Ledger and Trezor Users Targeted in Sophisticated Physical Mail Phishing Scam

By Nikos Gournas, Feb 20, 2026

A new wave of phishing attacks is targeting hardware wallet users — but this time, the scam isn’t arriving by email.


According to a report by BleepingComputer, scammers are sending highly convincing physical letters to customers of Ledger and Trezor, attempting to trick them into revealing their recovery phrases. The campaign represents an escalation in social engineering tactics within the crypto security landscape.


How the Physical Mail Scam Works

Unlike traditional phishing emails, this attack uses printed letters delivered to users’ home addresses.


The letters:


Appear professionally printed on high-quality paper


Include official-looking logos and branding


Use urgent language referencing a mandatory “Authentication Check” or “Transaction Check”


Set a deadline — often February 15, 2026 — to pressure recipients


One letter reviewed by cybersecurity expert Dmitry Smilyanets instructed Trezor users to scan a QR code to “enable Authentication Check” to avoid losing access to their wallet.


Some letters reportedly even included holograms and appeared to originate from a Pennsylvania address, increasing their perceived legitimacy.


However, these letters are completely fraudulent.


The Goal: Steal Your Recovery Phrase

Each letter contains a QR code that directs victims to a phishing website designed to mimic the official Ledger or Trezor websites.


The fake websites:


Closely copy branding, layout, and messaging


Warn of blocked access or transaction issues


Claim users must verify device ownership


Request the user’s 12-, 20-, or 24-word recovery phrase


Once entered, the recovery phrase is transmitted directly to scammers.


Because a recovery phrase (also known as a seed phrase) is the master key to a crypto wallet, anyone who obtains it gains full control of the funds. Transactions on blockchain networks are irreversible, meaning stolen assets cannot be recovered.


How to Identify the Fake Websites

Security experts warn that a website is fraudulent if:


The hostname (the part of the address before the first forward slash) does not clearly end in trezor.io or ledger.com


There are extra characters inserted between the company name and the domain extension


The site asks you to enter your seed phrase


A critical reminder:

Legitimate hardware wallet companies will never ask for your recovery phrase online.


Seed phrases should only ever be entered directly on the hardware device itself — never on a website, phone, or computer.


The safest practice is to manually type official website addresses into your browser rather than scanning QR codes or clicking links from unsolicited communications.
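
The hostname rules above can be turned into a check that runs on a URL decoded from a QR code before anyone opens it. The following is an added example, not code from Ledger, Trezor, or the original report; it goes slightly beyond the article by also rejecting non-HTTPS links, userinfo (`@`) tricks, and non-ASCII or punycode hostnames, and every sample URL is constructed for illustration.

```python
from urllib.parse import urlsplit

# The two official domains named in the article.
OFFICIAL_DOMAINS = ("trezor.io", "ledger.com")
NOT_OFFICIAL = "hostname is not an official domain"

def classify_url(url: str) -> str:
    """Return 'official' or a short reason the URL fails the hostname check."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "unparseable URL"
    if parts.scheme != "https":          # added assumption: require HTTPS
        return "not https"
    if parts.username is not None or parts.password is not None:
        # In https://ledger.com@host/ the text before '@' is userinfo, not the host.
        return "userinfo before host"
    host = (parts.hostname or "").rstrip(".")   # hostname is already lowercased
    if not host:
        return "no hostname"
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        # Look-alike letters from other alphabets, raw or punycode-encoded.
        return "non-ASCII or punycode hostname"
    for domain in OFFICIAL_DOMAINS:
        # Exact match, or a subdomain: the suffix must start at a label boundary.
        if host == domain or host.endswith("." + domain):
            return "official"
    return NOT_OFFICIAL

# Constructed sample URLs (not taken from the campaign).
SAMPLES = [
    "https://trezor.io/start",
    "https://shop.ledger.com/",
    "https://ledger.com.verify.example/auth",   # official name used as a prefix
    "https://trezor-constructed-sample.io/",    # extra characters before the TLD
    "https://notledger.com/",                   # suffix without a label boundary
    "https://login.example/ledger.com/",        # official name only in the path
    "https://ledger.com@login.example/",        # official name as userinfo
    "https://l\u0435dger.com/",                 # Cyrillic 'e' look-alike
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify_url(sample):36} {sample!r}")
```

A result of `official` only means the hostname passes; a page that asks for a recovery phrase is fraudulent regardless of its address.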


Why This Scam Is So Convincing

The campaign leverages urgency and confusion.


For example, one phishing page claimed:


“Complete Authentication Check setup by February 15, 2026 unless you purchased a Trezor Safe device after November 30, 2025.”


This messaging creates doubt by implying that some users must act immediately while others are exempt — a classic psychological tactic used in advanced phishing schemes.


The physical format also increases trust. Many people are more skeptical of email scams but assume printed mail is legitimate.


How Did Scammers Get Home Addresses?

It is not fully confirmed how attackers obtained recipients’ mailing addresses. However, both Ledger and Trezor have experienced data breaches in past years that exposed customer contact information.


Security analysts believe previously leaked customer data may now be fueling this targeted mail campaign.


At least one phishing domain associated with the scam has already been flagged as dangerous by browser security tools. Users attempting to visit it may see warnings in Chrome and other browsers advising them to leave the site immediately.


Critical Security Reminder for Hardware Wallet Users

If you own a hardware wallet:


Never share your recovery phrase with anyone


Never scan QR codes from unsolicited letters


Never enter your seed phrase on a website


Always access official sites by manually typing the URL


Treat urgent language and deadlines as red flags


Your recovery phrase is your wallet. If someone has it, they have your funds.


The Bigger Picture: Crypto Security Is Evolving

As cryptocurrency adoption grows, scam tactics are becoming more sophisticated. Attackers are now combining leaked personal data, physical mail, professional printing, and convincing web clones to target users more effectively.


This incident highlights a crucial truth in digital asset security:

Self-custody requires constant vigilance.


Hardware wallets like Ledger and Trezor provide strong protection — but no device can protect users who voluntarily give away their recovery phrase.


Staying informed and skeptical remains the strongest defense against phishing attacks in the crypto ecosystem.