Beware of Phishing: New Snail Mail Scams Targeting Trezor and Ledger Users

Threat Actors Exploit Trust with Fake Letters to Steal Recovery Phrases

Beware of Snail Mail Scams Targeting Cryptocurrency Wallet Users

In a troubling new trend, threat actors are resorting to physical letters to deceive cryptocurrency hardware wallet users, impersonating well-known brands Trezor and Ledger. These letters, designed to create a false sense of urgency, aim to trick recipients into revealing their sensitive recovery phrases, potentially leading to significant financial losses.

Phishing Letters Create False Urgency

Cybersecurity experts have reported a surge in phishing letters that mimic official communications from Trezor and Ledger. These letters claim that users must complete a mandatory “Authentication Check” or “Transaction Check” to maintain access to their wallets. The letters are printed on official-looking letterhead, adding to their deceptive nature.

One such letter, received by cybersecurity expert Dmitry Smilyanets, warns users that failing to complete the Authentication Check by February 15, 2026, could result in losing access to their Trezor devices. The letter instructs recipients to scan a QR code to complete the process, leading them to malicious websites.

The Mechanics of the Scam

The letters are crafted to instill panic, suggesting that users may have already received notifications on their devices. They urge immediate action to avoid disruptions, which is a common tactic used by scammers to pressure victims into compliance.

Scanning the QR codes directs users to phishing sites that closely resemble the official Trezor and Ledger setup pages. For instance, one Trezor phishing site warns users that they must complete the authentication process or face limited access to their wallets.

Once on these fraudulent sites, victims are prompted to enter their recovery phrases—critical information that grants full control over their cryptocurrency wallets. This data is then transmitted to the attackers, who can subsequently drain the victims’ wallets.

A Rare but Dangerous Trend

While phishing emails targeting Trezor and Ledger users are not uncommon, physical mail phishing campaigns are relatively rare. Previous incidents include modified Ledger devices sent through the mail in 2021, designed to steal recovery phrases during setup.

Protecting Yourself from Scams

Experts emphasize the importance of never sharing recovery phrases. These phrases are the keys to accessing cryptocurrency wallets, and anyone with access to them can control the associated funds. Both Trezor and Ledger have made it clear that they will never ask users to enter or share their recovery phrases via email, phone, or any website.

To safeguard against these scams, users are advised to enter recovery phrases only directly on their hardware wallets and to remain vigilant against unsolicited communications, whether digital or physical.

As the cryptocurrency landscape continues to evolve, so too do the tactics employed by cybercriminals. Staying informed and cautious is the best defense against these increasingly sophisticated scams.