A new scam targeting cryptocurrency hardware wallet users has emerged.
Scammers are sending physical letters that appear to be from Trezor and Ledger, directing users to fake websites and aiming to obtain their seed phrases.
The letters sent as part of the campaign are designed to mimic official company letterhead. They state that users must complete a mandatory process called “Identity Verification” or “Transaction Verification” to avoid losing access to their wallets.
Scammers are giving specific deadlines to pressure users into hurrying and asking them to scan the QR code in the letter. These QR codes, in turn, redirect users to phishing sites that mimic the official Trezor and Ledger installation pages.
A fake Trezor email sent to cybersecurity expert Dmitry Smilyanets claimed that device functionality could be restricted if authentication verification wasn’t completed by February 15, 2026. Similarly, a Ledger-themed email shared on social media platform X asserted that a “Transaction Verification” process needed to be completed by October 15, 2025.
While the fake Ledger domain name linked via QR codes has been taken down, it was reported that the Trezor-themed site remained active for a while before being flagged as a phishing site.
The fake Trezor page asks users to enter a 12, 20, or 24-word recovery phrase. The site claims this information is necessary to verify device ownership and activate the feature. However, the entered data is transmitted directly to the attackers via an API in the background.
This information allows attackers to transfer the victim’s wallet to their own devices and steal the crypto assets inside.
It’s unclear what criteria were used to send the letters. However, both Trezor and Ledger have experienced data breaches in recent years that exposed customer contact information. This strengthens the possibility that physical addresses may have fallen into the wrong hands.
Phishing attacks via physical mail are rare, but not entirely new. In 2021, attackers mailed modified Ledger devices designed to steal recovery emotes during setup. A similar campaign targeting Ledger users was also reported in April.
Seed phrases used in hardware wallets can be defined as the text equivalent of private keys and provide full access to the assets in the wallet. Anyone who possesses this phrase can control all the funds in the wallet.
Manufacturers like Trezor and Ledger never ask users to enter recovery phrases into a website, scan a QR code, or share them online. Recovery phrases should only be entered on the hardware device itself, in an environment not connected to the internet.
*This is not investment advice.
