Users of hardware wallets from Ledger and Trezor are once again being targeted by sophisticated phishing scams sent through physical mail.
The letters attempt to trick recipients into revealing their seed recovery phrases, the private keys that control access to their crypto funds. The attacks follow years of data leaks that exposed customer names and addresses.
Cybersecurity expert Dmitry Smilyanets reported receiving a fake Trezor letter urging an urgent “Authentication Check,” complete with a hologram and QR code linking to a fraudulent website.
How is the attack carried out?
The letter was falsely signed as “Ledger CEO Matěj Žák”, who is Trezor’s CEO. A similar scam targeted Ledger users last year with bogus “Transaction Check” notices.
The QR code in the fraudulent letters reportedly directs users to a fake website that closely mimics the official setup pages of Ledger or Trezor.
The goal is to trick victims into entering their wallet recovery, or seed, phrase under the pretense of completing a security check.
Once a user types in the phrase, the information is silently transmitted to the attacker through a backend system. With that recovery phrase, the scammer can recreate the victim’s wallet on their own device and quickly drain the funds.
Hardware wallet providers repeatedly stress that legitimate companies will never ask for a recovery phrase, not via website, email, phone call, or physical mail.
Data breaches become recurrent event in crypto space
Ledger and some of its third-party service providers have faced several major data breaches in recent years, exposing sensitive customer information such as names, email addresses and even physical mailing addresses.
Not only did those leaks lead to phishing attempts, but they also sometimes led to real threats against users.
Trezor also revealed a breach in January 2024 that put the contact information of almost 66,000 customers at risk.
The fallout has been ongoing. In 2021, scammers mailed fake Ledger Nano devices to victims of the earlier 2020 breach. In April 2025, fraudulent letters urged users to scan malicious QR codes, and in May, attackers distributed fake Ledger Live apps to steal seed phrases and drain funds. Ledger formally warned customers about the mail-based phishing campaign in October.