduces friction. Instead of typing a suspicious web address into a browser, victims simply scan and are redirected automatically.

    Security professionals warn that any communication—whether digital or physical—demanding urgent action and requesting a recovery phrase should be treated as malicious.

    For hardware wallet users, the rule remains unchanged: your recovery phrase is your crypto. If anyone asks for it, it’s a scam.

    As this campaign demonstrates, attackers are willing to invest in printing, postage, and carefully staged phishing sites to obtain it.

    Related posts:

    1. Bankrupt Crypto Lender Genesis Acquires $2.1Bn Worth of BTC, Here’s Why
    2. Shiba Inu SHIB Posts Losses Despite Seeing 144% Surge in Bullish Metric
    3. Genesis Agrees to $2Bn Settlement in ‘Gemini Earn Program’ Fraud Case
    4. The Sandbox Welcomes Kantana to Build the Future of Entertainment in the Metaverse
    5. Tether Has Officially Launched USA₮, a US-Regulated, Dollar-Backed Stablecoin Built for the American Market

    Disclaimer: This article is intended solely for informational purposes and should not be considered trading or investment advice. Nothing herein should be construed as financial, legal, or tax advice. Trading or investing in cryptocurrencies carries a considerable risk of financial loss. Always conduct due diligence before making any trading or investment decisions.

      Recent Posts

      Categories

      Related Post