Users of crypto hardware wallets Ledger and Trezor are once again reporting the receipt of physical phishing letters designed to steal their seed recovery phrases — marking the latest attempt to exploit customer data exposed in multiple leaks over the past six years.
Cybersecurity expert Dmitry Smilyanets was among the first to share details on Feb. 13 after receiving a fraudulent letter purporting to be from Trezor. The letter instructed recipients to complete an “Authentication Check” by Feb. 15 or risk having their device restricted.
According to Smilyanets, the scam letter features a hologram and a QR code directing users to a malicious website. It is falsely presented as being signed by Matěj Žák and refers to him as the “Ledger CEO,” even though the real Matěj Žák serves as CEO of Trezor.
A Ledger user reported receiving a nearly identical letter last October, which claimed recipients were required to complete mandatory “Transaction Check” procedures.
Malicious QR codes push “mandatory” checks
The QR code included in the letter reportedly directs recipients to a fake website designed to closely mimic official Ledger and Trezor setup pages. The goal is to trick users into entering their wallet recovery phrases under the guise of completing a required security check.
Once submitted, the recovery phrase is sent to the attacker through a backend API, enabling them to import the victim’s wallet onto their own device and drain the funds.
Legitimate hardware wallet providers never request recovery phrases through any channel — whether via website, email, phone call, or physical mail.
Crypto scams persist despite market downturns
When asked whether crypto scams tend to decline during market downturns, Deddy Lavid, CEO of cybersecurity firm Cyvers, told Cointelegraph that historically, scams do not disappear in bear markets — they simply adapt.
“When speculation drops, opportunistic hacks may slow,” Lavid explained, “but social-engineering and impersonation scams often increase.”
“In downturns, users are more anxious, more reactive, and more susceptible to fear-based tactics like fake compliance letters or wallet alerts.”
Not the first wave of phishing letters
This is far from the first time crypto hardware wallet users have been targeted through physical mail.
Ledger and several of its third-party service providers have experienced multiple large-scale data breaches in recent years. These incidents exposed customer information — including home addresses — which were later used in phishing campaigns and, in some cases, led to physical threats.
Trezor also reported a security incident in January 2024 that exposed the contact details of nearly 66,000 customers.
In 2021, scammers sent counterfeit Ledger Nano devices to individuals affected by the 2020 Ledger data breach. More recently, in April 2025, phishing letters urging recipients to scan QR codes began circulating. In May, attackers distributed fake Ledger Live applications designed to capture seed phrases and drain victims’ crypto holdings.
Ledger formally warned users about the physical mail phishing campaign on its website in October.
