Crypto Holders Targeted by Snail Mail Phishing Scam Impersonating Trezor and Ledger

In an unusual and concerning twist on cryptocurrency phishing attacks, cybercriminals have shifted from emails and texts to physical postal mail to target owners of hardware wallets from major manufacturers like Trezor and Ledger.

Traditionally, scams aimed at cryptocurrency users have relied on online channels—phishing emails mimicking wallet services or fake websites that trick people into entering sensitive data. But the latest campaign leverages snail mail letters printed to resemble official communication from Trezor and Ledger, making them far more convincing to unsuspecting recipients.

How the Scam Works

Victims receive a letter that appears to come from the security or compliance teams of their hardware wallet provider. These letters typically:

  • Claim that an urgent “Authentication Check” or “Transaction Check” must be completed to retain full wallet functionality.
  • Include a QR code that recipients are instructed to scan with their phone.

Once scanned, the QR code directs the user to a fraudulent website designed to look like a legitimate setup or verification page from Trezor or Ledger. Here, users are prompted to enter their wallet recovery phrase—a string of 12, 20, or 24 words that gives full access to a cryptocurrency wallet.

If the victim enters this recovery phrase, the scammers can import the wallet to their own device and drain all funds held within. Recovery phrases are essentially the keys to a crypto wallet; anyone who has them can control the wallet and transfer assets at will.

Why This Scam Is Particularly Dangerous

Phishing attacks are nothing new, but receiving a physical letter adds a layer of perceived legitimacy. Many crypto users are wary of suspicious emails and texts, yet physical mail that appears to be printed on company letterhead can lower a person’s guard.

Security experts believe the attackers might be using customer contact information exposed in past data breaches involving Trezor and Ledger to send these letters. While it’s unclear how recipients are selected, previous breaches have made crypto users’ details more accessible to threat actors.

Protecting Yourself

Hardware wallet companies have long warned users: they will never ask for your recovery phrase—ever. Legitimate support teams don’t request it by mail, email, or phone.

Here’s how to stay safe:

  • Ignore unsolicited letters or messages claiming to be from Trezor, Ledger, or other crypto services.
  • Never scan QR codes in unexpected mail, especially if they are tied to account access or security checks.
  • Never enter your recovery phrase into a website or app—only input it directly into your wallet device when restoring it.

Final Thoughts

As crypto theft techniques evolve, so must user awareness. This snail mail phishing scheme highlights how attackers continually adapt to find new ways to deceive even seasoned users. The key takeaway for anyone storing funds in hardware wallets: your recovery phrase is sacred—protect it like a master key, and share it with no one.