Cryptocurrency scam techniques are once again evolving. Recently, multiple hardware wallet users, including those of Trezor and Ledger, have reported receiving physical letters disguised as official notices. The letters instruct recipients to scan a QR code for mandatory verification, but in reality, they are designed to trick users into entering their seed phrases, allowing attackers to steal assets. Such attacks are not new and highlight the ongoing risks of personal data leaks and social engineering scams.
Physical letters disguised as official notices demand “identity verification” within a deadline
Cybersecurity team Dmitry Smilyanets pointed out that several users received paper letters signed by Trezor or Ledger, claiming that they need to complete an “Authentication Check” or “Transaction Check” within a certain timeframe, or their devices may be restricted.
Reports indicate that the letters are meticulously crafted, featuring forged signatures, brand logos, anti-counterfeit stickers, and include a verification QR code. In some cases, the letters even bear the signature of Trezor CEO Matěj Žák.
Scanning the QR code directs to a fake website, prompting users to input their seed phrases
Dmitry Smilyanets reported that the QR codes in the letters lead recipients to malicious websites that mimic official pages, requesting users to enter their wallet seed phrases to complete a so-called “security verification.” Once the seed phrase is entered, the data is transmitted via backend APIs to the attackers, allowing them to import the wallet on other devices and transfer assets.
Both Trezor and Ledger emphasize that they never, and will never, ask users for seed phrases via websites, emails, or physical letters. Once seed phrases are leaked, control of the wallet is effectively lost.
Origin of the attack: Ledger’s past data breaches as a targeting list
The precision of these physical scam letters is linked to data breaches over the past years. In 2020, Ledger experienced a security incident involving its e-commerce partner Shopify, which exposed the names and physical addresses of hundreds of thousands of customers. In 2023, Ledger Connect Kit also suffered a supply chain attack. Early 2024, Trezor reported that contact information for 66,000 users was inadvertently leaked.
Just last month, Ledger was hacked through a third-party payment provider, Global-e, resulting in the exposure of user names and contact details. Although the company stated that private keys and payment information were not compromised, this data could still be used for phishing attacks. Even if the hardware wallet itself remains secure, leaked user data can be exploited repeatedly.
(Ledger’s third-party payment provider Global-e experiences data breach; official response: “Wallet hardware remains secure.”)
Evolving scam methods: from emails to physical social engineering
Recent attack trends show that phishing tactics are shifting from emails and fake customer service messages to counterfeit apps, fake hardware devices, and even physical letters. Physical mail reduces user suspicion, especially when designed to look highly authentic, making it easier to deceive recipients. These continuous attacks reflect the risks associated with data protection and reliance on third-party services within the crypto industry.
Dmitry Smilyanets warns that the most crucial defense for users remains a fundamental principle: “Never disclose your seed phrase to anyone under any circumstances.” Amid ongoing cybersecurity incidents, enhancing user awareness and securing supply chains will continue to be key challenges for the industry.
This article originally appeared on Chain News ABMedia: “Beware of Cold Wallets! Trezor and Ledger Users Receive Phishing QR Code Physical Letters.”
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
Ledger Donjon Finds MediaTek Flaw Exposing Android Wallet Seeds
_Ledger Donjon exposed a MediaTek vulnerability that extracts Android wallet seed phrases in under 45 seconds, affecting millions of devices. CVE-2025-20435._
Ledger Donjon has uncovered a serious MediaTek vulnerability. It lets attackers pull wallet seed phrases from Android phones in seconds.
LiveBTCNews3h ago
Suspected hacker address responsible for CAKE and THE liquidation events, Venus incurs a $2.15 million shortfall
On March 15th, a suspected hacker address received 7,400 ETH from Tornado Cash, orchestrating liquidation events for CAKE and THE collateral that resulted in approximately $2.15 million in losses for Venus. The address manipulated THE price through complex operations, ultimately leading to the liquidation of its collateral on Venus, though substantial borrowed funds remain unpaid. Analysis suggests this event may have been a strategy employed to profit on a certain CEX.
GateNews6h ago
Venus Protocol Pauses THE Token Borrowing and Withdrawal Operations, Other Markets Operating Normally
Gate News reports that on March 15, Venus Protocol issued a security announcement stating that during the investigation of abnormal activity in the THE liquidity pool, preventive measures were taken to prevent further misuse, and all borrowing and withdrawal operations of THE tokens were immediately suspended. This measure will remain in effect until the investigation is concluded. Venus Protocol stated that other markets were unaffected and will continue to operate normally.
GateNews6h ago
Venus Protocol Allegedly Suffers Flash Loan Attack, THE Experiences Massive Liquidations
BNB Chain lending protocol Venus Protocol appears to have suffered a flash loan attack, resulting in massive liquidation of the token THE. The attacker has obtained approximately $3.6 million in assets, with liquidations ongoing. Currently, approximately 42 million THE tokens are awaiting liquidation.
GateNews8h ago
CCTV 315 Gala Exposes AI Large Model Data Poisoning Industry Chain, Pay to Manipulate AI Response Content
CCTV 315 Gala exposed the AI large model data "poisoning" industry chain, involving a business named GEO. Service providers charge fees to make client products stand out in AI models, spawning press release companies that become key links in data manipulation.
GateNews8h ago
Tether Freezes Approximately 11.96 Million USDT on Tron Chain Address
On March 15, Tether froze 11,960,680 USDT on a Tron chain address using the blacklist function of smart contracts. This action typically stems from law enforcement requests related to money laundering and fraud. Over the past several years, Tether has cumulatively frozen more than $4.2 billion in USDT.
GateNews9h ago
