A new phishing campaign is targeting cryptocurrency hardware wallet users through an unusual vector: physical mail. Threat actors are sending fake letters impersonating Trezor and Ledger security teams, attempting to trick users into surrendering their wallet recovery phrases.
The Snail Mail Attack Vector
Unlike traditional email phishing, these attacks arrive as physical letters printed on official-looking letterhead. The letters claim recipients must complete a mandatory “Authentication Check” or “Transaction Check” to avoid losing access to their wallet functionality.
Each letter includes a QR code that, when scanned, directs victims to malicious websites designed to mimic official Trezor and Ledger setup pages. The phishing domains identified include:
- trezor.authentication-check[.]io
- ledger.setuptransactioncheck[.]com
How the Attack Works
The Trezor-themed letters warn users to complete the authentication process by a specific deadline, creating urgency. According to cybersecurity expert Dmitry Smilyanets, who received and analyzed one of these letters, the message states:
“To avoid any disruption to your Trezor Suite access, please scan the QR code with your mobile device and follow the instructions on our website to enable Authentication Check.”
When victims proceed through the phishing site, they’re eventually prompted to enter their 12, 20, or 24-word recovery phrase: the seed from which every private key in the wallet is derived, and therefore the secret that controls access to their cryptocurrency. This information is transmitted to attackers via a backend API, allowing them to import the victim’s wallet onto their own devices and drain all funds.
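As an added defensive example (not code from the article, Trezor or Ledger), the following Python check flags the lookalike pattern the two listed domains share: the brand name placed as a subdomain of a registrable domain the vendor does not own. The official-domain table is an assumption to confirm against each vendor's published domains, and the sample URL list is constructed from the article's defanged hosts plus legitimate and unrelated ones.

```python
from urllib.parse import urlsplit

# Registrable domains the vendors operate: an assumption for this example,
# to be confirmed against each vendor's published list before relying on it.
OFFICIAL_DOMAINS = {"trezor": {"trezor.io"}, "ledger": {"ledger.com"}}

# Constructed sample of URLs a scanned QR code could open. The first two are
# the defanged hosts named in the article; the rest are legitimate or unrelated.
SAMPLE_URLS = [
    "https://trezor.authentication-check[.]io/start",
    "https://ledger.setuptransactioncheck[.]com/verify",
    "https://trezor.io/support",
    "https://www.ledger.com/academy",
    "https://example.org/",
]


def refang(url: str) -> str:
    """Undo the '[.]' defanging used in reports so urlsplit can parse the host."""
    return url.replace("[.]", ".")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplified: ignores multi-part public
    suffixes such as co.uk; use a public-suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_qr_url(url: str) -> str:
    """Return 'official', 'impersonation' or 'unrelated' for a QR-code URL.

    The lookalike pattern from the article: a brand name appears somewhere in
    the hostname, but the registrable domain is not one the vendor owns
    (e.g. 'trezor' as a subdomain of authentication-check.io)."""
    host = urlsplit(refang(url)).hostname or ""
    if not host:
        return "unrelated"
    reg = registrable_domain(host)
    for brand, allowed in OFFICIAL_DOMAINS.items():
        if reg in allowed:
            return "official"
        if brand in host:
            return "impersonation"
    return "unrelated"


def scan_samples(urls=SAMPLE_URLS) -> dict:
    """Map each URL to its verdict; an 'impersonation' hit is the alert signal."""
    return {url: classify_qr_url(url) for url in urls}
```

Both article domains come back as "impersonation" because the brand label sits under a registrable domain that is not the vendor's, while trezor.io and www.ledger.com classify as "official".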
Connection to Previous Data Breaches
The targeting criteria for these letters remain unclear, but both Trezor and Ledger have suffered data breaches in recent years that exposed customer contact information, including physical addresses. This likely provides threat actors with the mailing lists needed to conduct this campaign.
Physical mail phishing targeting crypto users isn’t entirely new. In 2021, attackers mailed modified Ledger devices designed to steal recovery phrases during setup—a more sophisticated variant of the same attack concept.
Critical Security Reminder
Legitimate hardware wallet manufacturers will NEVER ask users to enter their recovery phrase on a website, through email, or via any digital interface. Recovery phrases should only ever be entered directly on the hardware wallet device itself when restoring a wallet.
Anyone possessing your recovery phrase has complete control over your cryptocurrency assets. Treat these words with the same security as you would the keys to a safe containing your entire net worth.
Defensive Recommendations
- Never scan QR codes from unsolicited mail claiming to be from hardware wallet companies
- Verify any security communications by visiting official websites directly (not via links or QR codes)
- Contact Trezor or Ledger support through official channels if you receive suspicious mail
- Never enter recovery phrases on computers, phones, or websites under any circumstances
- Report phishing attempts to help protect others in the cryptocurrency community
