Scammers target Trezor and Ledger users with fake mail letters

Threat actors are mailing physical letters impersonating Trezor and Ledger to trick cryptocurrency hardware wallet users into revealing recovery phrases. The letters create urgency by claiming mandatory checks are required to avoid losing wallet access. Victims scanning included QR codes are directed to phishing sites that steal their wallet information.

Cybercriminals have launched a phishing campaign using snail mail to target users of Trezor and Ledger hardware wallets. The letters, printed on fake official letterhead, pretend to come from the companies' security and compliance teams. They warn recipients of upcoming mandatory procedures, such as an "Authentication Check" for Trezor or a "Transaction Check" for Ledger, with deadlines of February 15, 2026, and October 15, 2025, respectively.

One such letter mimicking Trezor, received by cybersecurity expert Dmitry Smilyanets, states: "To avoid any disruption to your Trezor Suite access, please scan the QR code with your mobile device and follow the instructions on our website to enable Authentication Check by February 15th, 2026." It adds that even if users have already enabled the feature on their device, further action is needed for full synchronization.

A similar Ledger letter, shared on X, urges users to complete the check to prevent disruptions. The QR codes link to fraudulent websites, including trezor.authentication-check[.]io and ledger.setuptransactioncheck[.]com. These sites replicate official setup pages and pressure users to enter their 12-, 20-, or 24-word recovery phrases under the guise of verifying device ownership.

Once submitted, the phrases are sent to an attacker-controlled API at trezor.authentication-check[.]io/black/api/send.php, allowing thieves to access and drain victims' wallets. At the time of reporting, the Ledger site was offline, while the Trezor one was flagged by Cloudflare as phishing.
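The lookalike hosts above put the brand name in a subdomain of an unrelated domain, which a mail gateway, proxy rule, or QR-scan triage script can check mechanically. The sketch below is an added example, not code from the vendors or the original report; the official domains `trezor.io` and `ledger.com` and all function names are assumptions introduced here.

```python
from urllib.parse import urlsplit

# Assumption: the vendors' official domains (not stated in the article).
OFFICIAL = {"trezor": ("trezor.io",), "ledger": ("ledger.com",)}

def refang(indicator: str) -> str:
    """Undo the '[.]' defanging used when indicators are written in reports."""
    return indicator.replace("[.]", ".")

def parse_netloc(url: str):
    """Return (full netloc, hostname), both lower-cased, for a possibly schemeless URL."""
    url = refang(url.strip())
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    return parts.netloc.lower(), host

def under(host: str, domain: str) -> bool:
    """True only if host is the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)

def classify(url: str) -> str:
    netloc, host = parse_netloc(url)
    # 1. Exact or subdomain match against the allowlist, anchored at the right.
    for brand, domains in OFFICIAL.items():
        if any(under(host, d) for d in domains):
            return "official:" + brand
    # 2. Brand string anywhere else in the authority (subdomain label,
    #    hyphenated label, or userinfo before '@') is impersonation.
    for brand in OFFICIAL:
        if brand in netloc:
            return "impersonation:" + brand
    return "unrelated"

if __name__ == "__main__":
    samples = [
        "trezor.authentication-check[.]io/black/api/send.php",  # from the article
        "ledger.setuptransactioncheck[.]com",                   # from the article
        "https://trezor.io/",                                   # constructed
        "https://trezor.io@login.example/",                     # constructed
        "https://example.org/",                                 # constructed
    ]
    for s in samples:
        print(f"{classify(s):22} {s}")
```

The check compares the right-hand end of the hostname, so a brand label on the left of an unrelated domain never passes as official.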

The targeting may stem from past data breaches at both companies, which exposed customer contact details. Trezor and Ledger emphasize that they never request recovery phrases via email, website, or mail. Recovery phrases, which represent private keys, grant full wallet control and should only be entered on the hardware device itself.

This physical phishing tactic is uncommon but echoes earlier incidents, including modified Ledger devices mailed in 2021 and a similar campaign against Ledger users in April.
