Beware of Cold Wallets! Trezor and Ledger users are receiving physical letters containing phishing QR codes in succession.

Cryptocurrency scam techniques are once again evolving. Recently, multiple hardware wallet users, including those of Trezor and Ledger, have reported receiving physical letters disguised as official notices. The letters instruct recipients to scan a QR code for mandatory verification, but in reality, they are designed to trick users into entering their seed phrases, allowing attackers to steal assets. Such attacks are not new and highlight the ongoing risks of personal data leaks and social engineering scams.

Physical letters disguised as official notices demand “identity verification” within a deadline

Cybersecurity team Dmitry Smilyanets pointed out that several users received paper letters signed by Trezor or Ledger, claiming that they need to complete an “Authentication Check” or “Transaction Check” within a certain timeframe, or their devices may be restricted.

Reports indicate that the letters are meticulously crafted, featuring forged signatures, brand logos, anti-counterfeit stickers, and include a verification QR code. In some cases, the letters even bear the signature of Trezor CEO Matěj Žák.

Scanning the QR code directs to a fake website, prompting users to input their seed phrases

Dmitry Smilyanets reported that the QR codes in the letters lead recipients to malicious websites that mimic official pages, requesting users to enter their wallet seed phrases to complete a so-called “security verification.” Once the seed phrase is entered, the data is transmitted via backend APIs to the attackers, allowing them to import the wallet on other devices and transfer assets.

Both Trezor and Ledger emphasize that they never, and will never, ask users for seed phrases via websites, emails, or physical letters. Once seed phrases are leaked, control of the wallet is effectively lost.

Origin of the attack: Ledger’s past data breaches as a targeting list

The precision of these physical scam letters is linked to data breaches over the past years. In 2020, Ledger experienced a security incident involving its e-commerce partner Shopify, which exposed the names and physical addresses of hundreds of thousands of customers. In 2023, Ledger Connect Kit also suffered a supply chain attack. Early 2024, Trezor reported that contact information for 66,000 users was inadvertently leaked.

Just last month, Ledger was hacked through a third-party payment provider, Global-e, resulting in the exposure of user names and contact details. Although the company stated that private keys and payment information were not compromised, this data could still be used for phishing attacks. Even if the hardware wallet itself remains secure, leaked user data can be exploited repeatedly.

(Ledger’s third-party payment provider Global-e experiences data breach; official response: “Wallet hardware remains secure.”)

Evolving scam methods: from emails to physical social engineering

Recent attack trends show that phishing tactics are shifting from emails and fake customer service messages to counterfeit apps, fake hardware devices, and even physical letters. Physical mail reduces user suspicion, especially when designed to look highly authentic, making it easier to deceive recipients. These continuous attacks reflect the risks associated with data protection and reliance on third-party services within the crypto industry.

Dmitry Smilyanets warns that the most crucial defense for users remains a fundamental principle: “Never disclose your seed phrase to anyone under any circumstances.” Amid ongoing cybersecurity incidents, enhancing user awareness and securing supply chains will continue to be key challenges for the industry.

This article originally appeared on Chain News ABMedia: “Beware of Cold Wallets! Trezor and Ledger Users Receive Phishing QR Code Physical Letters.”