Users of crypto hardware wallets Ledger and Trezor are again reporting receiving physical letters aimed at stealing their seed recovery phrases — the latest attack on users who have been exposed in numerous data leaks over the past six years.
Cybersecurity expert Dmitry Smilyanets was one of the first to report receiving a spurious letter from Trezor on Feb. 13, which demands users perform an “Authentication Check” by Feb. 15 or risk having their device restricted.
Smilyanets said the scam uses a hologram and a QR code that leads users to a scam website. The letter is made to appear signed by Matěj Žák, who is described as the “Ledger CEO” (the real Matěj Žák is the CEO of Trezor).
A Ledger user reported receiving a similar letter last October that claimed recipients must complete mandatory “Transaction Check” procedures.
Scanning a malicious QR code for “mandatory” checks
The QR code reportedly leads users to a malicious website designed to look like Ledger and Trezor setup pages, tricking them into entering their wallet recovery phrases.
Once entered, the recovery phrase is transmitted to the threat actor via a backend API, allowing them to import the victim’s wallet to their device and steal funds from it.
Legitimate hardware wallet companies never ask users to share their recovery phrases through any method, including website, email, or snail mail.
No slowdown in crypto scams in bear market
Asked whether crypto scams could see a decline with a crypto market slump, Deddy Lavid, CEO of cybersecurity firm Cyvers, told Cointelegraph that historically, crypto scams don’t decline in bear markets, “they just evolve/adapt.”
“When speculation drops, opportunistic hacks may slow, but social-engineering and impersonation scams often increase,” he said.
“In downturns, users are more anxious, more reactive, and more susceptible to fear-based tactics like fake compliance letters or wallet alerts.”
Not the first time letters have been sent
Ledger and its third-party partners have suffered multiple large-scale data breaches over the past few years, resulting in physical threats and in leaks of customer data, including physical addresses used for postal purposes.
Meanwhile, Trezor flagged a security breach that exposed the contact information of nearly 66,000 customers in January 2024.
In 2021, scammers mailed counterfeit Ledger Nano hardware wallets to victims of the 2020 Ledger data breach.
Physical letters prompting victims to scan QR codes were sent in April 2025, while in May, hackers used fake Ledger Live apps to steal seed phrases and drain crypto from victims.
Ledger alerted users to the physical mail phishing scam on its website in October.