Fake Trezor, Ledger letters target crypto wallet recovery phrases


Crypto hackers are sending physical letters impersonating Trezor and Ledger to steal cryptocurrency wallet recovery phrases.

Summary

  • Hackers mail fake Trezor and Ledger letters with phishing QR codes.
  • Sites request recovery phrases and grant attackers full wallet control.
  • Hardware wallet firms never ask users to share seed phrases.

The phishing campaign claims recipients must complete mandatory “Authentication Check” or “Transaction Check” procedures.

The hackers also create urgency with a deadline of February 15, 2026 for Trezor. The letters, printed on official-looking letterhead, direct users to scan QR codes leading to malicious websites.

The phishing sites request 24-, 20-, or 12-word recovery phrases under the pretense of verifying device ownership.

Once entered, the recovery phrases are transmitted to threat actors through backend API endpoints, granting attackers full control over victims’ wallets and funds.

Both hardware wallet companies suffered data breaches in recent years that exposed customer contact information.

Phishing sites create urgency through functionality warnings

Cybersecurity expert Dmitry Smilyanets received a fake Trezor letter warning that failure to complete authentication would result in lost device functionality.

“To avoid any disruption to your Trezor Suite access, please scan the QR code with your mobile device and follow the instructions on our website,” the letter stated.

The Trezor phishing site displays warnings about limited access, transaction signing errors, and disruption with future updates.

[Image: Physical crypto phishing letters]

A similar Ledger-themed letter circulated on X, claiming Transaction Check would become mandatory.

The phishing pages allow users to enter recovery phrases in multiple formats, falsely claiming the information verifies device ownership and enables authentication features.

Once victims enter recovery phrases, the data is transmitted to the phishing site. Attackers then import the wallet onto their own devices and drain funds.
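The submission step described above is something a web proxy or DLP rule can watch for. The following is an added example, not code from the article or from Trezor or Ledger: a heuristic that flags outbound form or JSON bodies whose fields hold 12, 20 or 24 wordlist-shaped words, whether typed into one box, numbered, or split one word per field. The 3-to-8-letter word shape, the field names and the sample phrase are assumptions made for the example.

```python
import json
import re
from urllib.parse import parse_qsl

PHRASE_LENGTHS = {12, 20, 24}      # word counts named in the article
# Assumption: wallet wordlist entries are 3-8 lowercase ASCII letters.
WORD = re.compile(r"[a-z]{3,8}")

def phrase_words(text):
    """Split on whitespace/commas and drop numbering such as '1.' or '2)'."""
    tokens = re.split(r"[\s,;]+", text.strip().lower())
    tokens = [re.sub(r"^\d+[.):]?", "", t) for t in tokens]
    return [t for t in tokens if t]

def looks_like_recovery_phrase(text):
    words = phrase_words(text)
    return len(words) in PHRASE_LENGTHS and all(WORD.fullmatch(w) for w in words)

def parse_fields(body, content_type):
    """Return (name, value) pairs from a JSON object or urlencoded form body."""
    if "json" in content_type:
        try:
            data = json.loads(body)
        except ValueError:
            return []
        return list(data.items()) if isinstance(data, dict) else []
    return parse_qsl(body)

def scan_request(body, content_type="application/x-www-form-urlencoded"):
    """Name the fields of one outbound request that carry a phrase-shaped value."""
    fields = parse_fields(body, content_type)
    hits = []
    for name, value in fields:
        if isinstance(value, list):            # e.g. {"words": ["alpha", ...]}
            value = " ".join(str(v) for v in value)
        if isinstance(value, str) and looks_like_recovery_phrase(value):
            hits.append(name)
    # Format variant: one input box per word (w1=..., w2=..., ...).
    singles = [v for _, v in fields
               if isinstance(v, str) and WORD.fullmatch(v.strip().lower())]
    if not hits and len(singles) in PHRASE_LENGTHS:
        hits.append("<per-word fields>")
    return hits

# Constructed sample, not a real wallet phrase: 12 NATO-alphabet words.
SAMPLE = "alpha bravo delta echo hotel india kilo lima mike oscar papa romeo"
```

Because it matches the shape of a phrase rather than a wordlist, a hit is a signal to review together with the destination domain, not proof of a stolen phrase.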

The letters create false urgency by claiming devices purchased after November 30, 2025 come pre-configured, pressuring earlier buyers to act.

Crypto hardware wallet companies never request recovery phrases

Physical mail phishing campaigns targeting hardware wallet users remain relatively rare. Crypto hackers mailed modified Ledger devices in 2021 designed to steal recovery phrases during setup. A similar postal campaign targeting Ledger users was reported in April.

Anyone possessing a wallet’s recovery phrase gains full control over the wallet and all funds. Trezor and Ledger never ask users to enter, scan, upload, or share recovery phrases through any channel.

Recovery phrases should only be entered directly on hardware wallet devices when restoring wallets, never on computers, mobile devices, or websites.

The targeting criteria for the physical letters remain unclear. However, both companies’ past data breaches exposed customer mailing addresses and contact information to potential attackers.
