Cybercriminals are sending physical letters impersonating Trezor and Ledger in a new phishing campaign aimed at stealing cryptocurrency funds. The letters look official and include company logos and professional formatting.
The fake notices instruct recipients to complete a mandatory “Authentication Check” or “Transaction Check.” They warn users that failure to act before February 15, 2026 could lead to limited wallet access or device issues.
Each letter includes a QR code that directs users to a malicious website. The site asks victims to enter their 12-, 20-, or 24-word recovery phrase, claiming it is needed to verify device ownership.
Once users enter the recovery phrase, the information is sent to attackers through backend systems. With that phrase, hackers gain full control of the wallet and can immediately transfer or drain all funds.
Cybersecurity experts say the campaign creates urgency by claiming newer devices come pre-configured, pressuring older customers to act quickly. The messages warn of signing errors, limited functionality, and disrupted updates.
Both Trezor and Ledger have suffered data breaches in past years that exposed some customer contact details. Investigators believe attackers may be using leaked mailing information to target victims.
Hardware wallet companies clearly state that they never ask users to share recovery phrases by mail, email, phone, or website. Recovery phrases should only be entered directly on the hardware device when restoring a wallet.
Security experts urge crypto holders to ignore such letters and remember a simple rule: Anyone who has your recovery phrase has full access to your crypto.
