Users of crypto hardware wallets Ledger and Trezor are again reporting receiving physical letters aimed at stealing their seed recovery phrases — the latest attack on users exposed across numerous data leaks over the past six years.

Cybersecurity expert Dmitry Smilyanets was one of the first to report receiving a spurious letter from Trezor on Feb. 13, which demands users perform an “Authentication Check” by Feb. 15 or risk having their device restricted.

Smilyanets said the scam includes a hologram along with a QR code that takes users to a scam website. The letter is made to appear signed by Matěj Žák, who is described as the “Ledger CEO” (the real Matěj Žák is the CEO of Trezor).

A Ledger user reported receiving a similar letter in October last year, which claimed that recipients must complete mandatory “Transaction Check” procedures.

Fake letter sent to Trezor customers. Source: Dmitry Smilyanets

Scanning a malicious QR code for “mandatory” checks

The QR code reportedly takes the victim to a malicious website made to look like Ledger and Trezor setup pages, tricking users into entering their wallet recovery phrases.

Once entered, the recovery phrase is transmitted to the threat actor through a backend API, enabling them to import the victim’s wallet onto their own device and steal funds from it.

Legitimate hardware wallet companies never ask users to share their recovery phrases through any channel, whether a website, email, or snail mail.

Not the first time letters have been sent

Ledger and its third-party partners have suffered multiple large-scale data breaches over the past few years, resulting in leaks of customer data, including physical addresses used for postal purposes, as well as physical threats.

Meanwhile, Trezor flagged a security breach that exposed the contact information of nearly 66,000 customers in January 2024.

In 2021, scammers mailed counterfeit Ledger Nano hardware wallets to victims of the 2020 Ledger data breach.

Physical letters prompting victims to scan QR codes were sent in April 2025, while in May, hackers used fake Ledger Live apps to steal seed phrases and drain crypto from victims.

Ledger alerted users to the physical mail phishing scam on its website in October.

