- Trending
- Comments
- Latest
Fraudsters are mailing counterfeit letters to Ledger and Trezor hardware wallet users, complete with holograms and QR codes that redirect victims to fake wallet setup pages, with one recent letter going so far as to falsely identify Trezor’s CEO as a Ledger executive in a bid to steal cryptocurrency seed phrases.
Cybersecurity experts warn that the Physical mail phishing scam represents a growing adaptation of social engineering tactics as attackers exploit personal data obtained from past breaches.
Recent incidents show that the Physical mail phishing scam relies on official-looking correspondence, holograms and malicious QR codes designed to redirect victims to spoofed wallet setup websites. Once users input their seed recovery phrases, attackers gain full access to their cryptocurrency holdings.
The latest wave of the Physical mail phishing scam was highlighted by cybersecurity expert , who reported receiving a fraudulent letter on February 13 that appeared to originate from . The letter instructed recipients to perform an “Authentication Check” by February 15 or risk having their device restricted.
To enhance credibility, the letter included a hologram and a QR code. However, the QR code reportedly directed users to a malicious website that mimicked legitimate wallet setup pages. The letter was falsely presented as being signed by Matěj Žák and incorrectly described him as the CEO of Ledger. In reality, Žák is the CEO of Trezor.
Similar tactics were reported by users in October of last year. Those letters referenced mandatory “Transaction Check” procedures and similarly redirected recipients to fraudulent websites after scanning embedded QR codes.
In both variations of the Physical mail phishing scam, victims were prompted to enter their wallet recovery phrases. Once submitted, the seed phrases were transmitted to threat actors via backend systems, allowing them to import wallets and drain funds.
Both Ledger and Trezor have consistently warned customers that legitimate providers will never request recovery phrases via email, phone, websites or physical mail. A recovery phrase functions as the master key to a cryptocurrency wallet, granting full control over associated assets.
The resurgence of the Physical mail phishing scam comes against a backdrop of previous data leaks affecting hardware wallet customers. Ledger and third-party partners have experienced multiple breaches in recent years that exposed customer information, including physical addresses. also reported a security breach in January 2024 that exposed contact details of nearly 66,000 customers.
Such data exposures can provide attackers with the personal information necessary to execute targeted mail-based scams. By combining official branding elements with accurate mailing addresses, fraudsters can increase the perceived legitimacy of their communications.
The trend underscores how the Physical mail phishing scam leverages offline channels to bypass traditional digital security awareness measures.
Security concerns extend beyond hardware wallet providers. disclosed a separate data breach caused by a social-engineering attack on one of its employees.
A company spokesperson told that the breach allowed hackers to access “a limited number of files.” The company has begun notifying affected individuals and is offering free credit-monitoring services to those receiving official notifications.
The hacking collective claimed responsibility for the incident, alleging that Figure declined to pay a ransom demand. The group stated it subsequently published approximately 2.5 gigabytes of data on its dark-web leak site. TechCrunch reported reviewing samples of the leaked material, which included customers’ full names, residential addresses, dates of birth and phone numbers.
Such personal data can be used in identity theft schemes and targeted phishing campaigns, including tactics similar to the Physical mail phishing scam affecting hardware wallet users.
Despite these incidents, overall crypto phishing losses declined in 2025, according to data from . Reported losses linked to wallet drainers fell to $83.85 million, representing an 83% drop from nearly $494 million in 2024. The number of victims also decreased by approximately 68% year over year to around 106,000 across Ethereum Virtual Machine chains.
However, researchers caution that reduced losses do not signal the end of phishing threats. Instead, phishing activity often tracks broader market cycles. Periods of increased trading activity tend to coincide with spikes in phishing-related losses, while quieter markets see temporary declines.
Deddy Lavid, CEO of cybersecurity firm Cyvers, noted that crypto scams historically adapt rather than disappear during downturns. He explained that while speculative hacks may slow when markets cool, social engineering and impersonation schemes frequently increase, particularly when users are more anxious.
The persistence of the Physical mail phishing scam illustrates this adaptability. As digital awareness improves, attackers are turning to physical correspondence to exploit trust and urgency.
Security experts continue to stress that no legitimate wallet provider will ever request a recovery phrase. Users are advised to verify communications through official channels and treat unsolicited letters with skepticism, particularly those urging immediate action.
