Criminals Use Postal Letters and QR Codes to Steal Crypto From Trezor and Ledger Wallet Owners


Scammers target Trezor and Ledger users with fake security letters and QR codes to capture wallet recovery phrases.

Blockchain Academics, February 18, 2026

A new wave of cryptocurrency fraud is moving offline. Criminal groups are now targeting hardware wallet owners with professionally printed letters that impersonate trusted brands, urging recipients to complete urgent “security checks” or risk losing access to their funds.

The campaign primarily affects users of Trezor and Ledger, two of the most widely used hardware wallet manufacturers in the digital asset industry. Unlike conventional phishing emails that are easily filtered or flagged, these scams arrive through physical mail, often in formal-looking envelopes that enhance their perceived legitimacy.

Recipients are instructed to scan a QR code and complete what the letter describes as a mandatory “Authentication Check” or “Transaction Check.” The notices warn of potential device disruption or restricted wallet functionality if action is not taken within a short deadline. Security researchers say the addition of countdown timers on cloned websites intensifies the pressure, pushing victims toward impulsive decisions.

Investigators have identified phishing domains designed to mimic official wallet setup portals, including variations such as trezor.authentication-check[.]io and ledger.setuptransactioncheck[.]com. While some of these domains have been taken offline, others remain active or were recently operational. The sites request a 12-, 20-, or 24-word recovery phrase under the pretense of verifying ownership or reactivating wallet features.

In reality, entering a recovery phrase on such a website hands full control of the wallet to attackers. Recovery phrases function as master keys. Anyone who obtains them can import the wallet onto another device and transfer all associated funds. Crucially, no legitimate hardware wallet company ever asks users to share recovery phrases via mail, email or web forms. Those phrases should only be entered directly on the physical device during an official restoration process.

Cybersecurity analysts suspect that historical data breaches may have exposed customer mailing details, enabling attackers to personalize and geographically target these letters. Both Trezor and Ledger have faced past incidents involving leaks of user contact information, although authorities have not confirmed whether those breaches are directly linked to the current campaign.

The shift to postal phishing represents a tactical evolution. Physical correspondence bypasses email spam filters and exploits a lingering assumption that printed mail carries institutional credibility. By combining traditional mail with QR codes, scammers bridge offline trust with online exploitation.

Security experts urge wallet owners to treat unsolicited letters demanding urgent action as highly suspicious. Users should avoid scanning QR codes from unknown sources and instead verify any security claims by manually visiting official company websites through bookmarked links. Monitoring manufacturer announcements for confirmed updates or security advisories remains essential.
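As an added example (not code from the article or from either vendor), the following Python check classifies a URL decoded from a QR code by its hostname, using the two lookalike hostnames quoted above as input. The official domains `trezor.io` and `ledger.com`, the function names and the sample list are assumptions of this example.

```python
from urllib.parse import urlsplit

# Assumption: each vendor's official domain; confirm against the vendor's own documentation.
OFFICIAL = {"trezor": "trezor.io", "ledger": "ledger.com"}


def refang(text):
    """Undo report-style defanging: hxxp -> http and [.] -> ."""
    return text.strip().replace("[.]", ".").replace("hxxp", "http", 1)


def host_of(url):
    """Return the lowercased hostname of a QR payload, or '' if unparseable."""
    url = refang(url)
    if "://" not in url:
        url = "https://" + url
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".").lower()


def classify(url):
    """Return 'official', 'impersonation', 'unrelated' or 'unparseable'."""
    host = host_of(url)
    if not host:
        return "unparseable"
    # Official only if the host IS the vendor domain or a subdomain of it.
    for domain in OFFICIAL.values():
        if host == domain or host.endswith("." + domain):
            return "official"
    # A brand name anywhere else in the host is the pattern seen in the letters:
    # the brand is a subdomain label of a domain the vendor does not own.
    if any(brand in host for brand in OFFICIAL):
        return "impersonation"
    return "unrelated"


if __name__ == "__main__":
    samples = [  # first two are the defanged hostnames quoted in the article; the rest are constructed
        "trezor.authentication-check[.]io",
        "ledger.setuptransactioncheck[.]com",
        "https://trezor.io/",
        "https://trezor.io.example.net/",
    ]
    for s in samples:
        print(f"{classify(s):14} {s}")
```

The check matches on the full hostname suffix rather than on the presence of the brand name, which is why `trezor.io.example.net` is not treated as official. It does not detect homoglyph or misspelled brand names.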

As cryptocurrency adoption expands, so too does the sophistication of fraud. This latest campaign underscores a simple but critical principle in digital asset security: control of the recovery phrase equals control of the funds. Once surrendered, there is no mechanism to reverse the loss. In an industry built on self-custody, vigilance is not optional.
