Hardware Wallet Owners Targeted Again With Physical Mail Phishing Schemes

Fraudsters have returned to using traditional postal mail to exploit individuals affected by hardware wallet provider database compromises that occurred several years back.

Owners of cryptocurrency hardware storage devices from Trezor and Ledger have started reporting new waves of physical mail correspondence designed to trick them into revealing their seed recovery phrases — marking the most recent assault targeting individuals whose information was compromised through multiple data security incidents spanning the last six years.

Cybersecurity professional Dmitry Smilyanets was among the first to document receiving fraudulent correspondence purportedly from Trezor on Feb. 13, instructing recipients to complete an "Authentication Check" before Feb. 15 or face potential device access limitations.

According to Smilyanets, the fraudulent correspondence features a hologram alongside a QR code directing recipients to a fraudulent online platform. The correspondence appears to bear the signature of Matěj Žák, identified as the "Ledger CEO" (when in reality, Matěj Žák serves as Trezor's chief executive officer).

An owner of a Ledger device documented receiving comparable correspondence in October of the previous year, with that particular letter asserting that recipients needed to fulfill required "Transaction Check" processes.

Fraudulent correspondence delivered to Trezor device owners. Source: Dmitry Smilyanets

Scanning a malicious QR code for "mandatory" checks

According to reports, the QR code directs the targeted individual to a harmful online platform designed to mimic authentic Ledger and Trezor initialization pages, deceiving recipients into providing their wallet recovery phrases.

Once entered, the recovery phrase is sent to the malicious actor via a backend API, allowing them to load the targeted individual's wallet onto their own device and extract cryptocurrency assets from it.

Authentic hardware wallet manufacturers never request that customers provide their recovery phrases using any communication channel, whether through online platforms, electronic mail, or traditional postal services.

Not the first time letters have been sent

Ledger, along with its external service providers, has experienced numerous significant data security compromises throughout recent years, leading to unauthorized disclosures of client information, including home addresses utilized for mailing purposes, and to actual physical intimidation.

In the meantime, Trezor acknowledged a data security incident that compromised the contact details of approximately 66,000 clients in January 2024.

During 2021, fraudsters distributed counterfeit Ledger Nano hardware storage devices through postal mail to individuals impacted by the 2020 Ledger information breach.

Physical correspondence urging targets to scan QR codes was distributed in April 2025, whereas in May, cybercriminals employed counterfeit Ledger Live applications to capture seed phrases and drain the cryptocurrency holdings of targeted individuals.

Ledger notified customers about the physical postal mail phishing operation on its online platform in October.