Scammers use fake postal letters and QR codes to trick Trezor and Ledger users into revealing wallet seed phrases.
Crypto phishing attacks are no longer limited to emails and fake ads. Criminals are now sending physical letters to hardware wallet users. Mail looks official and urges quick action, aiming to trick people into giving away their recovery phrases and steal their funds.
Trezor and Ledger Users Warned Over QR Code Phishing Letters
Threat actors are sending letters to users impersonating Trezor and Ledger, two major hardware wallet manufacturers. Letters claim users must complete a required “Authentication Check” or “Transaction Check.” They warn that failing to do so could cause wallet access problems. Each letter includes a QR code that leads recipients to phishing websites.
Reports show that letters look official and use the company’s logos and branding. Meanwhile, both companies suffered past data breaches that exposed customer contact details. Stolen mailing information may have enabled campaign reach.
Cybersecurity expert Dmitry Smilyanets shared one of these fake letters in an X post. In that case, scammers impersonated Trezor and told users to complete an authentication check by February 15, 2026. Non-compliance supposedly meant disrupted access to Trezor Suite.
Moreover, the letter told users to scan a QR code with their phone and follow instructions on a website. It added pressure by saying action was required, even if the feature was already activated. The scammers’ aim was to make people act quickly without thinking.
A similar letter was targeted at Ledger users. It claimed a mandatory “Transaction Check” was coming soon. With the deadline set for October 15, 2025, the message warned that ignoring it could cause transaction problems.
Scanning QR codes led to fake websites that looked like official Trezor or Ledger pages. The ledger-related site later went offline, while the fake Trezor site stayed online but was identified as phishing by Cloudflare.
The fake Trezor page displayed a warning banner, urging users to complete authentication by February 15, 2026. An exception for certain newer Trezor Safe models purchased after November 30, 2025, was added on the page. The claim suggested those devices were preconfigured.
Further, the final page asked users to enter their wallet recovery phrase. The form allowed 12, 20, or 24 words. To confirm ownership, the site required a phrase to activate authentication. In reality, entering it would give scammers full access to the wallet.
Seed Phrase Safety in Focus as Offline Crypto Scams Rise
Physical phishing remains less common than email scams. However, postal campaigns have appeared before. In 2021, criminals mailed modified Ledger devices designed to capture recovery phrases during setup. Another wave of postal phishing targeting Ledger users surfaced in April.
Hardware wallet providers repeatedly warn customers never to share recovery phrases. No legitimate update or security check requires entering a seed phrase online. Companies do not request such data by mail, email, or phone.
Meanwhile, the growing sophistication of scams signals ongoing risk for crypto holders. Offline tactics may appear more credible to some users as printed letters can feel official and urgent.
As such, users should verify any security notices directly through official websites. Typing known web addresses manually is safer than scanning unknown QR codes. Suspicious letters should be reported to wallet providers and cybersecurity authorities immediately.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
Resolv Hack Mints $80M Fake USR, Triggers Market Chaos
A security breach at Resolv Labs allowed attackers to mint 80 million uncollateralized USR stablecoins, causing a price collapse and market instability. Resolv paused contracts, burned illicit tokens, and confirmed $141 million in secure collateral.
CryptoFrontNews19m ago
Hacked for $110 Million as the Final Straw! DeFi Protocol Balancer's Development Company to Cease Operations
Trading Protocol Balancer Faces Major Turning Point, Founder Announces Balancer Labs Will Cease Operations, Protocol to Continue in Streamlined Form. This decision stems from security vulnerabilities and legal risks, with the current operational model becoming unsustainable. Despite significant TVL decline, Balancer still generates over $1 million in annualized fee revenue. The team has proposed an aggressive restructuring plan that includes token buybacks, revenue structure reforms, and focuses on five core product lines. Following the transformation, the team will concentrate on enhancing the protocol's competitiveness.
区块客2h ago
Venus Flash Loan Attacker Transferred 1743 ETH to New Address 50 Minutes Ago
According to analyst monitoring, the flash loan attacker on the Venus platform transferred 1743 ETH, with the address holdings reaching 7450 ETH, and funds being used for Aave yield farming. Venus has experienced multiple security incidents since 2021, with losses exceeding $270 million.
GateNews2h ago
Stablecoin USR Suddenly Crashes and Depegs! Resolv Reveals "Minting Vulnerability" Exploited by Hackers, Who Steal $25 Million
DeFi protocol Resolv suffered an attack on March 22, where hackers minted 80 million stablecoins USR at low cost and cashed out approximately $25 million, causing USR to depeg and triggering market volatility. The attack stemmed from a lack of security measures on the protocol's privileged accounts, impacting overall liquidity and affecting the lending market. Resolv subsequently suspended the protocol and emphasized that collateral pools remained unaffected, but experts believe the hidden losses caused by the incident are significant.
区块客4h ago
Husband accuses wife of stealing over 2,000 bitcoins! Judge: The plaintiff has a very high chance of winning.
The UK High Court is hearing a Bitcoin theft case in which the plaintiff alleges his estranged wife secretly stole 2,323 Bitcoin in 2023. In the case, the plaintiff used audio evidence to prove that the defendant and her sister planned to transfer the Bitcoin. The judge found a high probability of the plaintiff prevailing and ordered asset freezing while dismissing some claims, recommending expedited trial proceedings.
区块客5h ago
7 Associated Accounts Precisely Bet on US-Israel Military Actions, Earning Approximately $1 Million in Profits Over Two Years
Investigation found that 7 associated accounts on a certain prediction market platform made precise bets against U.S. airstrikes over the past two years, accumulating profits of approximately $1 million, allegedly involving insider trading.
GateNews5h ago
