Security researchers have uncovered a sophisticated and relatively rare phishing campaign targeting users of the leading hardware wallet brands, Trezor and Ledger. The campaign involves hackers sending physical letters via postal mail to potential victims, impersonating official communications from the wallet companies.
The fraudulent letters are printed on official-looking letterhead and use convincing logos. They create a false sense of urgency by claiming recipients must complete mandatory procedures such as an "Authentication Check" or "Transaction Check" by a specific deadline, with one Trezor-themed letter citing February 15, 2026. The letters warn that failure to comply will result in lost device functionality or disruption to services like Trezor Suite.
These letters direct users to scan embedded QR codes, which lead to malicious phishing websites. The sites are designed to mimic legitimate wallet interfaces and ask users to enter their 12-, 20-, or 24-word recovery seed phrases under the pretense of verifying device ownership or enabling new features. Cybersecurity expert Dmitry Smilyanets, who received one such fake Trezor letter, noted the sophisticated social engineering tactics employed.
Once a victim enters their recovery phrase, the data is transmitted to the attackers' backend servers. This grants the threat actors full control over the victim's cryptocurrency wallet, allowing them to import the wallet onto their own devices and drain all funds. The phishing sites are crafted to accept recovery phrases in multiple formats, increasing their effectiveness.
This offline tactic is designed to bypass traditional digital security filters for email and SMS phishing. The targeting criteria for the mailings remain unclear, but the targeting is suspected to be linked to past data breaches at both Trezor and Ledger, which exposed customer contact and mailing address information to potential attackers.
Both companies have reiterated fundamental security principles in response: hardware wallet manufacturers never ask users to share, enter, scan, or upload their recovery seed phrases through any channel. Seed phrases should only ever be entered directly on the physical hardware wallet device itself during a restoration process, never on a computer, mobile device, or website.