Scammers Send Fake Letters to Trezor and Ledger Wallet Users

Crypto Phishers Target Trezor and Ledger Users with Physical Mail Again
Scammers in the cryptocurrency space are once more resorting to traditional postal mail to deceive users of popular hardware wallets from Trezor and Ledger. This tactic is not new, as cybercriminals have previously exploited data breaches suffered by these companies several years back to obtain mailing addresses and launch targeted attacks.
Owners of these secure hardware devices, which are designed to safeguard cryptocurrency assets offline, have recently started sharing accounts of receiving suspicious letters in their mailboxes. These messages are carefully crafted to mimic official communications from the wallet manufacturers, with the ultimate goal of tricking recipients into compromising their most critical security information: the seed recovery phrases.
These seed phrases, typically consisting of 12 or 24 random words, serve as the master key to accessing funds stored in a cryptocurrency wallet. If a scammer gains access to this information, they can fully control the victim’s assets, transferring them to their own addresses without any possibility of recovery.
Early Detection by Cybersecurity Expert
One of the initial individuals to raise the alarm was cybersecurity specialist Dmitry Smilyanets. On February 13, he publicly shared details about a fraudulent letter purporting to be from Trezor. The document urgently instructed recipients to complete an “Authentication Check” by February 15, threatening device restrictions if they failed to comply within the deadline.
Smilyanets highlighted several red flags in the letter’s design, including the presence of a convincing hologram sticker and a QR code. When scanned, the QR code directs users to a counterfeit website mimicking Trezor’s official interface. Adding to the deception, the letter appeared to bear the signature of Matěj Žák, falsely identified as the “Ledger CEO.” In reality, Matěj Žák holds the CEO position at Trezor, not Ledger, which is another clear indicator of the forgery.
This incident echoes a previous report from October, where a Ledger customer described receiving an analogous letter. That version insisted on performing essential “Transaction Check” steps, employing similar pressure tactics to prompt immediate action from unsuspecting victims.
Dangers of Malicious QR Codes and Phishing Sites
The primary mechanism of this scam revolves around the QR code embedded in the letter. Upon scanning, it transports users to a phishing webpage that closely replicates the legitimate setup and recovery interfaces of Ledger and Trezor products. The site prompts victims to input their seed recovery phrases under the pretense of verifying account security or complying with mandatory protocols.
As soon as the phrase is submitted, it is immediately forwarded to the attackers through a hidden backend application programming interface, or API. Armed with this data, the criminals can effortlessly import the victim’s wallet onto their own hardware or software, gaining unrestricted access to drain all associated cryptocurrency holdings. This process happens silently and irreversibly, leaving users with no recourse once the theft is complete.
It is crucial for all hardware wallet users to remember a fundamental security principle: legitimate companies like Trezor and Ledger will never request seed phrases or private keys via any channel, whether through websites, emails, phone calls, or physical correspondence. Any such demand is inherently fraudulent.
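As an added illustration (not part of the original article or of either vendor's tooling), the Python code below checks a URL decoded from a QR code against an allowlist of vendor domains and rejects common lookalike forms. The allowlist entries trezor.io and ledger.com, the function name, and all sample URLs are assumptions constructed for this example. In line with the principle above, a URL that passes is still never a reason to type a seed phrase into a website.

```python
from urllib.parse import urlsplit

# Assumption: vendor domains used as the allowlist; not listed in the article.
OFFICIAL_DOMAINS = {"trezor.io", "ledger.com"}

def check_qr_url(url: str) -> tuple[bool, str]:
    """Return (trusted, reason) for a URL decoded from a QR code."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not https"
    # "https://ledger.com@example.org" shows the brand but connects elsewhere.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before host"
    if port not in (None, 443):
        return False, "non-standard port"
    # Non-ASCII or punycode labels can render as lookalike brand names.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "internationalized host"
    # Accept only the exact domain or a true subdomain of it, so that
    # "trezor.io.example.net" and "notledger.com" both fail.
    for domain in OFFICIAL_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return True, "host on allowlist"
    return False, "host not on allowlist"

# Constructed sample URLs, as a QR decoder might return them.
SAMPLES = [
    "https://trezor.io/start",
    "https://trezor.io.example.net/auth-check",
    "https://ledger.com@example.org/transaction-check",
    "https://xn--trzor-dsa.example/",
    "http://ledger.com/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        trusted, reason = check_qr_url(sample)
        print(f"{'OK    ' if trusted else 'REJECT'} {sample}  ({reason})")
```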
Crypto Scams Persist Regardless of Market Conditions
In discussions about whether the ongoing bear market in cryptocurrencies might reduce scam activity, Deddy Lavid, CEO of the cybersecurity company Cyvers, told Cointelegraph that historical patterns show crypto-related fraud does not diminish during downturns; instead, it transforms and adapts to new opportunities.
Lavid noted that while speculative hacks tied to high market volatility might decrease when prices fall, scams relying on social engineering and impersonation tend to proliferate. “When speculation drops, opportunistic hacks may slow, but social-engineering and impersonation scams often increase,” he stated. He further elaborated that market slumps heighten user anxiety, making them more prone to hasty decisions driven by fear-inducing messages, such as bogus compliance notifications or urgent wallet warnings.
History of Data Breaches and Repeated Postal Scams
This wave of physical mail phishing is far from an isolated event. Ledger and its affiliated service providers have endured several major data incidents in recent years, compromising customer details like names, email addresses, and crucially, physical mailing addresses. These leaks have enabled scammers to send targeted threats directly to victims’ homes.
Trezor itself disclosed a significant breach in January 2024, where contact information for approximately 66,000 users was exposed, heightening phishing risks for those individuals. Looking back further, in 2021, fraudsters distributed fake Ledger Nano devices to addresses obtained from the 2020 Ledger breach, attempting to dupe users into transferring funds to counterfeit hardware.
More recent precedents include QR code-laden letters mailed in April 2025, urging scans that led to phishing sites. In May of the same year, attackers deployed bogus Ledger Live applications to harvest seed phrases and siphon funds. By October, Ledger officially warned its community on its support page about these physical mail scams, advising vigilance against any unsolicited postal communications requesting sensitive data.
Users are strongly encouraged to stay informed about these evolving threats, verify all communications through official channels, and never share recovery phrases. Protecting one’s seed phrase remains the cornerstone of hardware wallet security in an era of persistent cyber threats.
