As the digital world continues to evolve, so do the tactics of cybercriminals. Users of the popular crypto hardware wallets Trezor and Ledger are once again facing a wave of physical mail scams designed to steal their wallet recovery phrases. The latest incident, reported by cybersecurity expert Dmitry Smilyanets, involves a spurious letter, purporting to come from Trezor, that demands users perform an ‘Authentication Check’ by a specific date or risk having their device restricted.
Smilyanets, who received the letter on February 13, noted that the scam includes a hologram and a QR code that directs victims to a malicious website. The letter is signed by a fake ‘Matěj Žák,’ purportedly the CEO of Ledger (in reality, Žák is the CEO of Trezor). This sophisticated approach underscores the lengths to which scammers will go to deceive unsuspecting users.
Deconstructing the Scam
The QR code in the letter leads to a fraudulent website that mimics the official setup pages of Trezor and Ledger. Once a user scans the code and enters their wallet recovery phrase, the information is transmitted to the threat actor via a backend API. With the recovery phrase in hand, the attacker can import the victim’s wallet onto their own device and drain the funds.
Legitimate hardware wallet companies, such as Trezor and Ledger, never ask users to share their recovery phrases by any method, whether through a website, email, or physical mail. This is a crucial point that users must remember to protect themselves from such scams.
A History of Data Breaches
This latest attack is not the first of its kind. Both Ledger and Trezor have suffered multiple large-scale data breaches over the past few years, exposing customer data, including physical addresses. In January 2024, Trezor disclosed a security breach that compromised the contact information of nearly 66,000 customers.
In 2021, scammers mailed counterfeit Ledger Nano hardware wallets to victims of the 2020 Ledger data breach. More recently, in April 2025, hackers sent physical letters prompting victims to scan malicious QR codes. In May, fake Ledger Live apps were used to steal seed phrases and drain crypto from victims.
Staying Vigilant
Given the frequency and sophistication of these attacks, it is imperative for users to remain vigilant. Ledger has already alerted users to the physical mail phishing scam on its website, emphasizing the importance of verifying the authenticity of any communication received.
Cybersecurity experts recommend that users:
- Verify the sender’s identity and the legitimacy of any communication received.
- Avoid clicking on links or scanning QR codes from unknown sources.
- Regularly update their hardware wallets and software to the latest versions.
- Use additional security measures, such as two-factor authentication, whenever possible.
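As an added illustration of the advice on QR codes (not code from the article, Trezor or Ledger), this Python sketch checks a URL decoded from a QR code against a defender-maintained allowlist before anyone opens it. The domains `trezor.io` and `ledger.com`, the function name `check_qr_url` and the sample URLs are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

# Assumption: allowlist maintained by the defender; not taken from the article.
OFFICIAL_DOMAINS = ("trezor.io", "ledger.com")

def check_qr_url(url):
    """Return (ok, reason) for a URL decoded from a QR code."""
    try:
        parts = urlsplit(url.strip())
        host, port = parts.hostname, parts.port  # .port raises on junk ports
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "scheme is not https"
    if not host:
        return False, "no hostname"
    if parts.username is not None or parts.password is not None:
        # https://trezor.io@evil.example/ shows the brand but connects elsewhere
        return False, "userinfo before host"
    if port not in (None, 443):
        return False, "non-standard port"
    host = host.rstrip(".")
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        # Homograph lookalikes (e.g. Cyrillic letters) arrive raw or as punycode
        return False, "internationalised hostname"
    for domain in OFFICIAL_DOMAINS:
        # Match on a label boundary so trezor.io.example does not pass
        if host == domain or host.endswith("." + domain):
            return True, "host is under " + domain
    return False, "host is not under an official domain"

# Constructed sample URLs; none are taken from the reported letter.
SAMPLES = [
    "https://trezor.io/start",
    "https://shop.ledger.com/",
    "http://ledger.com/start",
    "https://trezor.io@auth-check.example/",
    "https://trezor.io.auth-check.example/",
    "https://ledger.com.example:8443/",
    "https://tr\u0435zor.io/",          # Cyrillic 'е' in place of Latin 'e'
    "https://xn--trzor-example.io/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(check_qr_url(u), ascii(u))
```

A passing result only shows that the host sits under a vendor domain; as the article notes, no legitimate page asks for the recovery phrase, so a request for it is a red flag regardless of the URL.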
Looking Forward
As the crypto industry continues to grow, so too will the efforts of cybercriminals to exploit vulnerabilities. While hardware wallet companies are taking steps to enhance security, the onus is also on users to stay informed and proactive. By following best practices and remaining skeptical of unsolicited communications, users can significantly reduce their risk of falling victim to these sophisticated scams.
