Scammers Mail Fake Ledger and Trezor Letters to Steal Seed Phrases

Scammers use fake postal letters and QR codes to trick Trezor and Ledger users into revealing wallet seed phrases.

Crypto phishing attacks are no longer limited to emails and fake ads. Criminals are now sending physical letters to hardware wallet users. Mail looks official and urges quick action, aiming to trick people into giving away their recovery phrases and steal their funds.

Trezor and Ledger Users Warned Over QR Code Phishing Letters

Threat actors are sending letters to users impersonating Trezor and Ledger, two major hardware wallet manufacturers. Letters claim users must complete a required “Authentication Check” or “Transaction Check.” They warn that failing to do so could cause wallet access problems. Each letter includes a QR code that leads recipients to phishing websites.

Reports show that letters look official and use the company’s logos and branding. Meanwhile, both companies suffered past data breaches that exposed customer contact details. Stolen mailing information may have enabled campaign reach.

Cybersecurity expert Dmitry Smilyanets shared one of these fake letters in an X post. In that case, scammers impersonated Trezor and told users to complete an authentication check by February 15, 2026. Non-compliance supposedly meant disrupted access to Trezor Suite.

Moreover, the letter told users to scan a QR code with their phone and follow instructions on a website. It added pressure by saying action was required, even if the feature was already activated. The scammers’ aim was to make people act quickly without thinking.

A similar letter was targeted at Ledger users. It claimed a mandatory “Transaction Check” was coming soon. With the deadline set for October 15, 2025, the message warned that ignoring it could cause transaction problems.

Scanning QR codes led to fake websites that looked like official Trezor or Ledger pages. The ledger-related site later went offline, while the fake Trezor site stayed online but was identified as phishing by Cloudflare.

The fake Trezor page displayed a warning banner, urging users to complete authentication by February 15, 2026. An exception for certain newer Trezor Safe models purchased after November 30, 2025, was added on the page. The claim suggested those devices were preconfigured.

Further, the final page asked users to enter their wallet recovery phrase. The form allowed 12, 20, or 24 words. To confirm ownership, the site required a phrase to activate authentication. In reality, entering it would give scammers full access to the wallet.

Seed Phrase Safety in Focus as Offline Crypto Scams Rise

Physical phishing remains less common than email scams. However, postal campaigns have appeared before. In 2021, criminals mailed modified Ledger devices designed to capture recovery phrases during setup. Another wave of postal phishing targeting Ledger users surfaced in April.

Hardware wallet providers repeatedly warn customers never to share recovery phrases. No legitimate update or security check requires entering a seed phrase online. Companies do not request such data by mail, email, or phone.

Meanwhile, the growing sophistication of scams signals ongoing risk for crypto holders. Offline tactics may appear more credible to some users as printed letters can feel official and urgent.

As such, users should verify any security notices directly through official websites. Typing known web addresses manually is safer than scanning unknown QR codes. Suspicious letters should be reported to wallet providers and cybersecurity authorities immediately.