Hackers mail fake Trezor Ledger letters

Grafa
Written by Heidi Cuthbert

Crypto hackers are targeting hardware wallet users by mailing fake letters impersonating Trezor and Ledger in a bid to steal wallet recovery phrases and drain funds.

The letters, printed on official-looking letterhead, instruct recipients to complete a mandatory “Authentication Check” or “Transaction Check” by scanning a QR code that directs them to malicious phishing websites.

“To avoid any disruption to your Trezor Suite access, please scan the QR code with your mobile device and follow the instructions on our website,” the letter stated.

The phishing pages request 24-, 20- or 12-word recovery phrases under the guise of verifying device ownership, with entered data transmitted via backend API endpoints that allow attackers to import wallets and seize full control of assets.

The campaign creates urgency by warning of lost functionality and imposing deadlines, including a February 15, 2026 cut-off for Trezor users, while falsely claiming newer devices come pre-configured.

Both Trezor and Ledger have suffered past data breaches that exposed customer contact information, potentially enabling attackers to identify and target hardware wallet owners through physical mail.

Hardware wallet providers have repeatedly stressed they never ask users to share, upload or enter recovery phrases on websites, warning that anyone with access to a seed phrase gains irreversible control over the associated cryptocurrency funds.
