A new wave of offline phishing attacks is targeting owners of Trezor and Ledger hardware wallets. Instead of traditional scam emails, attackers are sending carefully crafted paper letters by regular mail, impersonating the security teams of these manufacturers. The objective is predictable — to trick users into revealing their seed phrases and fully compromise their cryptocurrency holdings — but the offline delivery method and level of impersonation make this campaign particularly noteworthy.
Paper phishing letters impersonating Trezor and Ledger support
Recipients report receiving physical envelopes containing professionally formatted letters that appear to originate from Trezor or Ledger security departments. The documents use official logos, branding elements and corporate-style language, closely mimicking legitimate manufacturer communications to build trust.
The letters describe a supposedly new mandatory security procedure, often framed as an “authentication check” or “transaction verification.” Users are urged to scan an enclosed QR code and complete verification on a “dedicated security page” by a strict deadline, or risk losing access to some wallet functionality.
In one case, a letter posing as Trezor support specified a deadline of 15 February 2026. Similar letters spoofing Ledger referenced 15 October 2025. These precise dates are designed to create artificial urgency, a classic social engineering tactic that pressures victims into acting quickly without critically examining the request.
From QR code to stolen seed phrase: full attack chain
The QR codes embedded in the letters direct victims to phishing websites that visually replicate the official Trezor and Ledger portals. Layout, colors, typography and wording are closely copied, so users who do not carefully inspect the browser address bar are unlikely to notice the deception.
On these fake sites, visitors are warned about supposed risks: potential transaction signing errors, firmware update problems or upcoming restrictions on wallet usage. To “confirm ownership of the device” and “complete the security configuration,” the user is ultimately asked to enter their 12, 20 or 24-word seed phrase into a web form.
Some phishing pages even claim that only devices purchased before a certain date require this “authentication setup,” while newer devices are “preconfigured.” This narrative imitates legitimate firmware versioning and upgrade logic, adding further credibility to the scheme.
Once the seed phrase is entered, it is immediately transmitted to the attackers via backend or API services. Because a seed phrase is the master key to all assets stored in a hardware wallet, its compromise gives criminals full control over the funds. They can rapidly transfer cryptocurrency to their own addresses, with no way to reverse the transactions.
Why crypto phishing is moving from inboxes to mailboxes
This campaign is part of a broader trend: phishing attacks moving into the physical world. In previous incidents, criminals have mailed fake or tampered Ledger-like devices to users, attempting to intercept secrets during initial setup. Fake paper notices allegedly from Ledger were also reported in early 2025.
By choosing offline channels, attackers bypass common technical defenses such as spam filters, email authentication checks and corporate anti-phishing gateways. A printed letter containing the recipient’s real name and postal address is often perceived as more “official” and trustworthy than an unsolicited email.
Data leaks and targeted victim selection
A key enabler of these attacks is access to customer data from past breaches. Hardware wallet vendors and related services have previously suffered data leaks exposing names, email addresses and physical mailing addresses. Notably, Ledger publicly acknowledged a customer data breach in 2020 that impacted contact information for hundreds of thousands of users.
Armed with physical addresses, attackers can mount highly targeted offline phishing campaigns, crafting letters that appear personally addressed and tailored. This significantly increases the likelihood that a recipient will scan the QR code or visit the malicious URL without independently verifying its authenticity.
How hardware wallet owners can defend against offline phishing
The most important security principle remains unchanged: legitimate hardware wallet manufacturers will never ask for your full seed phrase via email, phone, web form or postal mail. A seed phrase should only ever be entered directly on the hardware device itself, or in official wallet software obtained from a verified source, and only when the user initiates a recovery process.
Any unexpected message — digital or physical — referring to “urgent security verification,” “mandatory authentication” or “transaction confirmation” should be treated with extreme caution. A safer practice is to manually type the official website address into the browser and check the latest security notices or support articles there, instead of following links or QR codes in letters.
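For a help desk or security team triaging a reported letter, the address-bar check described above can be automated. The following is an added example, not code from Trezor, Ledger or the original article; the function name `url_findings`, the official-domain list and the sample URLs in the test are assumptions constructed for illustration, and the domain list should be confirmed against each vendor's own documentation.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: registrable domains the vendors publish as official.
OFFICIAL_DOMAINS = {"trezor.io", "ledger.com"}
BRANDS = ("trezor", "ledger")


def url_findings(url):
    """Return reasons a URL must not be treated as a vendor site ([] = official)."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return ["unparseable URL"]

    findings = []
    if parts.scheme != "https":
        findings.append("not https")
    # "https://vendor.tld@other.host/" displays the vendor name but connects elsewhere.
    if parts.username is not None:
        findings.append("userinfo before '@' hides the real host")
    # Punycode or non-ASCII labels can render as a brand with swapped characters.
    if not host.isascii() or "xn--" in host:
        findings.append("internationalized host (possible homograph)")

    on_official = any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)
    if not on_official:
        findings.append("host is not on an official domain")
        imitated = set()
        # Compare every dot- or hyphen-separated token with the brand names,
        # catching both exact reuse and near-miss spellings.
        for token in filter(None, re.split(r"[.-]", host)):
            for brand in BRANDS:
                close = SequenceMatcher(None, token, brand).ratio() >= 0.8
                if brand in token or close:
                    imitated.add(brand)
        findings += [f"host imitates brand '{b}'" for b in sorted(imitated)]
    return findings
```

An empty list only means the host sits on an allowlisted domain over HTTPS; it says nothing about whether a request on that page is legitimate, and no result justifies entering a seed phrase into a web form.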
Physical letters requesting that you scan a QR code, follow a link to “update your wallet” or, especially, enter a seed phrase should be considered malicious by default. Such letters should be securely destroyed, and any embedded QR codes should not be scanned under any circumstances.
For additional protection, security professionals recommend enabling advanced hardware wallet features such as a BIP39 passphrase (sometimes called a “25th word”), distributing large balances across multiple independent wallets and periodically reviewing account and device security configurations.
As phishing campaigns grow more sophisticated and expand into offline channels, owners of Trezor, Ledger and other hardware wallets should reassess their security habits. Treat all “official” correspondence with skepticism, verify information only through trusted sources and continuously educate yourself about evolving social engineering techniques. This combination of technical safeguards and informed vigilance remains one of the most effective ways to preserve control over your crypto assets.