Snail Mail Phishing Targets Trezor and Ledger Users

Threat actors are sending physical letters pretending to be from Trezor and Ledger, makers of cryptocurrency hardware wallets, to trick users into submitting recovery phrases in crypto theft attacks. These phishing letters claim recipients must complete a mandatory “Authentication Check” or “Transaction Check” to avoid losing access to wallet functionality, creating a sense of urgency to pressure victims into scanning QR codes that lead to malicious websites.

The Phishing Scheme 🕵️‍♂️

Hardware wallet users report receiving snail mail letters printed on letterhead that impersonate official communications from Trezor and Ledger security and compliance teams. It is unclear what the targeting criteria are for these letters, but both Trezor and Ledger have suffered data breaches in the past couple of years that have exposed customer contact information.

A letter impersonating Trezor received by cybersecurity expert Dmitry Smilyanets claims that an “Authentication Check will soon become a mandatory part of Trezor,” warning users to complete the process by February 15, 2026, or risk losing functionality on their devices.

“To avoid any disruption to your Trezor Suite access, please scan the QR code with your mobile device and follow the instructions on our website to enable Authentication Check by February 15th, 2026,” reads the fake Trezor letter.

A similar Ledger-themed letter was shared on X, claiming a “Transaction Check” would soon become mandatory and warning users to scan a QR code to enable the feature by October 15, 2025, to avoid disruptions. Scanning the QR codes leads victims to phishing sites impersonating official Trezor and Ledger setup pages, including: https://trezor.authentication-check.io/ and https://ledger.setuptransactioncheck.com/.
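Both URLs above put the brand name in a subdomain of an unrelated registered domain. The following check, an added example that is not part of the original article, flags that pattern in URLs decoded from QR codes or seen in proxy logs; the official domains `trezor.io` and `ledger.com` are assumptions not stated in the article, and all sample URLs other than the two quoted above are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: official vendor domains; these are not given in the article.
OFFICIAL = {"trezor": ("trezor.io",), "ledger": ("ledger.com",)}

def parse_host(url):
    """Hostname only: no userinfo, port or trailing dot, lower-cased."""
    url = url.strip()
    if "://" not in url:          # QR payloads often omit the scheme
        url = "https://" + url
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:            # e.g. malformed IPv6 literal
        host = ""
    return host.rstrip(".").lower()

def classify(url):
    """Return 'official', 'impersonation:<brand>' or 'unrelated'."""
    host = parse_host(url)
    for domains in OFFICIAL.values():
        # Exact match or a true subdomain; 'trezor.io.example.test' fails this.
        if any(host == d or host.endswith("." + d) for d in domains):
            return "official"
    # Whole-label tokens over the full URL, so a brand in the userinfo or
    # path is caught, while 'knowledgerepo' does not match 'ledger'.
    tokens = set(re.split(r"[^a-z0-9]+", url.lower()))
    for brand in OFFICIAL:
        if brand in tokens:
            return f"impersonation:{brand}"
    return "unrelated"

# The first two URLs are quoted in the article; the rest are constructed.
SAMPLES = [
    "https://trezor.authentication-check.io/",
    "https://ledger.setuptransactioncheck.com/",
    "https://trezor.io@example.test/",
    "ledger.com.example.test/setup",
    "https://knowledgerepo.example/",
    "HTTPS://Trezor.IO./start",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):22} {sample}")
```

Whole-label matching trades recall for fewer false positives: it will not flag a brand fused into a longer label or written with look-alike characters.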

The Risks of Sharing Recovery Phrases ⚠️

While phishing emails targeting Trezor and Ledger users are common, physical mail phishing campaigns remain relatively rare. In 2021, threat actors mailed modified Ledger devices designed to steal recovery phrases during setup. Hardware wallet recovery phrases, also known as seed phrases, are textual representations of the private keys that control access to cryptocurrency wallets. Therefore, anyone who has access to a wallet’s recovery phrase gains full control over the wallet and its funds.

Important Reminder: Hardware wallet manufacturers such as Trezor and Ledger will never ask users to enter, scan, upload, or share their recovery phrase. Recovery phrases should be entered directly on the hardware wallet device when restoring a wallet, and never on a computer, mobile device, or website.

This post is licensed under CC BY 4.0 by the author.