Fake Ledger and Trezor Letters Try to Trick Users Into Handing Over Seed Phrases
Physical mail scams that masquerade as official communications from hardware‑wallet manufacturers are on the rise, prompting renewed warnings from the companies and the broader security community.
What happened
In mid‑February, cybersecurity researcher Dmitry Smilyanets disclosed receiving a suspicious envelope that appeared to come from the Trezor team. The letter, dated February 13, demanded that the recipient complete an “Authentication Check” before a two‑day deadline or face supposed restrictions on the device.
The package contained a holographic seal and a QR code. Scanning the code redirected the user to a counterfeit web page designed to look like a legitimate Trezor setup portal, where the attacker asked for the wallet’s recovery seed. The letter was forged to bear the signature of “Matěj Žák, Ledger CEO” – a deliberate mix‑up, since the real Matěj Žák actually leads Trezor.
A similar scheme targeted Ledger owners last October. That mail asked recipients to perform a compulsory “Transaction Check”, also linking to a fake site that captured seed phrases. In both cases the attackers relied on the victim’s trust in physical correspondence and the perceived authority of the companies.
How the scam works
- Harvested contact data – Previous data breaches at Ledger and Trezor have exposed physical addresses and other personal details of thousands of customers. Hackers use these datasets to compile mailing lists.
- Official‑looking envelope – The letters include company logos, a hologram sticker and a formal tone that mimics genuine security notifications.
- QR code to a spoofed page – The code points to a site that mirrors the look of the official device‑setup or account‑recovery pages of Ledger and Trezor.
- Seed‑phrase harvest – Victims who follow the instructions and paste their 12‑ or 24‑word recovery phrase into the fake form have that information transmitted to the attacker’s backend. The phrase can then be imported into a rogue hardware wallet, giving the criminal full control of the funds.
Both hardware‑wallet manufacturers stress that they never request seed phrases via mail, email, phone or any other unsolicited channel. The only legitimate way to recover a wallet is by entering the seed locally on the device itself.
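For a support or security team triaging a reported letter, the URL decoded from the QR code can be classified without ever being visited. The sketch below is an added example, not code from Ledger, Trezor or the original article; the function name `classify_qr_url`, the allowlist entries `trezor.io` and `ledger.com`, and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the vendors' registered domains. Confirm them on each vendor's
# own site before relying on this list.
OFFICIAL_DOMAINS = {"trezor.io", "ledger.com"}


def classify_qr_url(url: str) -> tuple[str, str]:
    """Return (verdict, reason) for a URL decoded from a QR code.

    The URL is only parsed, never fetched. An "official-domain" verdict says
    where the link points; it never makes it acceptable to type a recovery
    phrase into a web page.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:
        return "suspicious", f"unparseable URL: {exc}"
    # hostname is already lower-cased; drop the optional trailing root dot.
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        return "suspicious", f"scheme is {parts.scheme!r}, not https"
    if parts.username is not None or parts.password is not None:
        # https://brand@other-host/ shows the brand but connects to other-host.
        return "suspicious", "userinfo before '@' hides the real host"
    if not host:
        return "suspicious", "no host in URL"
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return "suspicious", "internationalised host can imitate a brand name"
    for domain in sorted(OFFICIAL_DOMAINS):
        # Match the domain itself or a true subdomain, never a bare suffix.
        if host == domain or host.endswith("." + domain):
            return "official-domain", f"host is under {domain}"
    return "suspicious", f"{host} is not under an official domain"


# Constructed sample URLs (not taken from any real letter).
SAMPLES = [
    "https://trezor.io/",
    "https://trezor.io.auth-check.example/start",
    "https://trezor.io@auth-check.example/",
    "https://notledger.com/",
    "http://ledger.com/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", classify_qr_url(sample))
```
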
Historical context
Physical‑mail phishing is not a new threat for the crypto‑hardware‑wallet sector. Ledger has suffered several large‑scale data incidents over the past few years, with leaks that revealed customers’ mailing addresses and other identifying information. In 2021, scammers even mailed counterfeit Ledger Nano devices to victims of a 2020 breach.
Trezor disclosed a breach in January 2024 that exposed contact details of roughly 66 000 users. Since then, the company has warned about phishing attempts that use the compromised data to lure customers.
Earlier in 2025, similar letters were sent out to prompt users to scan QR codes, and later that year hackers distributed fake “Ledger Live” mobile applications that harvested seed phrases. Ledger’s support portal now hosts an explicit alert about these mail‑based scams, advising users to shred any unsolicited hardware‑wallet correspondence.
Expert insight
“The combination of a physical letter, a hologram and a QR code makes the attack very credible. Users are conditioned to trust paper communication from a brand they consider secure,” says Dmitry Smilyanets, who first reported the Trezor‑style scam. “The real danger is that the seed phrase is entered on a remote server, effectively handing the private keys to the attacker.”
Security analyst Maya Klein of CryptoSecure Labs adds that the surge in mail‑phishing reflects a broader trend: “As email‑based phishing becomes more noisy and users are better educated, threat actors are reverting to offline vectors where users feel less suspicious.”
What users should do
| Action | Reason |
|---|---|
| Never share your recovery phrase in any communication that is not a direct input on your hardware device. | The seed phrase is the sole key to your funds. |
| Ignore deadlines that come from unsolicited letters demanding immediate action. | Legitimate security updates are communicated through official channels, not via pressure tactics. |
| Verify the source by checking the sender’s address on the official website or contacting support directly. | Scammers often spoof logos and signatures; a quick verification can stop the attack. |
| Destroy and discard any suspicious mail, especially if it includes QR codes or URLs. | Scanning the code or visiting the link is the trigger for credential theft. |
| Report the incident to the wallet manufacturer and, where applicable, to local cyber‑crime authorities. | Sharing details helps companies improve their defenses and alerts the community. |
Key takeaways
- Data breaches provide the raw material for physical‑mail scams; continued protection of customer information is critical.
- Scammers are leveraging hybrid tactics—combining tangible items (holograms, stamped envelopes) with digital lures (QR codes) to increase credibility.
- Hardware‑wallet users must treat seed phrases as “never‑share” credentials; any request to provide them outside the device is a red flag.
- Vigilance and rapid verification remain the most effective defenses against these increasingly sophisticated phishing campaigns.
Both Ledger and Trezor have updated their support pages with warnings and educational material. Users are urged to review those resources and stay alert to any unexpected physical communications that claim to be from their wallet provider.
The crypto‑security landscape continues to evolve, and the responsibility to safeguard private keys rests primarily with the individual holder. Prompt detection and reporting of scams are essential to protect the broader ecosystem.
Source: https://cointelegraph.com/news/scammers-send-physical-letters-trezor-ledger-users-again?utm_source=rss_feed&utm_medium=feed&utm_campaign=rss_partner_inbound
















