Physical letters impersonating Trezor and Ledger are tricking users into revealing recovery phrases through QR codes leading to phishing sites, marking a shift from digital to postal phishing attacks.
Threat actors are now mailing physical letters to cryptocurrency hardware wallet users, impersonating official communications from Trezor and Ledger to steal recovery phrases and drain crypto funds.
Physical Phishing Letters Target Wallet Users
Cybersecurity researchers have identified a new phishing campaign where threat actors send physical letters through postal mail to Trezor and Ledger hardware wallet users. These letters claim recipients must complete mandatory "Authentication Check" or "Transaction Check" processes by specific deadlines or risk losing access to their wallet functionality.
The letters create urgency by warning users that failure to comply will result in disrupted access, transaction errors, or blocked functionality. Recipients are instructed to scan QR codes printed on the letters, which redirect them to sophisticated phishing websites designed to steal their cryptocurrency recovery phrases.
How the Attack Works
When victims scan the QR codes, they're directed to phishing sites that closely mimic official Trezor and Ledger setup pages. The Trezor phishing site at trezor.authentication-check[.]io displays warnings about mandatory authentication checks and creates false urgency around a February 15, 2026 deadline.
Physical phishing letter sent to Trezor users Source: Smilyanets
The phishing sites use multiple pages to build trust and pressure victims into compliance:
- Landing page - Warns about mandatory authentication requirements
- Setup page - Threatens limited access or blocked functionality if not completed
- Recovery phrase page - Requests the victim's 12, 20, or 24-word recovery phrase
Once victims enter their recovery phrase, the information is transmitted to threat actors through backend API endpoints, allowing them to import the wallet onto their own devices and steal all associated cryptocurrency funds.
Targeting Criteria and Data Breach Connection
The specific targeting criteria for these physical mail campaigns remains unclear, but both Trezor and Ledger have experienced data breaches in recent years that exposed customer contact information. This suggests attackers may be using stolen customer databases to identify and target legitimate hardware wallet owners.
Why Recovery Phrases Are Critical
Hardware wallet recovery phrases, also known as seed phrases, are the master keys to cryptocurrency wallets. These phrases represent the private keys that control access to all funds stored in the wallet. Anyone who obtains a recovery phrase gains complete control over the associated cryptocurrency, regardless of physical possession of the hardware wallet.
Legitimate hardware wallet manufacturers like Trezor and Ledger will never request users to:
- Enter recovery phrases on websites
- Scan QR codes to verify recovery phrases
- Upload or share recovery phrases digitally
- Complete authentication checks via third-party sites
Recovery phrases should only be entered directly on the hardware wallet device itself during initial setup or wallet restoration.
Historical Context and Similar Attacks
While phishing emails targeting hardware wallet users are common, physical mail phishing campaigns represent a notable shift in tactics. In 2021, threat actors mailed modified Ledger devices designed to steal recovery phrases during setup. A similar postal phishing campaign targeting Ledger users was reported in April of the previous year.
These physical attacks demonstrate how threat actors continue to evolve their methods, moving from purely digital attacks to hybrid approaches that combine traditional mail with sophisticated online phishing infrastructure.
Protection and Prevention
Hardware wallet users should be aware of these physical phishing tactics and follow these security practices:
- Never enter recovery phrases on websites or through QR code scans
- Verify all communications directly through official manufacturer channels
- Be skeptical of urgent deadlines or threats about losing wallet access
- Contact hardware wallet support directly if receiving suspicious physical mail
- Keep recovery phrases stored securely and never share them with anyone
The shift to physical mail phishing highlights the ongoing evolution of cryptocurrency theft tactics and the need for heightened vigilance among hardware wallet users.
Comments
Please log in or register to join the discussion