
Users of hardware wallets from Ledger and Trezor are again receiving fraudulent physical letters designed to steal their seed recovery phrases.
Cybersecurity expert Dmitry Smilyanets reported receiving a fake Trezor letter demanding an “Authentication Check” by a set deadline. The letter featured a hologram and a QR code linking to a malicious website.
The letter falsely referenced Matěj Žák as “Ledger CEO,” despite Žák being the chief executive of Trezor, underscoring inconsistencies in the scam’s presentation.
Victims who scan the QR code are redirected to phishing sites that mimic official setup pages, prompting them to enter wallet recovery phrases that are then transmitted to attackers via backend APIs.
Once obtained, the recovery phrase allows threat actors to import the wallet and drain funds. Legitimate hardware wallet providers never request seed phrases through websites, email or physical mail.
The latest campaign follows multiple past data breaches affecting Ledger and Trezor, which exposed customer contact details and physical addresses that were used in prior postal phishing waves.
Cybersecurity firm Cyvers said crypto scams rarely decline in bear markets, instead adapting to exploit fear and uncertainty, with impersonation tactics and compliance-themed mail attacks becoming more prevalent during downturns.