Scammers Mail Fake Ledger and Trezor Letters to Steal Seed Phrases

Scammers use fake postal letters and QR codes to trick Trezor and Ledger users into revealing wallet seed phrases.

Crypto phishing attacks are no longer limited to emails and fake ads. Criminals are now sending physical letters to hardware wallet users. The mail looks official and urges quick action, aiming to trick people into giving away their recovery phrases so that the senders can steal their funds.

Trezor and Ledger Users Warned Over QR Code Phishing Letters

Threat actors impersonating Trezor and Ledger, two major hardware wallet manufacturers, are sending letters to users. The letters claim users must complete a required “Authentication Check” or “Transaction Check.” They warn that failing to do so could cause wallet access problems. Each letter includes a QR code that leads recipients to phishing websites.

Reports show that the letters look official and use the companies’ logos and branding. Meanwhile, both companies suffered past data breaches that exposed customer contact details. The stolen mailing information may have enabled the campaign’s reach.

Cybersecurity expert Dmitry Smilyanets shared one of these fake letters in an X post. In that case, scammers impersonated Trezor and told users to complete an authentication check by February 15, 2026. Non-compliance supposedly meant disrupted access to Trezor Suite.

Moreover, the letter told users to scan a QR code with their phone and follow instructions on a website. It added pressure by saying action was required, even if the feature was already activated. The scammers’ aim was to make people act quickly without thinking.

A similar letter was targeted at Ledger users. It claimed a mandatory “Transaction Check” was coming soon. With the deadline set for October 15, 2025, the message warned that ignoring it could cause transaction problems.

Scanning the QR codes led to fake websites that looked like official Trezor or Ledger pages. The Ledger-related site later went offline, while the fake Trezor site stayed online but was identified as phishing by Cloudflare.

The fake Trezor page displayed a warning banner, urging users to complete authentication by February 15, 2026. An exception for certain newer Trezor Safe models purchased after November 30, 2025, was added on the page. The claim suggested those devices were preconfigured.

Further, the final page asked users to enter their wallet recovery phrase. The form allowed 12, 20, or 24 words. The site said the phrase was required to confirm ownership and activate authentication. In reality, entering it would give scammers full access to the wallet.

Seed Phrase Safety in Focus as Offline Crypto Scams Rise

Physical phishing remains less common than email scams. However, postal campaigns have appeared before. In 2021, criminals mailed modified Ledger devices designed to capture recovery phrases during setup. Another wave of postal phishing targeting Ledger users surfaced in April.

Hardware wallet providers repeatedly warn customers never to share recovery phrases. No legitimate update or security check requires entering a seed phrase online. Companies do not request such data by mail, email, or phone.

Meanwhile, the growing sophistication of scams signals ongoing risk for crypto holders. Offline tactics may appear more credible to some users as printed letters can feel official and urgent.

As such, users should verify any security notices directly through official websites. Typing known web addresses manually is safer than scanning unknown QR codes. Suspicious letters should be reported to wallet providers and cybersecurity authorities immediately.
